Presentation is loading. Please wait.

Presentation is loading. Please wait.

JavaSnoop how to hack anything in java arshan dabirsiaghi

Published byRebekah Wickware Modified over 9 years ago

Similar presentations

Presentation on theme: "JavaSnoop how to hack anything in java arshan dabirsiaghi"— Presentation transcript:

1 JavaSnoop how to hack anything in java arshan dabirsiaghi
director of research aspect security @nahsra

2 Any more detail is theoretically irrelevant. A client is a client.

3 Agenda Why hacking Java apps is practically difficult
Showing how JavaSnoop solves the problem Demos, videos, details

4

5 Hey, Security Company X. I want you to test the security of this important applet. Can you do it in 40 hours? No problem we do it all the time!! What’s an applet again? Absolutely. I can scan that with WebInspect, right?

6 Zero intel on applet. Looks to be some kind of chat thing. Not sure about protocols, exit points, data types. After eating Panda Express and bitching about lack of useful docs, time left: 38 hours.

7 Option #1 (hack the traffic)
Pray it uses HTTP Pray it has configurable proxy settings Pray it doesn’t use serialized objects/layer 7.5 encryption/custom protocols MITM yourself Applet Server

8 I setup Wireshark to look at the data.
Crap, it’s not HTTP. It’s some kind of bizarro protocol. That rules out Ethereal/Middler too. What am I even looking at? Never mind, this clearly didn’t work. Time left: 35 hours.

9 Option #2 (hack the client)
Grab classes/jars Decompile them Perform source code review Theoretical next steps: 4. Alter code 5. Recompile evil client 6. Send custom attacks Real next steps: 4. Alter code 5. Nothing compiles/works 6. Tests never happen or are invalid

10 I don’t have that kind of time. Time left: 31 hours.
I download the applet codebase. I decompile the codebase. I load the decompiled code into Eclipse. Are you serious? errors? Is every single line of code broken? I don’t have that kind of time. Time left: 31 hours.

11 Option #3 (hack the server)
Pray the endpoints are HTTP Pray it doesn’t require client certificates Pray it doesn’t use serialized objects/layer 7.5 encryption/custom protocols Fiddler, Burp, Webscarab, SoapUI Application endpoints

12 I need some “me” time. Time left: 27 hours.
Tried to talk to the server. Not sure about this traffic - some new raw-byte protocol? F*#&ing stupid Java s*%#, bananas. Entering Mel Gibson rage. I need some “me” time. Time left: 27 hours.

13 We need some inspiration. Anna?
If only there was a “WebScarab” or “Burp”, but for the Java Virtual Machine. If there was, I could tamper with method parameters like HTTP traffic. That certainly would have made Scary Movie 3 easier to make. Also, I love you Arshan. -- Anna Faris

14 something we could do with
That sounds like something we could do with instrumentation. we miss you pdp, come back

15 What is instrumentation?

16 How would instrumentation help?

17 Our evil hacking program (JavaSnoop)
Target application Our evil hacking program (JavaSnoop) Method parameters Tampered method parameters Return value Then you can imagine Tampered return value

18 Number of flaws found: zero.
Have to read up on instrumentation. Time left: 20 hours. Am I really good at my job? Maybe I should have stayed in development/snarky Slashdot commenting. Number of flaws found: zero.

19 To redefine a class we need the actual raw bytecode
To redefine a class we need the actual raw bytecode. I tried putting in: alert(document.cookie) …but it didn’t work.

20 reJ http://rejava.sourceforge.net
Example of wedging in a println() at the top and bottom of a function.

21 Dailydaver’s guide to Java VM
Userland Custom classes (java.class.path) Ring0 Core Java classes (/jre/lib) Supporting classes (/jre/lib/ext) Java Agent Bootstrap classloader Extension classloader System classloader Runlevel 0 Runlevel 1 Runlevel 2

22 Dailydaver’s guide to Java VM
Userland Custom classes (java.class.path) Java Agent Ring0 Core Java classes (/jre/lib) Supporting classes (/jre/lib/ext) Bootstrap classloader Extension classloader System classloader Runlevel 0 Runlevel 1 Runlevel 2

23 Java Snoop Agent Java Snoop Managing UI JavaSnoop = awesome

24 Time left: 12 hours. It’s Thursday. THERE’S NOT ENOUGH TIME

25 Agenda Why hacking Java apps is practically difficult
Showing how JavaSnoop solves the problem Demos, videos, details

26 Step #1: Startup JavaSnoop
Okay, I can do that.

27 Okay, that’s easy too. Can I call myself a hacker now?
Step #2: Startup target Okay, that’s easy too. Can I call myself a hacker now?

28 Hurry up, only 8 hours left.
Step #3: Attach evil agent to target VM Java Agent Hurry up, only 8 hours left.

29 Aside: how do I know which Java process to target?

30 Let’s check “Tamper with parameters”. Clock is ticking.
Step #4: pick a method to hack and how Let’s check “Tamper with parameters”. Clock is ticking.

31 Can I start name dropping yet? Better yet, will you name drop me?
Step #5: JavaSnoop inserts a callback into method, which soon gets called Java Agent Can I start name dropping yet? Better yet, will you name drop me?

32 Step #6: Tamper with the data
Parameter # Parameter type Parameter value

33 Aside: JavaSnoop has custom views for editing Lists, Maps, Java primitives, arrays, byte arrays, and even custom objects

34 Step #7: Edit that carp. I’ll change that byte that contains my user ID, and hopefully the chat message will look like it came from Alice!

35 Step #8: Profit. You spoofed the message. A serious flaw. Time left: 2 hours. That was close.

36 Agenda Why hacking Java apps is practically difficult
Showing how JavaSnoop solves the problem Demos, videos, details

37 demo

38 Aside: How do I know which method to hook? Answer #1
Browse classes and their methods Search by method name Search by return type

39 Aside: How do I know which method to hook? Answer #2

40 Aside: How do I know which method to hook? Answer #3

41 Dailydaver’s guide to applets
Java VM Userland ACL-atraz Applet classes (sun.applet.*, sun.plugin2 .applet.*) Applet classloader Your classes (codebase param) Ring0 Core Java classes (/jre/lib) Supporting classes (/jre/lib/ext) Bootstrap classloader Extension classloader System classloader Runlevel 0 Runlevel 1 Runlevel 2

42 How come JavaSnoop turns off Java security when it runs?
Remember that evil Java agent we install in our target program? That little guy requires a lot of privileges to do the things he does Those privileges aren’t usually granted to untrusted applets (which is smart)

43 JavaSnoop doesn’t create new vulnerabilities.
It just makes finding and exploiting flaws in Java apps possible. And practical.

44 Supported Operating Systems
Windows XP/Vista/7 Mac OSX Linux

45 That’s all. Thanks to Dave (Wichers|Anderson|Lindner), Jeff Williams, Nick Sanidas, Mike Fauzy, Jon Passki, Jason Li, Eric Sheridan, basically all the engineers at Aspect Security and Marcin Weilsdfisdfsdklfsdf of GDS for help/feedback/code RIP #madcircle #dword Check it out for yourself: Arshan Dabirsiaghi

Download ppt "JavaSnoop how to hack anything in java arshan dabirsiaghi"

Similar presentations

Using T4Eclipse tool to Analyze Eclipse UI For t4eclipse version 1.2.1 Ben Xu July 17,2010.

Using T4Eclipse tool to Analyze Eclipse UI For t4eclipse version Ben Xu July 17,2010.
Mike Scott University of Texas at Austin

Mike Scott University of Texas at Austin
Unified Communications (UC) Quick Reference Guide USING YOUR UC CLIENT This guide is designed to provide you with a quick overview of the Unified Communications.

Unified Communications (UC) Quick Reference Guide USING YOUR UC CLIENT This guide is designed to provide you with a quick overview of the Unified Communications.
WEB SERVICES. FIRST AND FOREMOST - LINKS Tomcat 6.0 - AXIS2 -

WEB SERVICES. FIRST AND FOREMOST - LINKS Tomcat AXIS2 -
RollCall is a feature recently added to ControlSoft It allows you to have groups of devices checked periodically to see if they are working. The results.

RollCall is a feature recently added to ControlSoft It allows you to have groups of devices checked periodically to see if they are working. The results.
ACT! “Web” Plugins ACC Webinar (Part 1of 2) Brian Mowka and Jamie Aurand December 2010.

ACT! “Web” Plugins ACC Webinar (Part 1of 2) Brian Mowka and Jamie Aurand December 2010.
Thomas A. Stewart Literacy Test (OSSLT) Prep Guide 2013

Thomas A. Stewart Literacy Test (OSSLT) Prep Guide 2013
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Step 1 Goal Setting.

Step 1 Goal Setting.
E-Mail Try to be a good e-mailer AND NOT A PEST!! Use the left mouse button to advance through the slides.

Try to be a good er AND NOT A PEST!! Use the left mouse button to advance through the slides.
Introducing Extensive Reading

Introducing Extensive Reading
1 How Do I Order From.decimal? Rev 05/04/09 This instructional training document may be updated at anytime. Please visit www.dotdecimal.com and check the.

1 How Do I Order From.decimal? Rev 05/04/09 This instructional training document may be updated at anytime. Please visit and check the.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!

SO YOU WANT TO BE A HACKER? Maybe not yet, but you will at the end of the hour!
A Teenager’s Guide To Asexuality Am I Ace?. Am I Asexual? You’re not into sex the way other people are. You’re not sure you really get what people mean.

A Teenager’s Guide To Asexuality Am I Ace?. Am I Asexual? You’re not into sex the way other people are. You’re not sure you really get what people mean.
Don’t be bullied, or be a bully.

Don’t be bullied, or be a bully.
Getting Git to work with Eclipse: The least fun thing you’ll ever do By Orren Saltzman.

Getting Git to work with Eclipse: The least fun thing you’ll ever do By Orren Saltzman.
Hello, Pig! Hello, Rabbit! Look at this – I am making a list!

Hello, Pig! Hello, Rabbit! Look at this – I am making a list!
ECEU300 Ethics in the Workplace Why talk about Ethics? Everyone is ethical, everyone knows how to behave at work. Everyone gets it about not stealing stuff.

ECEU300 Ethics in the Workplace Why talk about Ethics? Everyone is ethical, everyone knows how to behave at work. Everyone gets it about not stealing stuff.
Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restricion Policies”

Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restricion Policies”

Similar presentations

Ads by Google