Metasploit mailing list archives
Re: Bypassing AV for Java payloads
From: Michael Schierl <schierlm () gmx de>
Date: Sat, 02 Aug 2014 22:50:56 +0200
On 02.08.2014 at 21:44, HD Moore wrote:
> It looks like framework uses the metasploit-javapayload repository, which has support for Android, but may be missing some of the code written between 10-12 months ago in your repository.
In fact, the two repos forked sometime in 2010 off JavaPayload-1.0.zip, even before the point where I put it into the SVN repo that was later converted to my Git repo (yes, all the time from JavaPayload 1.0 to 1.1, there did not exist any source control repo at all, primarily because I thought it wouldn't get that big). And the code bases evolved quite differently.

Metasploit-Javapayload:
- One monolithic stager class
- Support to drop exe from the stager JAR
- No dynamic bytecode generation at all
- Stager protocols limited to what Metasploit supports
- Android support
- Java Meterpreter
- No stages except Meterpreter and Shell
- No handler code (the stages communicate with Metasploit instead) or .jar/.war generation code
- Modern build environment using Maven and Travis, with unit tests and some

"Vanilla" JavaPayload:
- Modular stager classes (one for each protocol)
- Stagers via TCP, UDP, HTTP, or tunneled via JDWP/RMI/HTTP (depending on exploit)
- More than a dozen different stages, but mostly not more features than Meterpreter has
- Embed stage into stager so that the protocol is "telnet compatible"
- Password protection of stagers
- Stage menu (more than one stage embedded w/ a menu to choose from)
- Dynamic shellcode loading w/o touching disk (unfortunately not updated for Java 7 or 8 yet...)
- Optional AES encryption for all communication
- Inject code into other Java processes running as same user, via inject API.
- Several generatable payload formats (some of which are also available in Metasploit), like OpenOffice Macro, Signed Applet, single Class, JAR, WAR, EAR, ...
- Proxy module to connect different stager protocols (mostly so that you can use Metasploit's java/meterpreter/reverse_tcp with a stager via some other protocol)
- Escalation code to bypass laxly configured security managers (especially helpful for servlet containers)
- Uses "classic" ANT build script; some system/integration tests, but no unit tests at all
- A bunch of exploits, of which most are in Metasploit too (JDWP came quite recently)
- and numerous other things I forgot.

I don't think it is feasible (or even useful) to try to merge these two code bases, but if anyone else volunteers, feel free to do so :) So it is probably easier to rip out what you need (just like you do with Mimikatz, for example). I tried myself to port some of the more useful things over to Metasploit (the last thing I tried was the war_bind_http stager), but you know yourself that it can be frustrating to get anything except a basic new module landed...
> It looks like between yourself, @timwr, and @todb,
don't forget egypt :)
> we should get a handle on where metasploit-javapayload is relative to your repository, scope out the work to implement this, and find some volunteers (count me if needed) to actually go make the changes.

Good luck :)

Regards,
Michael

_______________________________________________
https://dev.metasploit.com/mailman/listinfo/framework