Maven central doesn't do SSL when serving you JARs. Dilettante is a MiTM proxy for exploiting that.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Krakatau @ dc3f882
media
.gitmodules
Dilettante.class
Dilettante.java
README.markdown
dilettante.py
requirements.txt
sad_cat.jpg
screenshot.png

README.markdown

Dilettante

More information on my blog here

It turns out that Maven Central only lets you use SSL if you purchase an authentication token for a donation of $10. They claim this $10 will go to the Apache project, but that's besides the point.

SSL encryption requires a separate authentication token. To see what I mean, try opening http://central.maven.org/maven2/org/springframework/ and https://central.maven.org/maven2/org/springframework/ in your browser. This means that package managers like Clojure's lein, Scala's sbt, and maven itself when not specially configured will download JARs without any SSL.

Dilettante is a man in the middle proxy that injects malicious codes into JARs served by Maven Central.

Usage

  1. Get in a position where you can man-in-the-middle HTTP traffic. Some hints:

    • Buy a wifi router, call it "Starbucks Wifi"
    • Install ettercap
    • Happen to be an ISP
    • Something something
  2. Run dilettante.py

  3. Proxy your target's http traffic through localhost:8080

    • You can do an easy PoC of this by setting the <proxy> setting in ~/.m2/settings.xml

Results

Your victims will get a friendly image when they execute any Java code that uses a JAR that passed through dilettante. screenshot

You can see a video here