Dilettante

More information on my blog here

It turns out that Maven Central only lets you use SSL if you purchase an authentication token for a donation of $10. They claim this $10 will go to the Apache project, but that's beside the point.

SSL encryption requires a separate authentication token. To see what I mean, try opening http://central.maven.org/maven2/org/springframework/ and https://central.maven.org/maven2/org/springframework/ in your browser. This means that package managers like Clojure's lein, Scala's sbt, and Maven itself, when not specially configured, will download JARs without any SSL.

Dilettante is a man-in-the-middle proxy that injects malicious code into JARs served by Maven Central.

Usage

  1. Get in a position where you can man-in-the-middle HTTP traffic. Some hints:

    • Buy a wifi router, call it "Starbucks Wifi"
    • Install ettercap
    • Happen to be an ISP
    • Something something
  2. Run dilettante.py

  3. Proxy your target's HTTP traffic through localhost:8080

    • You can do an easy PoC of this by setting the <proxy> setting in ~/.m2/settings.xml
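
The exposure described above can be checked from the build host. The following added example (not part of Dilettante; the function name `audit_maven_xml` and the sample file are constructed for illustration) lists repositories and mirrors declared with `http://` URLs, plus any active `<proxy>` entry, in a Maven `settings.xml` or `pom.xml`:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample settings.xml. Only the central.maven.org URL and
# localhost:8080 come from the page; the other values are placeholders.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>central-http</id><mirrorOf>central</mirrorOf>
      <url>http://central.maven.org/maven2</url></mirror>
    <mirror><id>internal</id><mirrorOf>*</mirrorOf>
      <url>https://repo.example.internal/maven2</url></mirror>
  </mirrors>
  <proxies>
    <proxy><id>poc</id><active>true</active><protocol>http</protocol>
      <host>localhost</host><port>8080</port></proxy>
  </proxies>
</settings>"""

REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

def _local(tag):
    """Strip the XML namespace so POMs and settings files match alike."""
    return tag.rsplit("}", 1)[-1]

def audit_maven_xml(xml_text):
    """Return (kind, id, detail) for cleartext repositories and active proxies."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = _local(el.tag)
        # Direct children only: <id>, <url>, <host>, <port>, <active>, ...
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind in REPO_TAGS:
            url = fields.get("url", "")
            if urlparse(url).scheme.lower() == "http":
                findings.append((kind, fields.get("id"), url))
        elif kind == "proxy" and fields.get("active", "true").lower() != "false":
            # Any active proxy sees every artifact request; report it for review.
            detail = "{}:{}".format(fields.get("host"), fields.get("port"))
            findings.append((kind, fields.get("id"), detail))
    return findings

if __name__ == "__main__":
    for kind, ident, detail in audit_maven_xml(SAMPLE_SETTINGS):
        print(f"{kind:8} id={ident} -> {detail}")
```

A clean result only covers what the files declare; it says nothing about the build tool's built-in default repository, which, as noted above, is fetched without SSL unless specially configured.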

Results

Your victims will get a friendly image when they execute any Java code that uses a JAR that passed through dilettante. (screenshot)

You can see a video here

About

Maven Central doesn't do SSL when serving you JARs. Dilettante is a MiTM proxy for exploiting that.
