Burp extension persistence #19821
Burp extension persistence #19821
Conversation
| ], | ||
| 'DefaultOptions' => { | ||
| # 25hrs, you know, just in case the user doesn't open Burp for a while | ||
| 'WfsDelay' => 90_000, |
There was a problem hiding this comment.
I think 25*60*60 would be a tad clearer
There was a problem hiding this comment.
can/will be addressed in the persistence PR
| malicious_extension = { | ||
| 'errors' => 'ui', | ||
| 'extension_file' => extension_location, | ||
| 'extension_type' => 'java', | ||
| 'loaded' => true, | ||
| 'name' => extension_name, | ||
| 'output' => 'ui' |
There was a problem hiding this comment.
Can't the errors and the output be explicitly set to ignore/null/… to ensure that weird logs won't show up in Burp?
There was a problem hiding this comment.
The options are "Output to system console", "Save to file", and "Show in UI". I selected "Show in UI" as I've added text to be displayed to the user to make it seem like all is well.
Right now if you use a Java payload it outputs more with XXX stuff, once we decide how to either fix the Java payload implementation, or remove it, I'll clean that up.
|
|
||
| return cmd_exec('cmd.exe /c echo %USERNAME%').strip if ['windows', 'win'].include? session.platform | ||
|
|
||
| whoami |
There was a problem hiding this comment.
Instead of implementing this to obtain the username, why not just expand the HOME environment variable for the specific platform? That would have a few advantages including not running whoami on linux, and allowing the rest of the code to work when the user running burp is a service account. IIRC Burp can be run in a headless mode as part of a CI/CD pipeline in which case the operating account may not be a normal user with their home directory under /home.
| # stolen from exploit/multi/handler | ||
| stime = Time.now.to_f | ||
| timeout = datastore['ListenerTimeout'].to_i | ||
| loop do | ||
| break if timeout > 0 && (stime + timeout < Time.now.to_f) | ||
|
|
||
| Rex::ThreadSafe.sleep(1) | ||
| end | ||
|
|
||
| # config files must be applied, and on boot doesn't seem to work | ||
| # /usr/lib/jvm/java-23-openjdk-amd64/bin/java -jar -Xmx4g -Djava.awt.headless=true /usr/share/burpsuite/burpsuite.jar burp.StartBurp --user-config-file=/tmp/burp.json & |
There was a problem hiding this comment.
We should look to configure this module to run passively in the background so it's not just sleeping for 25 hours.
There was a problem hiding this comment.
This is partially a chicken and egg problem. The past persistence modules I've written have all been:
'Stance' => Msf::Exploit::Stance::Passive,
'Passive' => true,
with 'WfsDelay' => 90_000,.
However, this will need to be synced with #19815 . Which will standardize a lot of this. Would prefer to leave it as is for consistence, then pick it up in the follow-up PR.
This PR creates a new persistence mechanism via Burp extension. Install the extension in burp and it gives you back a shell every burp start. Tested against windows and linux targets. You can either compile the java on your system (build action via gradle) or use the bytecode (precompiled). Instructions for creating the bytecode independently are included in the
data/exploits/burp_extensionfolder.#19592 persistence
Will need to be updated after #19815
Issues
Issue 1: Automating Install (not a blocker)
Currently installing the extension is manual due to several issues. As per my conversation with PortSwigger there are several candidates for automating the install which all fail:
PortSwigger said they haven't tested this, but will add it to their feature request list.
As a workaround, if the user specifies a user config file, it will be poisoned with our malicious burp extension.
Issue 2: Java Target
When attempting to use the Java target with a payload that seems right (
payload/java/shell/reverse_tcp,payload/java/meterpreter/reverse_tcp) the following error is encountered:No idea why. Either I can cut this target and shrink the java extension, or hopefully someone knows why this is happening
Verification
writableDir