JarPlant: Java archive implant toolkit
Inject malicious payloads into JAR files.
Configuration
JarPlant supports injection of custom values with the implants. A set of common configuration properties is defined with the template and built-in implants. These are:
| Configuration property | Data type | Description | Default value |
|---|---|---|---|
| CONF_JVM_MARKER_PROP | String | JVM system property to create and use as a “marker” to determine if an implant has been detonated in this JVM. | java.class.init |
| CONF_BLOCK_JVM_SHUTDOWN | boolean | Controls whether the implant’s thread will block the JVM from fully exiting until the implant is done. | false |
| CONF_DELAY_MS | int | Optional delay (in milliseconds) before the implant payload will detonate. | 0 |
See the ClassImplant template Javadoc for more info on these properties.
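A defender-side check that follows from the table above, as an added example that is not part of JarPlant: because a detonated implant creates the CONF_JVM_MARKER_PROP system property, its default name java.class.init can be searched for in running JVMs with the JDK's jcmd. The function names and the sample output are constructed for illustration, and the check assumes the default marker name was not changed.

```shell
#!/bin/sh
# Added example (not JarPlant code): look for the default implant marker
# property in the system properties of locally running JVMs.

# Default CONF_JVM_MARKER_PROP from the table above. An operator can rename
# it, so a miss here does not prove a JVM is clean.
MARKER_PROP="java.class.init"

# has_marker: reads `jcmd <pid> VM.system_properties` output on stdin and
# succeeds only if MARKER_PROP appears as a property key (not inside a value).
has_marker() {
    # Escape dots so the key cannot match e.g. "javaXclass.init".
    key_re=$(printf '%s' "$MARKER_PROP" | sed 's/[.]/\\./g')
    grep -Eq "^${key_re}[[:space:]]*[=:]"
}

# scan_jvms: prints the PID and main class of every JVM with the marker set.
# Needs a JDK (jcmd) and must run as the user that owns the target JVMs.
scan_jvms() {
    jcmd -l | while read -r pid main_class; do
        case "$main_class" in *JCmd*) continue ;; esac   # skip jcmd itself
        if jcmd "$pid" VM.system_properties 2>/dev/null | has_marker; then
            printf 'marker %s set in JVM %s (%s)\n' \
                "$MARKER_PROP" "$pid" "$main_class"
        fi
    done
}

# Constructed sample of jcmd output for checking has_marker offline.
# The marker's value ("true") is made up; only the key name is from the page.
sample_hit='4242:
#Mon Jan 01 00:00:00 UTC 2024
java.class.path=/opt/app/app.jar
java.class.init=true
java.vm.name=OpenJDK 64-Bit Server VM'

# Run the live scan only when asked: sh check_marker.sh scan
if [ "${1:-}" = "scan" ]; then scan_jvms; fi
```

A hit is a lead for reviewing the JARs on that JVM's classpath, not a verdict on its own.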
Blocking the JVM exit
Be extra careful with the CONF_BLOCK_JVM_SHUTDOWN property. If this is set to true, then the JVM will wait for your payload to finish its execution. If your payload takes a long time, then the spiked app will fail to exit properly. It’s not recommended to set a non-zero CONF_DELAY_MS value together with CONF_BLOCK_JVM_SHUTDOWN=true.
If you’ve injected an implant into an app that exits very quickly, then your payload may not get enough time to execute if CONF_BLOCK_JVM_SHUTDOWN is set to false (which is the default setting).
As a general rule of thumb, only set CONF_BLOCK_JVM_SHUTDOWN to true if your implant is quick to execute and/or it’s absolutely essential that it must finish.
For any target apps that take some time to run (like a back-end service), there should be plenty of time for your implant to do its thing with CONF_BLOCK_JVM_SHUTDOWN set to its default value of false.

Quickly implement a custom implant
For a one-off in a rush, the simplest and fastest way of getting your own custom Java code into a target JAR is to:
- Clone this code repository.
- Modify the payload() method inside ClassImplant.java with your own code.
- Build JarPlant: mvn clean package.
- Run the CLI. See the “Quick grabs” section above.
Alternatively, if you’re spiking a Spring app: Modify the SpringComponentImplant.java (and maybe the SpringConfigurationImplant.java) and use the spring-injector CLI accordingly.
Install & Use