
java.text.SimpleDateFormat Injection Possible?

  1. #1
    SBTlauien African Astronaut
    Would it be possible to inject some kind of string into the function in this small program to take control of the program?


    import java.text.ParseException;
    import java.text.SimpleDateFormat;
    import java.util.Date;
    import java.util.Scanner;

    public class DateIt {

        public static void main(String[] args) {
            Scanner reader = new Scanner(System.in);
            System.out.print("Enter a date: ");
            // Untrusted input read from stdin
            String currentDate = reader.nextLine();
            currentDate = aFunction(currentDate);
            System.out.println(currentDate);
            reader.close();
        }

        // Parses theDate as MM/dd/yyyy and returns Date.toString() of the result
        private static String aFunction(String theDate) {
            Date dateToString = null;
            try {
                SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
                dateToString = format.parse(theDate);
            } catch (ParseException e) {
                e.printStackTrace();
            }
            // dateToString is still null here if parsing failed, so this line
            // then throws NullPointerException
            return dateToString.toString();
        }

    }
  2. #2
    Lanny Bird of Courage
    You'd have to read the source to be sure but it seems unlikely. Buffer overflow attacks shouldn't be possible since array access in the JVM is checked and I can't imagine any good reason for anything to be eval'd (in shitty implementations you might find people evaling numbers instead of using parseInt or whatever but hopefully not in the standard library).
  3. #3
    -SpectraL coward [the spuriously bluish-lilac bushman]
    You have to convert the executable you want to inject into an alternate format the browser can parse and then embed it directly into a standalone script in such a way that other active, but benign, elements of the script are able to rebuild the obfuscated executable code back into machine readable executable code into the target's temp file folder and execute it from there in such a way that it calls home with the IP once the trojan opens the server port.
  4. #4
    Lanny Bird of Courage
    Fuck off spectroll, as usual what you posted has absolutely nothing to do with OP.
  5. #5
    Lanny Bird of Courage
    Also nothing screams shitty Indian programmer like


    try {
        ...
    } catch (Exception e) {
        e.printStackTrace();
    }


    Every time I see this in production code I want to slap a bitch.
  6. #6
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Fuck off spectroll, as usual what you posted has absolutely nothing to do with OP.

    You have no real idea what you're dealing with here, son. I'm extremely dangerous when I need to be.
  7. #7
    Lanny Bird of Courage
    Whatever you think you are, you're a dumbshit right here and now.
  8. #8
    Sophie Pedophile Tech Support
    Anyway guise, I've been slacking on the programming lately. I have two unfinished projects, but one is really tedious, boring, repetitive shit when it comes to the code; the other is very hard, for me at least. I've been putting it off in favor of drug binges.
  9. #9
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Whatever you think you are, you're a dumbshit right here and now.

    The first thing you would do is convert the binary into ASCII text format. ie: $ /usr/bin/exe2hex -x /usr/share/windows-binaries/imatrojan.exe. Now, does that sound like something a "dumbshit" would do? I mean, really.
  10. #10
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Interesting reading...

    https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf
    http://phrack.org/issues/62/7.html
    https://github.com/g0tmi1k/exe2hex/blob/master/README.md
  11. #11
    Sophie Pedophile Tech Support
    The first thing you would do is convert the binary into ASCII text format. ie: $ /usr/bin/exe2hex -x /usr/share/windows-binaries/imatrojan.exe. Now, does that sound like something a "dumbshit" would do? I mean, really.

    exe2hex is only useful in transferring binaries through a shell. Say you're in a system and wget and curl are commands unavailable because of the permissions, it's over 9000 times easier to echo ASCII than binary data. Once there you restore it, chmod +x, execute and boom root. If you're lucky.

    Also no one is talking about injecting executables, SBT wants to inject a string into a part of a function. Where the end goal would be to get the program to do what you want it to do.
  12. #12
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Also no one is talking about injecting executables, SBT wants to inject a string into a part of a function. Where the end goal would be to get the program to do what you want it to do.

    Kind of like milking a cow in Milk Lake. I get you.
  13. #13
    Sophie Pedophile Tech Support
    I get you.

    No, you absolutely don't.
  14. #14
    -SpectraL coward [the spuriously bluish-lilac bushman]
    exe2hex is only useful in transferring binaries through a shell. …

    Inline binary transfers can also be accomplished through the use of crafted browser scripts.
  15. #15
    SBTlauien African Astronaut
    Also nothing screams shitty Indian programmer like


    try {
        ...
    } catch (Exception e) {
        e.printStackTrace();
    }


    Every time I see this in production code I want to slap a bitch.

    Normally I would do something else within a catch clause, but this is just a quick program I made specifically for this task/question. I'm the biggest Indian.

    Also no one is talking about injecting executables, SBT wants to inject a string into a part of a function. Where the end goal would be to get the program to do what you want it to do.

    Exactly.

    Looks like I'll have to look through the source a bit more...
  16. #16
    Lanny Bird of Courage
    The first thing you would do is convert the binary into ASCII text format. ie: $ /usr/bin/exe2hex -x /usr/share/windows-binaries/imatrojan.exe. Now, does that sound like something a "dumbshit" would do? I mean, really.


    Yes, it does, especially considering the question in OP you're supposedly responding to. How do you propose to get your giant hex string executed? It's being fed into a date parser, in a language where everything is allocated on the heap and array access is checked. Whatever you feed it, it's not going to get executed, it's just going to throw a parse exception and that'll be the end of it.
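Added example, not code from any poster in this thread: with the fixed "MM/dd/yyyy" pattern from the original post, SimpleDateFormat only ever handles the input as data, so the practical concern is loose validation. By default it is lenient and does not require the whole string to be consumed. The class name, helper names and sample inputs below are constructed for illustration.

```java
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;

public class StrictDateDemo {

    // Same pattern as the original post; lenient parsing is the default.
    // parse(String, ParsePosition) returns null on failure instead of throwing.
    static Date lenientParse(String s) {
        return new SimpleDateFormat("MM/dd/yyyy").parse(s, new ParsePosition(0));
    }

    // Hardened variant: reject out-of-range fields and unconsumed trailing text.
    static Date strictParse(String s) {
        SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
        format.setLenient(false);
        ParsePosition pos = new ParsePosition(0);
        Date d = format.parse(s, pos);
        if (d == null || pos.getIndex() != s.length()) {
            return null; // caller must handle the rejected input explicitly
        }
        return d;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] inputs = {
            "02/28/2015",               // well-formed date
            "13/45/2015",               // month 13, day 45: lenient mode rolls it over
            "02/28/2015 trailing text", // valid prefix, rest silently ignored by default
            "not a date",               // fails in both modes
        };
        for (String in : inputs) {
            System.out.printf("%-26s lenient=%-5s strict=%s%n",
                    in, lenientParse(in) != null, strictParse(in) != null);
        }
    }
}
```

Only the first input passes the strict check; the lenient parser also accepts the second and third.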
  17. #17
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Yes, it does, especially considering the question in OP you're supposedly responding to. How do you propose to get your giant hex string executed? It's being fed into a date parser, in a language where everything is allocated on the heap and array access is checked. Whatever you feed it, it's not going to get executed, it's just going to throw a parse exception and that'll be the end of it.

    Special compiler directive? GCC-Inline-Assembly?

  18. #18
    Lanny Bird of Courage
    Special compiler directive? GCC-Inline-Assembly?


    It's Java you dumbshit, there is no preprocessor, no compiler directives.
  19. #19
    -SpectraL coward [the spuriously bluish-lilac bushman]
    It's Java you dumbshit, there is no preprocessor, no compiler directives.

    C'mon, Lanny. You know as well as I that useless, off-topic garbage is totally acceptable in a discussion forum. Remember zoklet? When you snickered and laughed whenever the kidiots shat up a great discussion thread with witty attention-whoring and worthless content? It sure was fun and games then, wasn't it? And now here you are just so serious and all! I suppose it's only when it's a topic you are personally interested in that it really matters, and then things need to get totally serious, but hey... serious discussion is my specialty! No need to thank me now.
  20. #20
    Sophie Pedophile Tech Support
    C'mon, Lanny. You know as well as I that useless, off-topic garbage is totally acceptable in a discussion forum. Remember zoklet? When you snickered and laughed whenever the kidiots shat up a great discussion thread with witty attention-whoring and worthless content? It sure was fun and games then, wasn't it? And now here you are just so serious and all! I suppose it's only when it's a topic you are personally interested in that it really matters, and then things need to get totally serious, but hey… serious discussion is my specialty! No need to thank me now.
