The Payload must be written in portable Java and compiled to a .class file before the server is started; the server only serves bytes it already has on disk.
Function introduction
1. Adopt client-server architecture;
2. Support remote loading of Java class files;
3. Encrypt data in transit with the ChaCha20 cipher under a shared 256-bit symmetric key;
4. Support custom configuration of the tool through parameters;
5. Keepalive mode, in which the client keeps polling the server for the class file, so communication is re-established automatically if the server restarts;
Tool operation mechanism
Tool installation
The tool runs on Windows and Linux and requires OpenJDK 11: a JDK (javac) to compile the Payload class and a JRE to run the JAR. Because of the tool's dependencies (ChaCha20 support in javax.crypto arrived in Java 11), researchers should use Java 11 or later.
OpenJDK/Java 11 download address: 【Gateway】
Next, use the following command to clone the project source code to the local machine:
git clone https://github.com/joaovarelas/java-remote-class-loader.git
Tool usage
$ java -jar java-class-loader.jar -help
usage: Main
 -address <arg>      Target device IP / bound server address
 -classfile <arg>    Filename of the .class file to be remotely loaded (default: Payload.class)
 -classmethod <arg>  Name of the method to be called (default: exec)
 -classname <arg>    Class name (default: Payload)
 -client             Run as a client
 -help               Print tool help information
 -keepalive          Keep the client fetching Java class files from the server every X seconds (default: 3 seconds)
 -key <arg>          Set a 256-bit key in Base64 format; if not specified, a new key will be generated
 -port <arg>         Port to connect to (client) / port to bind (server)
 -server             Run as server
Tool usage example
Assume your Payload.java file contains the following payload (a Hello World) whose public static exec() method returns a String:
// Payload.java
public class Payload {
    public static String exec() {
        String output = "";
        try {
            output = "Hello world from client!";
        } catch (Exception e) {
            e.printStackTrace();
        }
        return output;
    }
}
Next, compile Payload.java with javac to produce the corresponding Payload.class file. Compile it with the same Java version (or an older target) than the one the client runs, otherwise the client's class loader will reject the class file version.
After the Java class file is generated, we can run the server-side process and listen on port 1337 of all network interfaces:
$ java -jar java-class-loader.jar -server -address 0.0.0.0 -port 1337 -classfile Payload.class
Running as server
Server running on 0.0.0.0:1337
Generated new key: TOU3TLn1QsayL1K6tbNOzDK69MstouEyNLMGqzqNIrQ=
On the client side, run the same JAR with the "-client" flag, pass the symmetric key generated by the server with "-key", and specify the IP address and port of the server to connect to. The class name and method can also be changed (defaults: Payload and String exec()). The "-keepalive" flag keeps the client polling the server for the class file at a fixed interval. Note that the client is the side that executes whatever class the server sends it, so whoever holds the Base64 key and can answer the client's connection gets code execution on that host; treat the key as a credential, and remember that a key passed on the command line is visible in process listings.
$ java -jar java-class-loader.jar -client -address 192.168.1.73 -port 1337 -key TOU3TLn1QsayL1K6tbNOzDK69MstouEyNLMGqzqNIrQ=
Running as client
Connecting to 192.168.1.73:1337
Received 593 bytes from server
Output from invoked class method: Hello world from client!
Sent 24 bytes to server
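The mechanism behind the exchange above (a shared 256-bit ChaCha20 key handed over as Base64, class bytes encrypted by the server, decrypted and defined in memory by the client, then exec() invoked by reflection) is shown below as an added, self-contained Java 11 example. It is not JRCL's own code: the wire framing (a random 12-byte nonce prepended to the ChaCha20-Poly1305 ciphertext), the class names RclDemo and MemoryClassLoader, and the in-process javac step used to produce Payload.class without a network are this example's assumptions. It needs a JDK, not just a JRE, because it compiles the page's Payload source at runtime.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class RclDemo {
    // Payload source from the page, compiled in-process so the demo runs offline (assumption: a JDK is present).
    static final String PAYLOAD_SRC = String.join("\n",
        "public class Payload {",
        "    public static String exec() { return \"Hello world from client!\"; }",
        "}");

    // Loader that turns raw bytes into a Class without writing anything to disk.
    static class MemoryClassLoader extends ClassLoader {
        MemoryClassLoader(ClassLoader parent) { super(parent); }
        Class<?> define(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    // Stand-in for "javac Payload.java": returns the bytes the server would read from Payload.class.
    static byte[] compile(String className, String source) throws Exception {
        Path dir = Files.createTempDirectory("rcl");
        Path src = dir.resolve(className + ".java");
        Files.writeString(src, source);
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("a JDK (javac) is required, not a JRE");
        if (javac.run(null, null, null, "-d", dir.toString(), src.toString()) != 0)
            throw new IllegalStateException("javac failed");
        return Files.readAllBytes(dir.resolve(className + ".class"));
    }

    // Server side: encrypt the class file under the shared key. Framing = nonce || ciphertext || tag (assumed).
    static byte[] seal(SecretKey key, byte[] classBytes) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);            // fresh nonce per message; never reuse with one key
        Cipher c = Cipher.getInstance("ChaCha20-Poly1305");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        byte[] ct = c.doFinal(classBytes);
        byte[] frame = new byte[12 + ct.length];
        System.arraycopy(nonce, 0, frame, 0, 12);
        System.arraycopy(ct, 0, frame, 12, ct.length);
        return frame;
    }

    // Client side: authenticate and decrypt, define the class in memory, invoke the static method by name.
    static String openAndRun(SecretKey key, byte[] frame, String className, String method) throws Exception {
        Cipher c = Cipher.getInstance("ChaCha20-Poly1305");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(Arrays.copyOfRange(frame, 0, 12)));
        byte[] classBytes = c.doFinal(frame, 12, frame.length - 12);   // throws AEADBadTagException if tampered
        Class<?> cls = new MemoryClassLoader(RclDemo.class.getClassLoader()).define(className, classBytes);
        Method m = cls.getMethod(method);                                // public static String exec()
        return String.valueOf(m.invoke(null));
    }

    public static void main(String[] args) throws Exception {
        // Key handling as on the page: the server prints a Base64 256-bit key, the operator passes it to -key.
        SecretKey generated = KeyGenerator.getInstance("ChaCha20").generateKey();
        String keyB64 = Base64.getEncoder().encodeToString(generated.getEncoded());
        System.out.println("Generated new key: " + keyB64);
        SecretKey key = new SecretKeySpec(Base64.getDecoder().decode(keyB64), "ChaCha20");

        byte[] classBytes = compile("Payload", PAYLOAD_SRC);
        byte[] frame = seal(key, classBytes);
        System.out.println("Frame size: " + frame.length + " bytes");
        System.out.println("Output from invoked class method: " + openAndRun(key, frame, "Payload", "exec"));

        // Flip one ciphertext byte: the Poly1305 tag check fails and no class is ever defined.
        frame[frame.length - 1] ^= 1;
        try {
            openAndRun(key, frame, "Payload", "exec");
        } catch (AEADBadTagException e) {
            System.out.println("Tampered frame rejected before class loading");
        }
    }
}
```

Run it with `java RclDemo.java` on JDK 11 or later. The point to take from the last step is that an AEAD mode makes the client refuse modified class bytes, but it does nothing against anyone who already has the key: that party can serve the client any class it likes.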
Project address
JRCL:【GitHub Gateway】
Reference materials
https://vrls.ws/posts/2022/08/building-a-remote-class-loader-in-java/
https://github.com/rebeyond/Behinder
https://github.com/AntSwordProject/antSword
https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/
https://www.sangfor.com/blog/cybersecurity/behinder-v30-analysis
https://medium.com/@m01e/jsp-webshell-cookbook-part-1-6836844ceee7
https://venishjoe.net/post/dynamically-load-compiled-java-class/
https://users.cs.jmu.edu/bernstdh/web/common/lectures/slides_class-loaders_remote.php
https://www.javainterviewpoint.com/chacha20-poly1305-encryption-and-decryption/
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/ClassLoader.html
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/reflect/Method.html
