Nmap Development mailing list archives

[NSE] Announcing jdwp library and scripts


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Sun, 12 Aug 2012 20:33:47 +0200

Hi all,

lately I've been working on a Java Debug Wire Protocol
library in order to exploit it for a few scripts from the
Script Ideas page.

The library itself implements enough functionality to achieve
custom Java bytecode injection and execution, which the following
three scripts leverage:

The jdwp-info script injects the JDWPSystemInfo class, which gathers
information from the remote system. Example output:
-- PORT     STATE SERVICE REASON
-- 2010/tcp open  search  syn-ack
-- | jdwp-info:
-- |   Available processors: 1
-- |   Free memory: 15331736
-- |   File system root: A:\
-- |   Total space (bytes): 0
-- |   Free space (bytes): 0
-- |   File system root: C:\
-- |   Total space (bytes): 42935926784
-- |   Free space (bytes): 29779054592
-- |   File system root: D:\
-- |   Total space (bytes): 0
-- |   Free space (bytes): 0
-- |   Name of the OS: Windows XP
-- |   OS Version : 5.1
-- |   OS patch level : Service Pack 3
-- |   OS Architecture: x86
-- |   Java version: 1.7.0_01
-- |   Username: user
-- |   User home: C:\Documents and Settings\user
-- |_  System time: Sat Aug 11 15:21:44 CEST 2012

The jdwp-exec script injects the JDWPExecCmd Java class, which executes the
custom shell command specified as the "cmd" script argument and returns its
output:
-- PORT     STATE SERVICE REASON
-- 2010/tcp open  search  syn-ack
-- | jdwp-exec:
-- |   date output:
-- |   Sat Aug 11 15:27:21 Central European Daylight Time 2012
-- |_

And finally, jdwp-inject, which allows specifying a custom Java .class file
to inject into a remote JVM. Upon injection the script calls the injected
class's run() method and gets its output. Sample of injecting a simple
"Hello world" class:
-- PORT     STATE SERVICE REASON
-- 2010/tcp open  search  syn-ack
-- | jdwp-inject:
-- |_  Hello world from the remote machine!


Source and compiled classes are in the nselib/data/jdwp-class/ directory.
It also contains a small readme file explaining how to compile them and
how to write your own classes to inject. Find the jdwp-class directory
attached as a jdwp-class zip file.

Many thanks to Michael Schierl, the author of the jdwp-version script,
for his work on javapayload
(http://schierlm.users.sourceforge.net/JavaPayload/),
from which I got the ideas on how to inject class files.

As always, I welcome comments, suggestions and ideas for improvements to
these.


Aleksandar
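The scripts above drive the JDWP wire protocol from the debugger side. As an added example (not part of the original post and not taken from the attached jdwp.lua), here is a small Python parser for the two pieces of the protocol a defender needs to recognise it in captured traffic: the "JDWP-Handshake" string both peers exchange and the fixed 11-byte packet header defined in the JDWP specification. Confirming that a JVM on the network echoes the handshake and answers commands is the check a monitoring team would use to inventory exposed debug ports so they can be closed or bound to localhost. The byte streams at the bottom are constructed sample traffic, not a real capture; the command set names come from the JDWP specification.

```python
import struct

# Both peers send this string before any packet; the target VM echoes it back
# (JDWP specification, "Handshake").
HANDSHAKE = b"JDWP-Handshake"

# Fixed header shared by every JDWP packet (JDWP specification, "Packet Format"):
#   command packet: length(4) id(4) flags(1) command-set(1) command(1)
#   reply packet:   length(4) id(4) flags(1) error-code(2)
HEADER_LEN = 11
FLAG_REPLY = 0x80

# A few command sets from the specification, used only for readable findings.
COMMAND_SETS = {
    1: "VirtualMachine",
    2: "ReferenceType",
    3: "ClassType",
    9: "ObjectReference",
    15: "EventRequest",
}


def is_handshake(segment):
    """True if the segment starts with the JDWP handshake string."""
    return segment.startswith(HANDSHAKE)


def parse_packet(segment):
    """Parse one packet (header plus payload) at the start of `segment`.

    Raises ValueError on malformed or truncated input instead of guessing,
    so a monitor never mis-attributes unrelated traffic to JDWP.
    """
    if len(segment) < HEADER_LEN:
        raise ValueError("short JDWP header")
    length, pkt_id, flags = struct.unpack(">IIB", segment[:9])
    if length < HEADER_LEN:
        raise ValueError("length field smaller than header")
    if length > len(segment):
        raise ValueError("truncated packet")
    pkt = {"length": length, "id": pkt_id, "flags": flags,
           "reply": bool(flags & FLAG_REPLY)}
    if pkt["reply"]:
        (pkt["error_code"],) = struct.unpack(">H", segment[9:11])
    else:
        pkt["command_set"], pkt["command"] = struct.unpack(">BB", segment[9:11])
        pkt["command_set_name"] = COMMAND_SETS.get(pkt["command_set"], "unknown")
    pkt["data"] = segment[HEADER_LEN:length]
    return pkt


def inspect_stream(stream):
    """Walk one direction of a TCP stream: optional handshake, then packets."""
    findings = []
    offset = 0
    if is_handshake(stream):
        findings.append({"handshake": True})
        offset = len(HANDSHAKE)
    while offset < len(stream):
        pkt = parse_packet(stream[offset:])
        findings.append(pkt)
        offset += pkt["length"]
    return findings


def jvm_accepts_debuggers(client_stream, server_stream):
    """A live JDWP listener is confirmed when both sides complete the handshake
    and the server answers a client command with a reply carrying the same id.
    Anything that does not parse as JDWP is reported as not confirmed."""
    try:
        client = inspect_stream(client_stream)
        server = inspect_stream(server_stream)
    except ValueError:
        return False
    if not (client and server and client[0].get("handshake") and server[0].get("handshake")):
        return False
    cmd_ids = {p["id"] for p in client[1:] if not p["reply"]}
    return any(p["reply"] and p["id"] in cmd_ids for p in server[1:])


# Constructed sample traffic (not a real capture): the client sends the
# handshake and a VirtualMachine.Version command (set 1, command 1, id 1);
# the server echoes the handshake and replies to id 1 with error code 0
# and four bytes of payload.
CLIENT_STREAM = HANDSHAKE + struct.pack(">IIBBB", HEADER_LEN, 1, 0, 1, 1)
SERVER_STREAM = (HANDSHAKE
                 + struct.pack(">IIBH", HEADER_LEN + 4, 1, FLAG_REPLY, 0)
                 + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for p in inspect_stream(CLIENT_STREAM) + inspect_stream(SERVER_STREAM):
        print(p)
    print("JVM accepts debugger connections:",
          jvm_accepts_debuggers(CLIENT_STREAM, SERVER_STREAM))
```

The parser deliberately refuses to guess on short or oversized length fields: a JDWP listener is a code-execution path, so a detection that fires on unrelated traffic sharing a port number is worse than none. Feeding real captures through `jvm_accepts_debuggers` per TCP connection gives a simple inventory of JVMs that are actually answering debugger connections.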


Attachments: jdwp-class.zip, jdwp.lua, jdwp-exec.nse, jdwp-info.nse, jdwp-inject.nse


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/