SHOW:
|
|
- or go back to the newest paste.
| 1 | - | msf auxiliary(meterp_compare) > rerun |
| 1 | + | Some more commands to add to Java Meterpreter |
| 2 | - | [*] Reloading module... |
| 2 | + | |
| 3 | meterp_compare module is at: https://github.com/schierlm/metasploit-framework/blob/0898309db9f0d8e05850e3e37b71119ae64864d9/unstable-modules/auxiliary/meterp_compare.rb | |
| 4 | - | [+] Scanning sessions: |
| 4 | + | |
| 5 | - | [*] 1 | java/java | {"Computer"=>"MICHAEL", "OS"=>"Windows 7 6.1 (amd64)", "Architecture"=>nil, "System Language"=>nil}
|
| 5 | + | meterp_compare output is at: http://pastebin.com/gYDJwFeQ |
| 6 | - | [*] 4 | php/php | {"Computer"=>"MICHAEL", "OS"=>"Windows NT MICHAEL 6.1 build 7601 (Windows 7 Business Edition Service Pack 1) i586", "Architecture"=>nil, "System Language"=>nil}
|
| 6 | + | |
| 7 | - | [*] 5 | python/python | {"Computer"=>"MICHAEL", "OS"=>"CYGWIN_NT-6.1 1.7.25(0.270/5/3) 2013-08-31 20:37", "Architecture"=>"x86_64", "System Language"=>nil}
|
| 7 | + | "Architecture" |
| 8 | - | [*] 6 | x86/win32 | {"Computer"=>"MICHAEL", "OS"=>"Windows 7 (Build 7601, Service Pack 1).", "Architecture"=>"x64 (Current Process is WOW64)", "System Language"=>"de_DE"}
|
| 8 | + | -> System.getProperty("os.arch")
|
| 9 | - | [+] Supported command groups: |
| 9 | + | http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#getProperty(java.lang.String) |
| 10 | - | [*] 1 | java/java | CD GH |
| 10 | + | @since 1.0 |
| 11 | - | [*] 4 | php/php | AB E H |
| 11 | + | |
| 12 | - | [*] 5 | python/python | A DEF H |
| 12 | + | "System Language" |
| 13 | - | [*] 6 | x86/win32 | B EFGHI |
| 13 | + | -> Easy, Locale.getDefault().toString() |
| 14 | - | [+] Commands in each group: |
| 14 | + | http://docs.oracle.com/javase/1.5.0/docs/api/java/util/Locale.html#getDefault() |
| 15 | - | [*] A | ["stdapi_fs_delete"] |
| 15 | + | http://docs.oracle.com/javase/1.5.0/docs/api/java/util/Locale.html#toString() |
| 16 | - | [*] B | ["stdapi_sys_process_kill"] |
| 16 | + | @since 1.0 |
| 17 | - | [*] C | ["channel_create_stdapi_net_tcp_server", "channel_create_stdapi_net_udp_client"] |
| 17 | + | |
| 18 | - | [*] D | ["channel_create_stdapi_fs_file", "channel_create_stdapi_net_tcp_client"] |
| 18 | + | stdapi_fs_delete |
| 19 | - | [*] E | ["stdapi_sys_config_getenv", "stdapi_sys_process_close", "stdapi_sys_process_getpid"] |
| 19 | + | -> File.delete() |
| 20 | - | [*] F | ["stdapi_fs_file_move", "stdapi_net_resolve_host", "stdapi_net_resolve_hosts"] |
| 20 | + | http://docs.oracle.com/javase/1.5.0/docs/api/java/io/File.html#delete() |
| 21 | - | [*] G | ["stdapi_net_config_get_interfaces", "stdapi_net_config_get_routes", "stdapi_ui_desktop_screenshot", "webcam_audio_record"] |
| 21 | + | @since 1.0 |
| 22 | - | [*] H | ["core_loadlib", "stdapi_fs_chdir", "stdapi_fs_delete_dir", "stdapi_fs_delete_file", "stdapi_fs_file_expand_path", "stdapi_fs_getwd", "stdapi_fs_ls", |
| 22 | + | |
| 23 | - | "stdapi_fs_mkdir", "stdapi_fs_md5", "stdapi_fs_search", "stdapi_fs_separator", "stdapi_fs_stat", "stdapi_fs_sha1", "stdapi_net_socket_tcp_shutdown", "stdapi_sys_config_getuid", "stdapi_sys_config_sysinfo", "stdapi_sys_process_execute", "stdapi_sys_process_get_processes"] |
| 23 | + | stdapi_sys_config_getenv |
| 24 | - | [*] I | ["webcam_stop", "webcam_get_frame", "webcam_start", "webcam_list", "stdapi_sys_power_exitwindows", "stdapi_sys_eventlog_close", "stdapi_sys_eventlog_clear", "stdapi_sys_eventlog_oldest", "stdapi_sys_eventlog_read", "stdapi_sys_eventlog_numrecords", "stdapi_sys_eventlog_open", "stdapi_ui_desktop_set", "stdapi_ui_desktop_get", "stdapi_ui_desktop_enum", "stdapi_ui_get_keys", "stdapi_ui_stop_keyscan", "stdapi_ui_start_keyscan", "stdapi_ui_get_idle_time", "stdapi_ui_enable_keyboard", "stdapi_ui_enable_mouse", "stdapi_net_config_get_proxy", "stdapi_net_config_get_netstat", "stdapi_net_config_get_arp_table", "stdapi_net_config_remove_route", "stdapi_net_config_add_route", "stdapi_sys_config_drop_token", "stdapi_sys_config_steal_token", "stdapi_sys_config_getprivs", "stdapi_sys_config_rev2self", "stdapi_registry_delete_value", "stdapi_registry_enum_value", "stdapi_registry_query_class", "stdapi_registry_query_value", "stdapi_registry_set_value", "stdapi_registry_close_key", "stdapi_registry_delete_key", "stdapi_registry_enum_key", "stdapi_registry_create_key", "stdapi_registry_open_remote_key", "stdapi_registry_open_key", "stdapi_registry_unload_key", "stdapi_registry_load_key", |
| 24 | + | -> System.getenv() |
| 25 | - | "stdapi_registry_check_key_exists", "stdapi_sys_process_thread_set_regs", "stdapi_sys_process_thread_query_regs", "stdapi_sys_process_thread_terminate", "stdapi_sys_process_thread_resume", "stdapi_sys_process_thread_suspend", "stdapi_sys_process_thread_get_threads", "stdapi_sys_process_thread_close", "stdapi_sys_process_thread_create", "stdapi_sys_process_thread_open", "stdapi_sys_process_memory_unlock", "stdapi_sys_process_memory_lock", "stdapi_sys_process_memory_protect", "stdapi_sys_process_memory_query", "stdapi_sys_process_memory_write", "stdapi_sys_process_memory_read", "stdapi_sys_process_memory_free", "stdapi_sys_process_memory_allocate", "stdapi_sys_process_image_get_images", "stdapi_sys_process_image_unload", "stdapi_sys_process_image_get_proc_address", "stdapi_sys_process_image_load", "stdapi_sys_process_wait", "stdapi_sys_process_get_info", "stdapi_sys_process_attach", "stdapi_railgun_memwrite", "stdapi_railgun_memread", "stdapi_railgun_api_multi", "stdapi_railgun_api", "core_channel_open"] |
| 25 | + | http://docs.oracle.com/javase/1.5.0/docs/api/java/lang/System.html#getenv() |
| 26 | - | [*] Auxiliary module execution completed |
| 26 | + | @since 1.5 |
| 27 | - | msf auxiliary(meterp_compare) > |
| 27 | + | Note that the version that takes a String was available before, but did not return system environment variables |
| 28 | A sensible fallback for Pre 1.5 JDK would be to return empty results or hack something up for %COMSPEC% (similar to expand_path) | |
| 29 | ||
| 30 | ||
| 31 | stdapi_fs_file_move | |
| 32 | -> File.renameTo() | |
| 33 | http://docs.oracle.com/javase/1.5.0/docs/api/java/io/File.html#renameTo(java.io.File) | |
| 34 | @since 1.0 | |
| 35 | Be aware that renameTo can fail due to platform specific reasons, so the proper fallback would be a copy loop | |
| 36 | ||
| 37 | stdapi_net_resolve_host | |
| 38 | stdapi_net_resolve_hosts | |
| 39 | InetAddress.getByName(...).getAddress() [or getHostAddress()] | |
| 40 | http://docs.oracle.com/javase/1.5.0/docs/api/java/net/InetAddress.html#getByName(java.lang.String) | |
| 41 | http://docs.oracle.com/javase/1.5.0/docs/api/java/net/InetAddress.html#getAddress() | |
| 42 | @since 1.0 | |
| 43 | ||
| 44 | stdapi_net_config_get_proxy | |
| 45 | -> possible if running inside an applet, but AFAIK not possible when spawned separately |
