how to hack anything in java arshan dabirsiaghi director
play

how to hack anything in java arshan dabirsiaghi director of - PowerPoint PPT Presentation

Jan 31, 2024 •414 likes •871 views

how to hack anything in java arshan dabirsiaghi director of research aspect security http://www.aspectsecurity.com/ http://i8jesus.com/ @nahsra Any more detail is theoretically irrelevant. A client is a client. Why hacking Java apps is

  1. how to hack anything in java arshan dabirsiaghi director of research aspect security http://www.aspectsecurity.com/ http://i8jesus.com/ @nahsra

  2. Any more detail is theoretically irrelevant. A client is a client.

  3. Why hacking Java apps is practically difficult Showing how JavaSnoop solves the problem Demos, videos, details

  5.  No problem we do it all the time!! What’s an applet again?  Absolutely. I can scan that with WebInspect, right?

  6. Zero intel on applet. Looks to be some kind of chat thing. Not sure about protocols, exit points, data types. After eating Panda Express and bitching about lack of useful docs, time left: 38 hours.

  7. 1. Pray it uses HTTP 2. Pray it has configurable proxy settings 3. Pray it doesn’t use serialized objects/ layer 7.5 encryption/custom protocols MITM yourself Applet Server

  8.  I setup Wireshark to look at the data.  Crap, it’s not HTTP. It’s some kind of bizarro protocol. That rules out Ethereal/Middler too.

  9. 1. Grab classes/jars 2. Decompile them 3. Perform source code review Theoretical next steps: 4. Alter code 5. Recompile evil client 6. Send custom attacks Real next steps: 4. Alter code 5. Nothing compiles/works 6. Tests never happen or are invalid

  10. 1. I download the applet codebase. 2. I decompile the codebase. 3. I load the decompiled code into Eclipse.  Are you serious? 3800+ errors? Is every single line of code broken?

  11. 1. Pray the endpoints are HTTP 2. Pray it doesn’t require client certificates 3. Pray it doesn’t use serialized objects/ layer 7.5 encryption/custom protocols Fiddler, Burp, Application Webscarab, SoapUI endpoints

  12.  Tried to talk to the server.  Not sure about this traffic - some new raw-byte protocol?  F*#&ing stupid Java s*%#, mother*@#& bananas.  Entering Mel Gibson rage.

  13. If only there was a “WebScarab” or “Burp”, but for the Java Virtual Machine. If there was, I could tamper with method parameters like HTTP traffic. That certainly would have made Scary Movie 3 easier to make. Also, I love you Arshan. -- Anna Faris

  14. we miss you pdp, come back

  17. Target application Our evil hacking program (JavaSnoop) Method parameters Tampered method parameters Return value Tampered return value

  18.  Have to read up on instrumentation.  Time left: 20 hours.  Am I really good at my job? Maybe I should have stayed in development/ snarky Slashdot commenting.

  20. Example of wedging in a println() at the top and bottom of a function.

  21. Java VM Userland Custom classes (java.class.path) Ring0 Core Java Supporting classes classes (/jre/lib) (/jre/lib/ext) Java Agent Bootstrap Extension System classloader classloader classloader Runlevel 0 Runlevel 1 Runlevel 2

  22. Java VM Userland Custom classes (java.class.path) Java Agent Ring0 Core Java Supporting classes classes (/jre/lib) (/jre/lib/ext) Bootstrap Extension System classloader classloader classloader Runlevel 0 Runlevel 1 Runlevel 2

  23. Java Snoop Agent JavaSnoop Java Snoop Managing UI = awesome

  25. Why hacking Java apps is practically difficult Showing how JavaSnoop solves the problem Demos, videos, details

  26. Step #1: Startup JavaSnoop

  27. Step #2: Startup target

  28. Step #3: Attach evil agent to target VM Java Agent

  30. Step #4: pick a method to hack and how

  31. Step #5: JavaSnoop inserts a callback into method, which soon gets called Java Agent

  32. Step #6: Tamper with the data Parameter # Parameter type Parameter value

  34. Step #7: Edit that carp.

  35. Step #8: Profit.

  36. Why hacking Java apps is practically difficult Showing how JavaSnoop solves the problem Demos, videos, details

  38.  Browse classes and their methods  Search by method name  Search by return type

  41. Java VM Userland ACL-atraz Applet classes Your classes (sun.applet.*, Applet (codebase sun.plugin2 .a classloader param) pplet.*) Ring0 Core Java Supporting classes classes (/jre/lib) (/jre/lib/ext) Bootstrap Extension System classloader classloader classloader Runlevel 0 Runlevel 1 Runlevel 2

  42.  Remember that evil Java agent we install in our target program?  That little guy requires a lot of privileges to do the things he does  Those privileges aren’t usually granted to untrusted applets (which is smart)

  44.  Windows XP/Vista/7  Mac OSX  Linux

  45.  Thanks to Dave (Wichers|Anderson|Lindner), Jeff Williams, Nick Sanidas, Mike Fauzy, Jon Passki, Jason Li, Eric Sheridan, basically all the engineers at Aspect Security and Marcin Weilsdfisdfsdklfsdf of GDS for help/feedback/ code  RIP #madcircle #dword  Check it out for yourself: http://www.aspectsecurity.com/tools/javasnoop/ Arshan Dabirsiaghi http://i8jesus.com/ http://twitter.com/nahsra

Recommend

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes Viral on Twitter By using our site, you acknowledge that you have read and understand our Cookie PolicyPrivacy Policyand our Terms of Service.

1.1k views • 3 slides
Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want FREEDOM! We want to use PEP313! Before we hack, Learn the internals Lexing - Tokenization - Read #define NEWLINE 4 #define INDENT

670 views • 36 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where are the weaknesses? What are the security implications? Security Compass and NFC Currently we are devoting a lot of energy towards NFC

704 views • 35 slides
ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly 1, Paintings and Drawings by Vincent van Gogh Digitized and Put Online | Hacker News For people who don't live close to huge cities with big

269 views • 3 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc.

SCADA Security: Why is it so hard? Amol Sarwate, Director of Vulnerability Labs, Qualys Inc. June 22, 2012 HACK IN PARIS Agenda SCADA Basics Threats (where, why & how) Challenges Recommendations and Proposals ScadaScan tool HACK

997 views • 65 slides
SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland university computer science 1 Another kind of CFGs p D ( ) x e x e D ( ) q Effects on edges. Nodes called Nodes are

310 views • 19 slides
FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1 FC2015-RSDYK - Hack Pilot project: RSDYK2008 Trial to establish whether remote sensing in combination with geological knowledge can be used for

826 views • 10 slides
Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017 Saarland University, Computer Science 1 Code Generation Consists (roughly) of three parts: 1. Instruction Selection Select processor instructions for

282 views • 9 slides
SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make Your Boots Slip-Proof May 18, Attach your Water hose. Wet your slide, this just helps for the first few slides. Once the kids get going, their

308 views • 3 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland university computer science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy from x 2

223 views • 20 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland University, Computer Science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy

394 views • 22 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

# ./jflow.d <- java/lang/Thread.sleep -> Greeting.greet -> java/io/PrintStream.println -> java/io/PrintStream.print -> java/io/PrintStream.write -> java/io/PrintStream.ensureOpen <- java/io/PrintStream.ensureOpen ->

632 views • 34 slides
Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp .. -jar myapp.jar Java 9 java -cp .. -jar myapp.jar Today's journey Running on Java 9 Java 9 modules Migrating to modules Modularising code

851 views • 45 slides
C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well. Focus on differences between C and Java. Arithmetic Operators Most

152 views • 14 slides
Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

C is a high level language (HLL) Its syntax is much the same as Java and C++, but no objects. Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3 Why C ? 1. Millions of lines of code have been

377 views • 23 slides
JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

BR 11/05 JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform, provides an interface between Java programs and distributed objects and services built using the Common Object Request Broker

355 views • 31 slides
JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

Poly- mor- phism Abstra ction Class OOP Inheri -tance En- capsu- lation Kuan-Ting Lai JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM) http://net-informations.com/java/intro/jvm.htm Java Overview

660 views • 44 slides
RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA 8 HISTORIC TIMES Collections Iterators For loops If-else statements WORD COUNT CODE Pre Java 8 Stream examples Get the unique

489 views • 19 slides
The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what we have been calling B.java BTest.java Unit Testing . C.java CTest.java Some definitions ISQTB: Searches for defects in, and verifies the

604 views • 17 slides

More recommend