Burp Plugin Development for Java n00bs - 44CON 2012
1. Burp Plugin Development for Java n00bs
44Con 2012
www.7elements.co.uk | blog.7elements.co.uk | @7elements
2. /me
• Marc Wickenden
• Principal Security Consultant at 7 Elements
• Love coding (particularly Ruby)
• @marcwickenden on the Twitterz
• Most importantly though…..
4. If you already know Java
You’re either:
• In the wrong room
• About to be really offended!
5. Agenda
• The problem
• Getting ready
• Introduction to the Eclipse IDE
• Burp Extender Hello World!
• Manipulating runtime data
• Decoding a custom encoding scheme
• “Shelling out” to other scripts
• Limitations of Burp Extender
• Really cool Burp plugins already out there to fire your imagination
8. The problem
• Burp Suite is awesome
• De facto web app tool
• Open source alternatives don’t compare IMHO
• Tools available/cohesion/protocol support
• Burp Extender
11. How? - Burp Extender
• “allows third-party developers to extend the functionality of Burp Suite”
• “Extensions can read and modify Burp’s runtime data and configuration”
• “initiate key actions”
• “extend Burp’s user interface”
http://portswigger.net/burp/extender/
13. Java 101
• Java source is compiled to bytecode (class file)
• Runs on Java Virtual Machine (JVM)
• Class-based
• OO
• Write once, run anywhere (WORA)
• Two distributions: JRE and JDK
14. Java 101 continued…
• Usual OO stuff applies: objects, classes, methods, properties/variables
• Lines end with ;
15. Java 101 continued…
• Source files must be named after the public class they contain
• public keyword denotes method can be called from code in other classes or outside class hierarchy
16. Java 101 continued…
• class hierarchy defined by directory structure:
  • uk.co.sevenelements.HelloWorld = uk/co/sevenelements/HelloWorld.class
• JAR file is essentially ZIP file of classes/directories
17. Java 101 continued…
• void keyword indicates method will not return data to the caller
• main method called by Java launcher to pass control to the program
• main must accept array of String objects (args)
18. Java 101 continued…
• Java loads class (specified on CLI or in JAR META-INF/MANIFEST.MF) and starts public static void main method
• You’ve seen this already with Burp:
  • java -jar burpsuite_pro_v1.4.12.jar
22. First we need some tools
• Eclipse IDE – de facto free dev tool for Java
• Not necessarily the best or easiest thing to use
• Alternatives to consider:
  • Jet Brains IntelliJ (my personal favourite)
  • NetBeans (never used)
  • JCreator (again, never used)
  • Terminal/vim/javac < MOAR L33T
25. Java JDK
• Used to be bundled with Eclipse
• Due to licensing (I think) this is no longer the case
• Grab from Sun Oracle’s website:
  • http://download.oracle.com/otn-pub/java/jdk/7u7-b11/jdk-7u7-windows-x64.exe?AuthParam=1347522941_2b61ee3cd1f38a0abd1be312c3990fe5
27. Create a Java Project
• File > New > Java Project
• Project Name: Burp Hello World!
• Leave everything else as default
• Click Next
28.
29. Java Settings
• Click on Libraries tab
• Add External JARs
• Select your burpsuite.jar
• Click Finish
30. Create a new package
• File > New > Package
• Enter burp as the name
• Click Finish
31. Create a new file
• Right-click burp package > New > File
• Accept the default location of src
• Enter BurpExtender.java as the filename
• Click Finish
34. Loading external classes
• We need to tell Java about external classes
• Ruby has require
• PHP has include or require
• Perl has require
• C has include
• Java uses import
35. Where is Burp?
• We added external JARs in Eclipse
• Only helps at compilation
• Need to tell our code about classes
• import burp.*;
36. IBurpExtender
• Available at http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “Implementations must be called BurpExtender, in the package burp, must be declared public, and must provide a default (public, no-argument) constructor”
37. In other words
    public class BurpExtender
    {
    }
• Remember, Java makes you name files after the class so that’s why we named it BurpExtender.java
38. Add this
    package burp;

    import burp.*;

    public class BurpExtender
    {
        // Burp invokes this whenever any of its tools makes a request or receives a response
        public void processHttpMessage(
                String toolName,
                boolean messageIsRequest,
                IHttpRequestResponse messageInfo) throws Exception
        {
            System.out.println("Hello World!");
        }
    }
39. Run the program
• Run > Run
• First time we do this it’ll ask what to run as
• Select Java Application
45. What’s happening?
• Why is it spamming “Hello World!” to the console?
• We defined processHttpMessage()
• http://portswigger.net/burp/extender/burp/IBurpExtender.html
• “This method is invoked whenever any of Burp's tools makes an HTTP request or receives a response”
47. Diagram labels: RepeatAfterMeClient.exe, processProxyMessage, processHttpMessage, Burp Suite, http://wc•ox/RepeaterService.svc
48.
49. We’ve got to do a few things
• Split the HTTP Headers from FI body
• Decode FI body
• Display in Burp
• Re-encode modified version
• Append to headers
• Send to web server
• Then the same in reverse
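The steps above, as an added example that is not from the slides: it splits a raw HTTP message at the blank line, runs the body through a codec, and rebuilds the message with a corrected Content-Length. The class and method names are hypothetical, Base64 stands in for the Fast Infoset codec so the block needs no external JAR, and the message is assumed to be Content-Length delimited (no chunked encoding).

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.function.UnaryOperator;

// Added example (hypothetical names): header/body split and rebuild for a raw HTTP message.
public class MessageRewriter {
    // Index of the first body byte (just past CRLF CRLF), or -1 if no header terminator exists.
    static int bodyOffset(byte[] msg) {
        for (int i = 0; i + 3 < msg.length; i++) {
            if (msg[i] == '\r' && msg[i + 1] == '\n' && msg[i + 2] == '\r' && msg[i + 3] == '\n') {
                return i + 4;
            }
        }
        return -1;
    }

    // Apply a body transform and return a message whose Content-Length matches the new body.
    static byte[] rewriteBody(byte[] msg, UnaryOperator<byte[]> transform) {
        int off = bodyOffset(msg);
        if (off < 0) return msg; // malformed or header-only message: pass through untouched
        // ISO-8859-1 maps bytes 1:1 to chars, so header bytes survive the round trip.
        String head = new String(msg, 0, off - 4, StandardCharsets.ISO_8859_1);
        byte[] body = transform.apply(Arrays.copyOfRange(msg, off, msg.length));
        StringBuilder out = new StringBuilder();
        for (String line : head.split("\r\n")) {
            if (line.regionMatches(true, 0, "Content-Length:", 0, 15)) {
                line = "Content-Length: " + body.length; // stale length would truncate or hang
            }
            out.append(line).append("\r\n");
        }
        out.append("\r\n");
        byte[] h = out.toString().getBytes(StandardCharsets.ISO_8859_1);
        byte[] result = Arrays.copyOf(h, h.length + body.length);
        System.arraycopy(body, 0, result, h.length, body.length);
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample request; Base64 is a stand-in for the Fast Infoset body encoding.
        byte[] wire = ("POST /RepeaterService.svc HTTP/1.1\r\nHost: example.test\r\n"
                + "Content-Length: 8\r\n\r\naGVsbG8h").getBytes(StandardCharsets.ISO_8859_1);
        byte[] decoded = rewriteBody(wire, b -> Base64.getDecoder().decode(b));
        byte[] reencoded = rewriteBody(decoded, b -> Base64.getEncoder().encode(b));
        System.out.println(new String(decoded, StandardCharsets.ISO_8859_1));
        System.out.println("round trip identical: " + Arrays.equals(wire, reencoded));
    }
}
```

In a plugin, the decode direction would feed what is displayed in Burp and the encode direction would run just before the message is sent on.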
50.
51. • Right-click Project > Build Path > Add External Archives
• Select FastInfoset.jar
• Note that imports are now yellow
61. Running outside of Eclipse
• Plugin is working nicely, now what?
• Export to JAR
• Command line to run is:
  • java -classpath yourjar.jar;burp_pro_v1.4.12.jar burp.StartBurp
62. Limitations
• We haven’t coded to handle/decode the response
  • Just do the same in reverse
• processHttpMessage fires before processProxyMessage so we can’t alter then re-encode message
• Solution: chain two Burp instances together
63. Attribution
• All lolcatz courtesy of lolcats.com
• No cats were harmed in the making of this workshop
• Though some keyboards were….