Managed Code Rootlets (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn’t new, practical tools for developing MCRs don’t currently exist. Ere Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the way for MCRs, but the tool requires the attacker to have knowledge of intermediate languages, does not support other runtimes, and is no longer maintained. Worse yet, the ‘write once, run anywhere’ motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform.
This talk debuts a free and open source tool called JReFrameworker aimed at solving the aforementioned challenges of developing attack code for the Java runtime while lowering the bar so that anyone with rudimentary knowledge of Java can develop a managed code rootlet. With Java being StackOverflow’s most popular server side language of 2015 the Java runtime environment is a prime target for exploitation. JReFrameworker is an Eclipse plugin that allows an attacker to write simple Java source to develop, debug, and automatically modify the runtime. Best of all, working at the intended abstraction level of source code allows the attacker to ‘write once, exploit anywhere’. When the messy details of developing attack code are removed from the picture the attacker can let his creativity flow to develop some truly evil attacks, which is just what this talk aims to explore.
Ben Holland is a PhD student at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA’s Automated Program Analysis for Cybersecurity (APAC) program. He’s lectured on security topics for university courses in program analysis and operating system principles. Ben has given multiple talks at professional clubs as well as security and academic conferences. His past work experience has been in research at Iowa State University, mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. Ben holds a M.S. degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA’s Space/Time Analysis for Cybersecurity (STAC) program.