java shellcode execution
JAVA SH3LL C0DE EXECUTION
Me
Ryan Wincey - Security Researcher, Coder, Penetration Tester
WHY JAVA
• CROSS-PLATFORM
• EXTENSIVE LIBRARY
• WIDELY DEPLOYED
PROBLEM:
HOW CAN I RUN SHELLCODE FROM JAVA?
// NOPS (the usual C harness: treat the byte buffer as a function and call it)
char shellcode[] = "\x90\x90\x90\x90";

int main(int argc, char **argv) {
    int (*f)();
    f = (int (*)())shellcode;
    (int)(*f)();
}
http://blog.strategiccyber.com/2013/08/29/how-to-inject-shellcode-from-java/
https://github.com/schierlm/JavaPayload
package javapayload.stage;

/**
 * Running shellcode from Java without JNI (i. e. loading a DLL from disk).
 *
 * (c) 2011 Michael Schierl <schierlm at gmx dot de> (Twitter @mihi42)
 *
 * This version has been tested on:
 *
 * Oracle 1.4.2_11 Win32 (-client, -server)
 * Oracle 1.5.0_06 Win32 (-client, -server)
 * Oracle 1.6.0_19 Win32 (-client, -server)
 * Oracle 1.7.0_01 Win32 (-client, -server)
 *
 * Oracle 1.6.0_26 Linux32 (-client, -server)
 * Oracle 1.7.0_01 Linux32 (-client, -server)
 */
http://www.research.ibm.com/trl/projects/jit/index_e.htm
DEMO
//===========================================================================
/**
 * Java method that gets overwritten by shellcode.
 * The native method pointer is then overwritten with a
 * pointer to this method.
 */
private static void jitme() {
    executed = true;
    // On x86: each volatile inc/dec needs 18 bytes,
    // all 320 of them need 5760 bytes,
    // whole JIT method needs 5842 bytes.
    // If you need more shellcode, make a longer method.
    // (v1..v5 and executed are volatile fields of the enclosing class; only an excerpt is shown here.)
    v1++; v2++; v3++; v4++; v5++;
    v1++; v2++; v3++; v4++; v5--;
    v1++; v2++; v3++; v4--; v5++;
    v1++; v2++; v3++; v4--; v5--;
    v1++; v2++; v3--; v4++; v5++;
    v1++; v2++; v3--; v4++; v5--;
    v1++; v2++; v3--; v4--; v5++;
    v1++; v2++; v3--; v4--; v5--;
    v1++; v2--; v3++; v4++; v5++;
    v1++; v2--; v3++; v4++; v5--;
    v1++; v2--; v3++; v4--; v5++;
    v1++; v2--; v3++; v4--; v5--;
    v1++; v2--; v3--; v4++; v5++;
    v1++; v2--; v3--; v4++; v5--;
    v1++; v2--; v3--; v4--; v5++;
    v1++; v2--; v3--; v4--; v5--;
    executed = true;
}
DEMO2
Questions?
Ryan Wincey @rwincey [email protected]
https://github.com/rwincey
Contacts
Michael Schierl @mihi42 https://github.com/schierlm/JavaPayload