MSFVenom
From charlesreid1
Can be used to craft payloads like remote tcp shells.
See this tool in action: Metasploitable/Apache/DAV
Creating Payloads
Tomcat
To create a WAR file that woudl give a reverse shell, I used msfvenom to generate the payload.
Started by listing all the different payloads available, so I could look for java-related payloads:
root@morpheus:~/box/besside# msfvenom -l payloads
Framework Payloads (437 total)
==============================
Name Description
---- -----------
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
java/shell_reverse_tcp Connect back to attacker and spawn a command shell