java shellcode execution

Report

Post on 19-Nov-2014

884 Views

Category:

Technology

2 Downloads

Preview:

Click to see full reader

DESCRIPTION

 

TRANSCRIPT

JAVA

EXECUTION

SH3LL C0DE

Me

Ryan Wincey

-Security Researcher-Coder-Penetration Tester

Me

WHY JAVA

WHY JAVA

WHY JAVA•CROSS-

PLATFORM

WHY JAVA•CROSS-

PLATFORM•EXTENSIVE LIBRARY

WHY JAVA•CROSS-

PLATFORM•EXTENSIVE LIBRARY•WIDELY

DEPLOYED

PROBLEM:

PROBLEM:

HOW CAN I RUN SHELLCODE FROM

JAVA?

 #NOPSchar shellcode[] = "\x90\x90\x90\x90”   int main(int argc, char **argv){

int (*f)();        f = (int (*)())shellcode;        (int)(*f)();}

http://blog.strategiccyber.com/2013/08/29/how-to-inject-shellcode-from-java/

https://github.com/schierlm/JavaPayload. 

package javapayload.stage;/** Running shellcode from Java without JNI (i. e. loading a DLL from disk).(c) 2011 Michael Schierl <schierlm at gmx dot de> (Twitter @mihi42)

* This version has been tested on:* * Oracle 1.4.2_11 Win32 (-client, -server)* Oracle 1.5.0_06 Win32 (-client, -server) * Oracle 1.6.0_19 Win32 (-client, -server)* Oracle 1.7.0_01 Win32 (-client, -server)* * Oracle 1.6.0_26 Linux32 (-client, -server)* Oracle 1.7.0_01 Linux32 (-client, -server)

http://www.research.ibm.com/trl/projects/jit/index_e.htm

DEMO

//=========================================================================== /** * Java method that gets overwritten by shellcode * The native method pointer is then overwritten with a * pointer to this method */ private static void jitme() { executed = true;

// On x86: each volatile inc/dec needs 18 bytes, // all 320 of them need 5760 bytes, // whole JIT method needs 5842 bytes. // if you need more shellcode, make a longer method v1++; v2++; v3++; v4++; v5++; v1++; v2++; v3++; v4++; v5--; v1++; v2++; v3++; v4--; v5++; v1++; v2++; v3++; v4--; v5--; v1++; v2++; v3--; v4++; v5++; v1++; v2++; v3--; v4++; v5--; v1++; v2++; v3--; v4--; v5++; v1++; v2++; v3--; v4--; v5--; v1++; v2--; v3++; v4++; v5++; v1++; v2--; v3++; v4++; v5--; v1++; v2--; v3++; v4--; v5++; v1++; v2--; v3++; v4--; v5--; v1++; v2--; v3--; v4++; v5++; v1++; v2--; v3--; v4++; v5--; v1++; v2--; v3--; v4--; v5++; v1++; v2--; v3--; v4--; v5--; executed = true;

DEMO2

Questions?

Ryan Wincey @rwincey winceyr@gmail.com

      https://github.com/rwincey

Contacts

Michael Schierl @mihi42https://github.com/schierlm/

JavaPayload

top related

jsguard: shellcode detection in...
Documents
shellcode analysis - basic and concept
Data & Analytics
verification of java programs using symbolic execution ·...
Documents
distribution of execution times for sorting algorithms...
Documents
linux shellcode disassembling
Technology
a uniform transactional execution environment for java
Documents
syscan 2016 - remote code execution via java native...
Technology
[2014.11.18] java script execution environment survey
Engineering
shellcode · 2018. 3. 1. · shellcode shellcode properties...
Documents
edsketch: execution-driven sketching for java
Software
extracting sequence diagram from execution trace of java...
Documents
shellcode injection
Technology
symbolic execution of java...
Documents
shellcode detection in ipv6 networks with honeydv6 · 2017....
Documents
verification of java programs using symbolic execution and
Documents
building java programs chapter 4 conditional execution
Documents
jvm plays an important role in execution of java program
Education
wlsi windows local shellcode injection - black hat€¦ ·...
Documents
shellcode detection in ipv6 networks with honeydv6 ·...
Documents
a new execution model for nashorn in java 9
Internet