Metasploit mailing list archives

Re: Bypassing AV for Java payloads


From: Michael Schierl <schierlm () gmx de>
Date: Sat, 02 Aug 2014 22:50:56 +0200

On 02.08.2014 at 21:44, HD Moore wrote:

> It looks like framework uses the metasploit-javapayload repository,
> which has support for Android, but may be missing some of the code
> written between 10-12 months ago in your repository.

In fact, the two repos forked sometime in 2010 off JavaPayload-1.0.zip,
even before the point where I put it into the SVN repo that was later
converted to my Git repo (yes, for all the time from JavaPayload 1.0 to
1.1 there was no source control repo at all, primarily because I
thought it wouldn't get that big).

And the code base evolved quite differently.

Metasploit-Javapayload:
- One monolithic stager class
- Support to drop exe from the stager JAR
- No dynamic bytecode generation at all
- Stager protocols limited to what Metasploit supports
- Android support
- Java Meterpreter
- No stages except Meterpreter and Shell
- No handler code (the stages communicate with Metasploit instead) or
  .jar/.war generation code
- Modern build environment using Maven and Travis, with unit tests and
  some

"Vanilla" JavaPayload:
- Modular stager classes (one for each protocol)
- Stagers via TCP, UDP, HTTP, or tunneled via JDWP/RMI/HTTP (depending
  on exploit)
- More than a dozen different stages, but mostly not more features than
  Meterpreter has
- Embed stage into stager so that the protocol is "telnet compatible"
- Password protection of stagers
- Stage menu (more than one stage embedded w/ a menu to choose from)
- Dynamic shellcode loading w/o touching disk (unfortunately not
  updated for Java 7 or 8 yet...)
- Optional AES encryption for all communication
- Inject code into other Java processes running as same user, via
  inject API.
- Several generatable payload formats (some of which are also available
  in Metasploit), like OpenOffice Macro, Signed Applet, single Class,
  JAR, WAR, EAR, ...
- Proxy module to connect different stager protocols (mostly so that
  you can use Metasploit's java/meterpreter/reverse_tcp with a stager
  via some other protocol)
- Escalation code to bypass laxly configured security managers
  (especially helpful for servlet containers)
- Uses "classic" ANT build script; some system/integration tests, but
  no unit tests at all
- A bunch of exploits, of which most are in Metasploit too (JDWP came
  quite recently)
- and numerous other things I forgot.

I don't think it is feasible (or even useful) to try to merge these two
code bases, but if anyone else volunteers, feel free to do so :)

So it is probably easier to rip out what you need (just like you do with
Mimikatz, for example).

I tried myself to port some of the more useful things over to Metasploit
(last thing I tried was war_bind_http stager), but you know yourself
that it can be frustrating to get anything except a basic new module
landed...

> It looks like between yourself, @timwr, and @todb,

don't forget egypt :)

> we should get a
> handle on where metasploit-javapayload is relative to your
> repository, scope out the work to implement this, and find some
> volunteers (count me if needed) to actually go make the changes.

Good luck :)


Regards,


Michael
_______________________________________________
https://dev.metasploit.com/mailman/listinfo/framework