Dailydave mailing list archives
Re: Java
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 14 Nov 2006 08:18:37 -0500
Chris Eagle wrote:
> Dave Aitel wrote:
>> Here I am, spending all day writing code in a language that is statically typed. It's like eating all your food with a good helping of sand. How does one convert a byte[] buf; into a String so you can send it down the wire using a DataOutputStream class? Oooh, let's chain a bunch of converters together. Blimey!
>
> What is your goal on the remote side? Does it need to unmarshall as a Java String? Or are you just trying to get the bytes on the wire?
>
> former: dos.writeUTF(new String(buf));
> latter: dos.write(buf);
>
> How many/what type of converters do you feel compelled to use?
>
> Chris
Essentially, for all the web languages, I need a simple platform independent callback backdoor. We have a reasonably good one for PHP, which is great for PHP injection attacks, but we don't have one for Java. It's an annoying problem, because you have to write your source code to be Java 1.0-5.0 compliant, and, of course, size has to be minimal. gcj is helping though, since it's nicely installed by default these days.

Of course, the backdoor has to play nicely with the CANVAS framework, which means I can't do things like "writeUTF" and "readUTF" - not only would that be slow since the network ends have to while (data[:-2]!="\x00\x00"): recv(1); but the client side is Python. Then again, in Python, with a Unicode string, does len() return the number of characters or the byte size? (answer: characters, just like Java)

Unicode is a huge problem for us these days. If you hack a Japanese Windows box, we want to be able to display all the kanji for you. But this requires extensive fun with fonts.

-dave
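An added example, not part of the original thread or of CANVAS: a Python receiver for the two framings the thread weighs, the `writeUTF` string format (documented by Java as a 2-byte big-endian byte count followed by modified UTF-8) and raw bytes. The 4-byte length prefix on the raw frame, the `MAX_FRAME` cap and all function names are assumptions made for illustration.

```python
import io
import struct

MAX_FRAME = 1 << 20  # assumed cap so a hostile length field cannot exhaust memory

def recv_exact(stream, n):
    """Read exactly n bytes; a short read means a truncated frame."""
    data = stream.read(n)
    if len(data) != n:
        raise EOFError(f"wanted {n} bytes, got {len(data)}")
    return data

def java_write_utf(text):
    """Bytes Java's DataOutputStream.writeUTF(text) emits, one UTF-16 unit at a time."""
    out = bytearray()
    for (u,) in struct.iter_unpack(">H", text.encode("utf-16-be")):
        if 0x0001 <= u <= 0x007F:
            out.append(u)
        elif u <= 0x07FF:  # also covers U+0000, which becomes C0 80
            out += bytes([0xC0 | (u >> 6), 0x80 | (u & 0x3F)])
        else:  # 3 bytes, surrogate halves included
            out += bytes([0xE0 | (u >> 12), 0x80 | ((u >> 6) & 0x3F), 0x80 | (u & 0x3F)])
    if len(out) > 0xFFFF:
        raise ValueError("writeUTF is limited to 65535 encoded bytes")
    return struct.pack(">H", len(out)) + bytes(out)

def read_utf(stream):
    """Receiver for writeUTF: 2-byte big-endian byte count, then modified UTF-8."""
    (n,) = struct.unpack(">H", recv_exact(stream, 2))
    raw = recv_exact(stream, n).replace(b"\xc0\x80", b"\x00")
    # surrogatepass accepts the 3-byte surrogate halves; the UTF-16 round trip rejoins them.
    units = raw.decode("utf-8", "surrogatepass").encode("utf-16-be", "surrogatepass")
    return units.decode("utf-16-be")

def write_frame(buf):
    """Raw bytes behind a 4-byte length (Java side: writeInt(buf.length); write(buf))."""
    return struct.pack(">I", len(buf)) + buf

def read_frame(stream):
    (n,) = struct.unpack(">I", recv_exact(stream, 4))
    if n > MAX_FRAME:
        raise ValueError(f"frame of {n} bytes exceeds cap")
    return recv_exact(stream, n)

if __name__ == "__main__":
    text = "kanji \u6f22\u5b57 \U0001F600"  # constructed sample, includes a non-BMP char
    wire = java_write_utf(text) + write_frame(b"\xff\x00\xfe")
    s = io.BytesIO(wire)
    print(len(text), len(wire), read_utf(s) == text, read_frame(s))
```

The sample string is 10 characters to `len()` but 19 encoded bytes on the wire, so the length field has to be treated as a byte count, not a character count.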