“I want to see my code in action”, said a new hire recently, as he awaited his first day at a newly established software development company. “What kind of programs do you normally write, and what kind of source code files do you have?” “C/C++”. The newbie was already a little wary, but when the boss told him that he would need to understand the program better before he could become familiar with its internal “magic”, he was sold.
“A Java Programmer’s worst nightmare” was becoming reality. He had to connect to a remote server, run a program on it, debug it, and, when it was all over, have his source code displayed on the screen. “So, what is this ‘magic’ you speak of?” asked the junior dev.
“A Java Debugger”, came the boss’s reply. “Oh, it’s just a utility for handling error cases in Java applications. What’s your project?” “My latest project: a client-server web application.” “Good deal…let me take a look.”
Before long, the boss took the newly hired junior aside and showed him several figures on his computer screen. On the screen were several hundred labels, each one representing an aspect of the program. There were lines of code, functions, modules, and class files. Among these items, he looked like a child inspecting the insides of his favorite toy. “You can do this for yourself”, said the boss, pointing to a Metasploit module.
The next step? Just follow the protocol! This was the day that Tomcat changed his name to Tomcray and learned to love the protocol. From then on, he spent the next three years learning everything he could about Java, and, when he got tired, got back to his computer and programmed source code by hand.
At some point, Tomcray the Java programmer decided he’d like to try his hand at Java application penetration. So, he went to Google’s website and began searching for an open-source project called MIRI, or Multi-it project. (MIRI stands for Middle-Internet Response Interface). A quick search returned a lot of MIRI-related projects, including Metasploit, which looked like an ideal candidate. The project manager, however, was not impressed. He told Tomcray, “I think MIRI is a good tool for testing Java applications, but I don’t see how we could use it to gain access to the source code of a competing product.”
Tomcray then went home and began working on his next project, a simple WinINET application which was used in conjunction with a commercial VoIP service. Again, he found himself at a loss because of the lack of source code. The next thing to do was to trace the path from the breakpoint to the payload. During the process of tracing the command line, Tomcray hit pay dirt: a Java debug print statement! He quickly realized the command was being debugged because of a mismatch in the parameters received back by the telnet server and the Java applet.
The next thing to do was to reproduce the command and set the right parameters for the telnet session. Then he created a number of test cases and ran each one in the default Java debugging mode. In two weeks he had successfully written the first Java applet and was ready to submit it to the web server. Unfortunately, the next week a group of six hackers from France visiting the same workplace saw Tomcray’s Java applet and decided they wanted to try it. Tomcray waited until his colleagues left to get his submission in before calling an audible and sending the file to the web team.