RE: JavaSecurity

From: Scott, Richard (Richard.Scottat_private)
Date: Wed Mar 13 2002 - 06:42:53 PST

    I actually packaged the classes in java.lang:
    
    jar cvf0 new_rt.jar <dir1> <dir2> <dir3> <dir4> .......
    
    The reason why I am posting here is that I am working on an exploit.  I was
    hoping to see if anyone else has worked on replacing core classes in a
    package..... with a rogue one.
    
    Cheers
    r.
    
    
    Richard Scott
    INFORMATION SECURITY
    Best Buy World Headquarters
    7075 Flying Cloud Drive
    Eden Prairie, MN 55344 USA
    
    The views expressed in this email do not represent Best Buy
    or any of its subsidiaries
    
     -----Original Message-----
    From: 	Cushing, David [mailto:David.Cushingat_private] 
    Sent:	Wednesday, March 13, 2002 8:39 AM
    To:	r s; vuln-devat_private
    Subject:	RE: JavaSecurity
    
    This might be better suited to a java newsgroup, but...
    
    Your prompt is c:\, your CLASSPATH is ../../...  That seems incorrect.  
    
    Did you put a package statement in your rogue class (i.e., package
    java.lang)?
    
    Did you re-package rt.jar or try to use it in "un-jarred" form?
    
    Where are rt.jar or the unjarred files?
    
    This exception always means the object could not be found.  Check your
    classpath, check your jar files, file permissions, etc.
    
    If you're not familiar with how classpath finds classes, check out:
    http://java.sun.com/j2se/1.4/docs/tooldocs/findingclasses.html
    
    HTH,
    David
    
    
    > -----Original Message-----
    > From: r s [mailto:richard.scottat_private]
    > Sent: Tuesday, March 12, 2002 2:15 PM
    > To: vuln-devat_private
    > Subject: JavaSecurity
    > 
    > I am trying to replace a class in Java's runtime rt.jar file.
    > 
    > I compiled the rogue class, placed it in the extracted jar file with
    > zero compression.
    > 
    > Now when I compile code against it I get:
    > 
    > C:\>javac -classpath ../../.. String.java
    > Error occurred during initialization of VM
    > java/lang/NoClassDefFoundError: java/lang/Object
    > 
    > This "exploit" was tailored around what Scott Oaks mentioned in his
    > book JavaSecurity.
    > 
    > However, I seem not to be able to exploit it.
    > 
    > Any tips?
    > 
    > 
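
An added example, not part of the original thread: a defender-side integrity check for the core-class replacement discussed above. It hashes every entry of a runtime JAR and compares the result with a baseline recorded from a trusted copy; the function names, the `java/` and `javax/` prefixes and the sample JARs are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

CORE_PREFIXES = ("java/", "javax/")  # assumed definition of "core" packages

def entry_digests(jar_bytes):
    """Map each file entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                for info in jar.infolist() if not info.is_dir()}

def diff_against_baseline(baseline, jar_bytes):
    """List core-package entries that differ from a trusted baseline."""
    current = entry_digests(jar_bytes)
    core = lambda name: name.startswith(CORE_PREFIXES)
    return {
        "changed": sorted(n for n in current if core(n) and n in baseline
                          and current[n] != baseline[n]),
        "added": sorted(n for n in current if core(n) and n not in baseline),
        "removed": sorted(n for n in baseline if core(n) and n not in current),
    }

def build_jar(entries, compression):
    """Build an in-memory JAR from {name: bytes}; used for sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: placeholder bytes stand in for real class files.
ORIGINAL = {
    "java/lang/Object.class": b"object-v1",
    "java/lang/String.class": b"string-v1",
    "java/util/List.class": b"list-v1",
}
TRUSTED_JAR = build_jar(ORIGINAL, zipfile.ZIP_DEFLATED)
BASELINE = entry_digests(TRUSTED_JAR)  # record this from a known-good install

# Same classes repacked uncompressed (as `jar cvf0` does); content unchanged.
REPACKED_JAR = build_jar(ORIGINAL, zipfile.ZIP_STORED)
# One class replaced and one added.
MODIFIED_JAR = build_jar({**ORIGINAL, "java/lang/String.class": b"string-rogue",
                          "java/lang/Extra.class": b"extra"}, zipfile.ZIP_STORED)

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE, REPACKED_JAR))
    print(diff_against_baseline(BASELINE, MODIFIED_JAR))
```

Hashing the uncompressed entry content rather than the archive file means a repack with different compression settings is not reported, while a replaced class is named individually.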
    


