• Like
The jar of joy
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Presentation by Ian de Villiers at ZaCon 2 about exploiting java. …

Presentation by Ian de Villiers at ZaCon 2 about exploiting java.

This presentation is about instrumenting java applications. it begins with an explanation of what a jar file is. The difficulties in attacking java, such as signing and obfuscation are discussed. How to overcome these difficulties is also discussed. The presentation ends with a walkthrough example of how to instrument a java application.

Published in Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. The JAR of JoySensePost - 2010
  • 2. `whoami`•  SensePost•  ian@sensepost.com –  Break some stuff –  Write reports about breaking some stuff –  Abuse the staff SensePost - 2010
  • 3. Why This Talk ?•  import disclaimer;•  Not ground breaking stuff – no 0-day•  Java applications and applets appear to be popular again•  Reversing Java applications can be difficult•  Tips for reversing Java in less time (in my experience in any case)… SensePost - 2010
  • 4. The JAR File•  Java ARchive•  Used to distribute Java applications / applets etc.•  ZIP file containing compiled classes, libraries, settings, certificates, *•  Trivial to extract•  Normally disclose a vast amount of information SensePost - 2010
  • 5. Attacking Java is fun•  Trivial to reverse engineer•  Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…•  …but all wrapped up in increased sense of developer smugness•  Repurposed Java applications make *awesome* attack tools SensePost - 2010
  • 6. Difficulties Attacking Java•  Many classes and libraries in JAR files of complex applications•  Class files often do not decompile cleanly•  Impossible to fix all java sources in large application•  Applets and applications are frequently signed•  Obfuscated Code•  Frequently have to rely on other tools too… SensePost - 2010
  • 7. Defeating Signing•  Certificate information stored in META-INF•  MANIFEST.MF contains hashes for resources•  These files can easily be deleted… SensePost - 2010
  • 8. What this Means•  Now possible to modify classes in JAR file•  Signing normally used specifically for Java applets –  Allow applets to access network resources –  Allow applets to read / write files•  However, the applet runs on *my* machine –  Can specify own security model… SensePost - 2010
  • 9. Obfuscation•  Defeating Java obfuscation is difficult•  Depends on the obfuscation mechanism used•  In most cases, virtually impossible…•  … however, the newer attack methodologies outlined later will help …but wait – there is more… SensePost - 2010
  • 10. Obfuscation•  A bunch of classes depending on reflection methods and serialized objects can not normally be obfuscated…•  … in obfuscated applications this provides us with a nice area to attack  SensePost - 2010
  • 11. Java Quick Kills•  Not necessary to fix all compiler errors•  Only need to fix specific classes with functionality you need –  Sanitisation libraries –  Network Stream libraries•  Updated classes can be recompiled with the original JAR file to satisfy dependancies SensePost - 2010
  • 12. Demo and Walkthrough•  Decompile Application and export sources SensePost - 2010
  • 13. Demo and Walkthrough•  Identify key source files and include in project SensePost - 2010
  • 14. Demo and Walkthrough•  Remove compiled class files from original JAR•  Rebuild JAR file SensePost - 2010
  • 15. Demo and Walkthrough•  Link modified JAR file to compiler CLASSPATH SensePost - 2010
  • 16. Demo and Walkthrough•  Modify source code and run… SensePost - 2010
  • 17. Demo and Walkthrough•  Repurposing uses the same technique…•  … but changes the functionality in order to turn the application into an attack tool SensePost - 2010
  • 18. Newer Attack Methods•  New research and toolsets make reversing and recompiling unneccessary… •  Also make it easier to attack obfuscated applications•  Cannot always be used for repurposing  SensePost - 2010
  • 19. BlackHat Europe – 2010•  Manish Saindane –  Demonstrated attacks against serialized objects –  Provided Burp plug-in to view and modify serialized objectshttp://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html SensePost - 2010
  • 20. Demo – Serialized Objects SensePost - 2010
  • 21. BlackHat Las Vegas – 2010 •  Arshan Dabirsiaghi –  JavaSnoop : How to Hack Anything Written in Java •  Stephen de Vries –  Hacking Java Clients •  Both talks outlined new methods for attacking Java Applications http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html SensePost - 2010
  • 22. Demo – JavaSnoop SensePost - 2010
  • 23. In Summary•  Java reversing is fun•  Java reversing can be easy•  Newer attack methodologies no longer require attackers to reverse the application•  Traditional reversing techniques still normally apply for repurposing applications SensePost - 2010
  • 24. Ta Muchly•  ZaCon folkses  SensePost - 2010
  • 25. Questions ?ian@sensepost.com SensePost - 2010