Monthly Archives: March 2017

Set Environment Variables in Memory (JAVA)

Potentially evil snippet of code that could help me solve a long-standing problem that I encountered in developing one simple JAVA based exploit. Posting it here for further investigation when I have the time!

import java.lang.reflect.Field;
import java.util.Collections;
import java.util.Map;

// Rewrites the JVM's cached copy of the process environment through reflection.
// Nothing changes at the OS level; only what System.getenv() returns from now on
// (and therefore what child processes started via ProcessBuilder without an
// explicit environment inherit). On Java 9+ the setAccessible() calls throw
// InaccessibleObjectException unless the JVM is started with
// --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED;
// that exception is swallowed by the generic catch blocks below.
@SuppressWarnings("unchecked")
protected static void setEnv(Map<String, String> newenv)
{
    try
    {
        // Windows: ProcessEnvironment keeps both a plain and a case-insensitive map.
        Class<?> processEnvironmentClass = Class.forName("java.lang.ProcessEnvironment");
        Field theEnvironmentField = processEnvironmentClass.getDeclaredField("theEnvironment");
        theEnvironmentField.setAccessible(true);
        Map<String, String> env = (Map<String, String>) theEnvironmentField.get(null);
        env.putAll(newenv);
        Field theCaseInsensitiveEnvironmentField = processEnvironmentClass.getDeclaredField("theCaseInsensitiveEnvironment");
        theCaseInsensitiveEnvironmentField.setAccessible(true);
        Map<String, String> cienv = (Map<String, String>) theCaseInsensitiveEnvironmentField.get(null);
        cienv.putAll(newenv);
    }
    catch (NoSuchFieldException e)
    {
        // Unix: theCaseInsensitiveEnvironment does not exist, so unwrap the
        // unmodifiable map returned by System.getenv() and replace its contents.
        try {
            Class<?>[] classes = Collections.class.getDeclaredClasses();
            Map<String, String> env = System.getenv();
            for (Class<?> cl : classes) {
                if ("java.util.Collections$UnmodifiableMap".equals(cl.getName())) {
                    Field field = cl.getDeclaredField("m");   // the wrapped backing map
                    field.setAccessible(true);
                    Object obj = field.get(env);
                    Map<String, String> map = (Map<String, String>) obj;
                    map.clear();
                    map.putAll(newenv);
                }
            }
        } catch (Exception e2) {
            e2.printStackTrace();
        }
    } catch (Exception e1) {
        e1.printStackTrace();
    }
}
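A defender-side check for this technique, added here as an example and not part of the original post: on Linux, /proc/self/environ holds the environment block the kernel handed the process at exec, which neither the reflective rewrite above nor a native setenv() updates, so diffing it against System.getenv() exposes in-process tampering. The class name EnvTamperCheck and its method names are my own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.HashMap;
import java.util.Map;
// Linux only: /proc/self/environ is the NUL-separated KEY=VALUE block the
// kernel gave this process at exec. In-process changes (reflection on the
// JVM's cached maps, or setenv()) never reach it, so it is a tamper-evident baseline.
public final class EnvTamperCheck {
    // Parse the raw /proc/self/environ bytes into a map.
    static Map<String, String> parseEnviron(byte[] raw) {
        Map<String, String> out = new HashMap<>();
        for (String entry : new String(raw, StandardCharsets.UTF_8).split("\0")) {
            int eq = entry.indexOf('=');
            if (eq > 0) {                      // skips the empty trailing entry
                out.put(entry.substring(0, eq), entry.substring(eq + 1));
            }
        }
        return out;
    }
    // Keys whose value differs between the JVM view and the kernel baseline,
    // plus keys present in only one of them. An empty map means no tampering seen.
    static Map<String, String> diff(Map<String, String> jvm, Map<String, String> kernel) {
        Map<String, String> mismatches = new HashMap<>();
        for (Map.Entry<String, String> e : jvm.entrySet()) {
            if (!e.getValue().equals(kernel.get(e.getKey()))) {
                mismatches.put(e.getKey(), "jvm=" + e.getValue() + " kernel=" + kernel.get(e.getKey()));
            }
        }
        for (String k : kernel.keySet()) {
            if (!jvm.containsKey(k)) {
                mismatches.put(k, "removed from JVM view");
            }
        }
        return mismatches;
    }
    public static void main(String[] args) throws IOException {
        Path environ = Paths.get("/proc/self/environ");
        if (!Files.isReadable(environ)) {
            System.out.println("no /proc/self/environ; this check only works on Linux");
            return;
        }
        Map<String, String> tampered = diff(System.getenv(), parseEnviron(Files.readAllBytes(environ)));
        tampered.forEach((k, v) -> System.out.println("env mismatch: " + k + " (" + v + ")"));
        System.out.println(tampered.isEmpty() ? "environment consistent" : tampered.size() + " mismatch(es)");
    }
}
```

Run it once before and once after calling setEnv() in the same process to see the mismatches appear.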

Virtual Wireless Access Point with VPN on DD-WRT

I have received many requests for more in-depth information on the post that I had on flashing DD-WRT and setting up a virtual AP that has traffic automatically tunnelled via a VPN service such as OpenVPN. I have recently flashed an Asus RT-68U router and have recorded the exact steps taken to do so (in the likely event I end up forgetting). If you have a different router make and model, the goal would be to research how to flash DDWRT on it and then follow step 2 in the later part of this post.

Step 1 – Flashing DDWRT on Asus RT-68U:

– Asus RT-68U on stock “Merlin” firmware, proceed to clear NVRAM via telnet:
– Enable Telnet by going to Advanced Settings -> Administration -> System -> Enable Telnet
– telnet 192.168.1.1 (or whatever is your router’s IP)

Run commands:

mtd-erase2 nvram;
reboot;

– Flash asus_rt-ac68u-firmware_30709.trx (Brainslayer build)
– Reboot the router
– Navigate to Administration -> Commands tab and run:

erase nvram; reboot;

– Flash dd-wrt.v24-K3_AC_ARM_STD.bin (Kong build) via Administration -> Firmware Upgrade Tab (set to factory)
– Reboot the router

Step 2 – Setting up Virtual Wireless AP with VPN Tunneling on DD-WRT:

On page: Setup -> Basic tab:
– (Optional) Rename router to whatever you want
– Set local IP of router 192.168.1.x (or whatever class A IP address you defined)
– Subnet mask 255.255.255.0 (depends on your network)
– Gateway 192.168.1.1 (or whatever your bridged router’s IP is, if bridging to ISP’s router)
– Local DNS 8.8.8.8
– (Optional) Set start IP address from e.g. 190
– Enable DHCP server
– Set static DNS1 to 8.8.8.8 and static DNS2 to 8.8.4.4
– Enable “Use DNSMasq for DHCP”
– Enable DNSMasq for DNS
– Enable NTP server (e.g. asia.pool.ntp.org or whatever timezone you are in)

Navigate to Wireless -> Basic settings tab:
– Add a virtual AP (with AP name etc)
– Enable optimize multicast traffic option and bridged mode
– Save and reboot the router

Navigate to Setup -> Networking tab:
– Add bridges br0 and br1
– Reboot
– Assign br0 to eth1 interface prio 63
– Assign br1 to wl1.1 interface prio 63
– Save and reboot the router
– The bridging table should show:

Bridge  STP  Interfaces
br0     no   vlan1 eth1 eth2
br1     no   wl1.1

Navigate to Setup -> Networking tab:
– Scroll down to the br1 interface
– Enable masquerade / NAT, make sure the other options are disabled
– Add a subnet ip address you want this bridge to have e.g. 10.13.37.1 with subnet mask 255.255.255.0
– Save and reboot the router

Navigate to Setup -> Networking tab:
– Scroll down to DHCPD
– Enable DHCP0 for br1, e.g. (ON, start 100, max 50, lease time 3600)
– Save and reboot the router

Navigate to Services -> VPN tab:
– Scroll down to OpenVPN client and enable it
– Enter your OpenVPN server details (steps to setup OpenVPN server at bottom of post)
– Set tunnel device to TUN
– Set tunnel protocol to UDP
– Set encryption to Blowfish CBC
– Set hash algorithm to SHA1
– Enable user pass authentication if required and add the OpenVPN username and password
– Enable advanced options
– Set TLS ciphers to none
– Set LZO compression to yes
– Enable NAT
– Set firewall protection to disabled
– Leave IP address and subnet mask fields empty
– Set tunnel MTU setting to 1500
– Leave UDP fragment field empty
– Set UDP MSS-Fix to disabled
– Enable nsCertType verification
– Export your openvpn.ovpn profile from your OpenVPN server (open the .ovpn file in a text editor; see Step 3 near the end of this post)
– Put the TLS auth key portion in the TLS Auth Key field
– Fields: add config, policy based routing, pkcs12, static key, all set to blank
– Place your CA cert in the CA Cert field
– Place your public client cert in the Public Cert field
– Place your private client key in the Private Key field
– Save and reboot the router

Navigate to Administration -> Commands tab and add the following as a startup script:

Start up script:

sleep 220                                                            # allow enough time for NTP to set the clock before OpenVPN starts
tun_name=$(ifconfig | sed -n 's/.*\(tun[^ ]\).*/\1/p')               # name of the tunnel device, e.g. tun0 (single-character suffix)
tun_addr=$(ifconfig $tun_name | sed -nr 's/.*P-t-P:([^ ]+) .*/\1/p') # peer (P-t-P) address of the tunnel
ip rule add from 10.13.37.0/24 table 200                             # policy-route the br1 subnet (adjust to yours) via table 200
ip route add default via $tun_addr dev $tun_name table 200           # table 200 holds a single default route through the tunnel
ip route flush cache

– Reboot and make sure NTP updates the router time; if it does not, the TLS negotiation with the OpenVPN server will fail, because certificate validity is checked against the router clock. A workaround is to reboot the router so that NTP attempts an update again.
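The startup script above puts only the tunnel route into table 200, so when OpenVPN drops, the lookup falls through to the main table and the guest subnet's traffic leaves unencrypted via the WAN. A hardened variant, written here as an added example (not the original post's script) and assuming the router's `ip` accepts the `unreachable` route type as full iproute2 does:

```shell
#!/bin/sh
# Hardened variant of the startup script above (added example, not from the
# original post). It waits for the tun device instead of sleeping a fixed time
# and adds an "unreachable" fallback to table 200 so traffic from the guest
# subnet is dropped, not sent out the WAN, whenever the tunnel route is absent.
GUEST_NET="${GUEST_NET:-10.13.37.0/24}"   # the br1 subnet used in the post
TABLE=200

# First tunN device name from `ifconfig` output.
tun_name_from_ifconfig() { sed -n 's/^\(tun[0-9]*\).*/\1/p' | head -n 1; }

# Point-to-point peer address from `ifconfig tunN` output.
tun_peer_from_ifconfig() { sed -n 's/.*P-t-P:\([^ ]*\).*/\1/p' | head -n 1; }

# Poll for up to $1 seconds until a tun device exists; prints its name.
wait_for_tun() {
    i=0
    while [ "$i" -lt "$1" ]; do
        name=$(ifconfig | tun_name_from_ifconfig)
        [ -n "$name" ] && { echo "$name"; return 0; }
        i=$((i + 5)); sleep 5
    done
    return 1
}

# Routing commands for tun name $1 and peer $2. The unreachable route has a
# worse metric than the tunnel route, so it only wins once the tunnel is gone;
# without it the lookup would fall through to the main table (and the WAN).
route_commands() {
    printf 'ip rule add from %s table %s\n' "$GUEST_NET" "$TABLE"
    printf 'ip route add default via %s dev %s table %s\n' "$2" "$1" "$TABLE"
    printf 'ip route add unreachable default metric 1000 table %s\n' "$TABLE"
    printf 'ip route flush cache\n'
}

# Constructed sample of busybox ifconfig output, used for the dry run below.
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255'

if [ "${1:-}" = "apply" ]; then              # on the router: ./script apply
    tn=$(wait_for_tun 300) || { echo "no tun device came up" >&2; exit 1; }
    route_commands "$tn" "$(ifconfig "$tn" | tun_peer_from_ifconfig)" | sh -x
else                                         # anywhere else: print the plan
    tn=$(printf '%s\n' "$SAMPLE_IFCONFIG" | tun_name_from_ifconfig)
    tp=$(printf '%s\n' "$SAMPLE_IFCONFIG" | tun_peer_from_ifconfig)
    echo "dry run for $tn (peer $tp):"; route_commands "$tn" "$tp"
fi
```

Without an argument it only prints the commands it would run against the constructed sample; on the router, paste it as the startup script with `apply` appended.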

Step 3 – Setting up OpenVPN Server on VPS (such as RamNode):

– wget http://swupdate.openvpn.org/as/openvpn-as-2.0.11-Ubuntu12.i386.deb
– dpkg -i openvpn-as-2.0.11-Ubuntu12.i386.deb
– passwd openvpn
– Log in to the interface and export the .ovpn file to be used for the steps mentioned above

That’s it!