how to hack anything in java arshan dabirsiaghi director
play

how to hack anything in java arshan dabirsiaghi director of - PowerPoint PPT Presentation

Jan 31, 2024 •414 likes •871 views

how to hack anything in java arshan dabirsiaghi director of research aspect security http://www.aspectsecurity.com/ http://i8jesus.com/ @nahsra Any more detail is theoretically irrelevant. A client is a client. Why hacking Java apps is

  1. how to hack anything in java arshan dabirsiaghi director of research aspect security http://www.aspectsecurity.com/ http://i8jesus.com/ @nahsra

  2. Any more detail is theoretically irrelevant. A client is a client.

  3. Why hacking Java apps is practically difficult Showing how JavaSnoop solves the problem Demos, videos, details

  5.  No problem we do it all the time!! What’s an applet again?  Absolutely. I can scan that with WebInspect, right?

  6. Zero intel on applet. Looks to be some kind of chat thing. Not sure about protocols, exit points, data types. After eating Panda Express and bitching about lack of useful docs, time left: 38 hours.

  7. 1. Pray it uses HTTP 2. Pray it has configurable proxy settings 3. Pray it doesn’t use serialized objects/ layer 7.5 encryption/custom protocols MITM yourself Applet Server

  8.  I setup Wireshark to look at the data.  Crap, it’s not HTTP. It’s some kind of bizarro protocol. That rules out Ethereal/Middler too.

  9. 1. Grab classes/jars 2. Decompile them 3. Perform source code review Theoretical next steps: 4. Alter code 5. Recompile evil client 6. Send custom attacks Real next steps: 4. Alter code 5. Nothing compiles/works 6. Tests never happen or are invalid

  10. 1. I download the applet codebase. 2. I decompile the codebase. 3. I load the decompiled code into Eclipse.  Are you serious? 3800+ errors? Is every single line of code broken?

  11. 1. Pray the endpoints are HTTP 2. Pray it doesn’t require client certificates 3. Pray it doesn’t use serialized objects/ layer 7.5 encryption/custom protocols Fiddler, Burp, Application Webscarab, SoapUI endpoints

  12.  Tried to talk to the server.  Not sure about this traffic - some new raw-byte protocol?  F*#&ing stupid Java s*%#, mother*@#& bananas.  Entering Mel Gibson rage.

  13. If only there was a “WebScarab” or “Burp”, but for the Java Virtual Machine. If there was, I could tamper with method parameters like HTTP traffic. That certainly would have made Scary Movie 3 easier to make. Also, I love you Arshan. -- Anna Faris

  14. we miss you pdp, come back

  17. Target application Our evil hacking program (JavaSnoop) Method parameters Tampered method parameters Return value Tampered return value

  18.  Have to read up on instrumentation.  Time left: 20 hours.  Am I really good at my job? Maybe I should have stayed in development/ snarky Slashdot commenting.

  20. Example of wedging in a println() at the top and bottom of a function.

  21. Java VM Userland Custom classes (java.class.path) Ring0 Core Java Supporting classes classes (/jre/lib) (/jre/lib/ext) Java Agent Bootstrap Extension System classloader classloader classloader Runlevel 0 Runlevel 1 Runlevel 2

  22. Java VM Userland Custom classes (java.class.path) Java Agent Ring0 Core Java Supporting classes classes (/jre/lib) (/jre/lib/ext) Bootstrap Extension System classloader classloader classloader Runlevel 0 Runlevel 1 Runlevel 2

  23. Java Snoop Agent JavaSnoop Java Snoop Managing UI = awesome

  25. Why hacking Java apps is practically difficult Showing how JavaSnoop solves the problem Demos, videos, details

  26. Step #1: Startup JavaSnoop

  27. Step #2: Startup target

  28. Step #3: Attach evil agent to target VM Java Agent

  30. Step #4: pick a method to hack and how

  31. Step #5: JavaSnoop inserts a callback into method, which soon gets called Java Agent

  32. Step #6: Tamper with the data Parameter # Parameter type Parameter value

  34. Step #7: Edit that carp.

  35. Step #8: Profit.

  36. Why hacking Java apps is practically difficult Showing how JavaSnoop solves the problem Demos, videos, details

  38.  Browse classes and their methods  Search by method name  Search by return type

  41. Java VM Userland ACL-atraz Applet classes Your classes (sun.applet.*, Applet (codebase sun.plugin2 .a classloader param) pplet.*) Ring0 Core Java Supporting classes classes (/jre/lib) (/jre/lib/ext) Bootstrap Extension System classloader classloader classloader Runlevel 0 Runlevel 1 Runlevel 2

  42.  Remember that evil Java agent we install in our target program?  That little guy requires a lot of privileges to do the things he does  Those privileges aren’t usually granted to untrusted applets (which is smart)

  44.  Windows XP/Vista/7  Mac OSX  Linux

  45.  Thanks to Dave (Wichers|Anderson|Lindner), Jeff Williams, Nick Sanidas, Mike Fauzy, Jon Passki, Jason Li, Eric Sheridan, basically all the engineers at Aspect Security and Marcin Weilsdfisdfsdklfsdf of GDS for help/feedback/ code  RIP #madcircle #dword  Check it out for yourself: http://www.aspectsecurity.com/tools/javasnoop/ Arshan Dabirsiaghi http://i8jesus.com/ http://twitter.com/nahsra

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes Viral on Twitter By using our site, you acknowledge that you have read and understand our Cookie PolicyPrivacy Policyand our Terms of Service.

1.1k views • 3 slides
Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want FREEDOM! We want to use PEP313! Before we hack, Learn the internals Lexing - Tokenization - Read #define NEWLINE 4 #define INDENT

670 views • 36 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where are the weaknesses? What are the security implications? Security Compass and NFC Currently we are devoting a lot of energy towards NFC

704 views • 35 slides
ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly 1, Paintings and Drawings by Vincent van Gogh Digitized and Put Online | Hacker News For people who don't live close to huge cities with big

269 views • 3 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. June 22, 2012 HACK IN PARIS Agenda SCADA Basics Threats (where, why & how) Challenges Recommendations and Proposals ScadaScan tool HACK

997 views • 65 slides
SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland university computer science 1 Another kind of CFGs p D ( ) x e x e D ( ) q Effects on edges. Nodes called Nodes are

310 views • 19 slides
FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1 FC2015-RSDYK - Hack Pilot project: RSDYK2008 Trial to establish whether remote sensing in combination with geological knowledge can be used for

826 views • 10 slides
Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017 Saarland University, Computer Science 1 Code Generation Consists (roughly) of three parts: 1. Instruction Selection Select processor instructions for

282 views • 9 slides
SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make Your Boots Slip-Proof May 18, Attach your Water hose. Wet your slide, this just helps for the first few slides. Once the kids get going, their

308 views • 3 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland university computer science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy from x 2

223 views • 20 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland University, Computer Science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy

394 views • 22 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
EAAI 17 Ethics Panel Ben Kuipers, Illah Nourbhaksh, Judy Goldsmith February 6, 2017 Ben

EAAI 17 Ethics Panel Ben Kuipers, Illah Nourbhaksh, Judy Goldsmith February 6, 2017 Ben

EAAI 17 Ethics Panel Ben Kuipers, Illah Nourbhaksh, Judy Goldsmith February 6, 2017 Ben Kuipers, Illah Nourbhaksh, Judy Goldsmith Ethics Panel February 6, 2017 1 / 8 Introduction to Judy Goldsmiths Section Descriptive vs.

403 views • 8 slides
Best practices for building large GWT applications Heiko Braun <hbraun@redhat.com> About

Best practices for building large GWT applications Heiko Braun <hbraun@redhat.com> About

Best practices for building large GWT applications Heiko Braun <hbraun@redhat.com> About me Heiko Braun Senior Software Engineer JBoss / Red Hat 4 years JBoss, 12 years industry Focus on SOA, BPM, GWT Contributor:

489 views • 26 slides
Best practices for building large GWT applications Heiko Braun <hbraun@redhat.com> About

Best practices for building large GWT applications Heiko Braun <hbraun@redhat.com> About

Best practices for building large GWT applications Heiko Braun <hbraun@redhat.com> About me Heiko Braun Senior Software Engineer JBoss / Red Hat 4 years JBoss, 12 years industry Focus on SOA, BPM, GWT Contributor:

510 views • 31 slides
NIFA Reporting Web Conference October 11, 2018 Start Recording Adam Preuter Adam is

NIFA Reporting Web Conference October 11, 2018 Start Recording Adam Preuter Adam is

NIFA Reporting Web Conference October 11, 2018 Start Recording Adam Preuter Adam is the Business Manager for the REEport system. Adam supports the planning, development, coordination, and delivery of accountability and financial

530 views • 30 slides
Quaternionic geometry in 8 dimensions Simon Salamon Differential Geometry in the Large In honor

Quaternionic geometry in 8 dimensions Simon Salamon Differential Geometry in the Large In honor

Quaternionic geometry in 8 dimensions Simon Salamon Differential Geometry in the Large In honor of Wolfgang Meyer, Florence, 14 July 2016 Four categories of manifolds 1/20 . . . all equipped with an action of I , J , K on each tangent space T

330 views • 21 slides
The Category TOF Robin Cockett, Cole Comfort University of Calgary June 6, 2018 1/33

The Category TOF Robin Cockett, Cole Comfort University of Calgary June 6, 2018 1/33

Background The Category TOF TOF is a Discrete Inverse Category Generalized controlled-not Gates Completeness of TOF The Category TOF Robin Cockett, Cole Comfort University of Calgary June 6, 2018 1/33 Background The Category TOF TOF is a

775 views • 33 slides
A Hierarchical Design Methodology for Multibody Systems with Frictional Contacts Vijay Kumar

A Hierarchical Design Methodology for Multibody Systems with Frictional Contacts Vijay Kumar

A Hierarchical Design Methodology for Multibody Systems with Frictional Contacts Vijay Kumar GRASP Lab Mechanical Engineering and Applied Mechanics Computer and Information Science University of Pennsylvania Joint work with Bharath

387 views • 37 slides
How false is the Hirsch Conjecture? Francisco Santos http://personales.unican.es/santosf

How false is the Hirsch Conjecture? Francisco Santos http://personales.unican.es/santosf

The counter-example(s) Asymptotic diameter Simplicial complexes Connected layer families How false is the Hirsch Conjecture? Francisco Santos http://personales.unican.es/santosf Departamento de Matemticas, Estadstica y Computacin

1.84k views • 149 slides

More recommend