Commit Graph

6550 Commits

Author SHA1 Message Date
Mike Salvatore 75ed119c00 Changelog: Add changelog entries for Log4Shell exploiter 2022-01-21 07:40:42 -05:00
VakarisZ 39a48c2b64
Merge pull request #1670 from guardicore/1663-log4shell-exploit
Log4Shell exploiter
2022-01-21 11:52:14 +02:00
Mike Salvatore 4c30118f67 Docs: Increase v1.12.0 -> v1.13.0 2022-01-20 14:38:14 -05:00
Mike Salvatore 5bf82659bd UI: Switch CVE-2021-44228 from href to react-bootstrap Button
This resolves an eslint error regarding `target="blank"` without
`rel="noopener"` and makes this code more consistent with other code.
2022-01-20 12:14:52 -05:00
Mike Salvatore d21dd6da13 Agent: Wait for victim to download agent before killing servers
The Log4Shell exploiter requires the victim to contact a number of
different servers. Wait a reasonable amount of time for the victim to
call home and download the agent before issuing the shutdown command to
the server.
2022-01-20 10:42:51 -05:00
Mike Salvatore e576136a63 Agent: Skip Log4Shell exploiter if there are no open ports 2022-01-20 08:52:09 -05:00
Mike Salvatore 6d87289bd0 Agent: Minor change to log statement in ExploitClassHTTPServer 2022-01-20 08:17:57 -05:00
Shreya Malviya 83d2a0aac0 Common, UI: Bump version numbers to 1.13.0 2022-01-20 17:49:02 +05:30
Shreya Malviya ce8c178297 BB: Add Log4Shell zoo machines to table of contents, grammar fixes 2022-01-20 17:24:11 +05:30
Mike Salvatore d0e26f770f Agent: Add lock to HTTPHandler.do_GET() to avoid potential race 2022-01-19 19:37:23 -05:00
vakarisz 76d6071f7c Island: add cve link to log4shell report 2022-01-19 15:09:03 +02:00
Mike Salvatore 1840dd54ca Agent: Add class documentation to ExploitClassHTTPServer 2022-01-18 12:33:06 -05:00
Mike Salvatore 63085273a9 Agent: Encapsulate parallelism in ExploitClassHTTPServer 2022-01-18 08:57:05 -05:00
vakarisz 212fb3a653 BB: black format config_generation_script.py 2022-01-18 15:23:59 +02:00
vakarisz a5a4957c29 Agent: small readability and style improvements 2022-01-18 15:01:47 +02:00
vakarisz 03919c3caf Agent: fix struts2 url building 2022-01-18 14:29:57 +02:00
vakarisz 76a32d241c Agent: log4shell readability and style fixes 2022-01-18 12:48:56 +02:00
vakarisz 52ac7dd295 Agent: fix a bug in web_rce url building
build_potential_urls was made static and takes IP as first parameter, but the users of this method weren't changed and only passed ports
2022-01-18 12:22:38 +02:00
vakarisz e3f9312ff9 BB: change log4j exploit depth to 1 (default)
This change is necessary to make sure that exploitation is successful from a particular machine being tested.
2022-01-18 11:44:47 +02:00
vakarisz f667d9203b Agent: update Pipfile.lock to contain pyinstaller changes
Pyinstaller got changed to not crash ldap server that's running on a spawned process, by continuing if no m0nk3y or dr0pp3r flags are specified
2022-01-18 11:41:18 +02:00
Ilija Lazoroski 51bf553fb5 Agent, Island: Minor changes to Log4Shell
Return types, removing logging from solr service
and change Log4j to Log4Shell in Island reporting
2022-01-17 16:37:03 +01:00
Ilija Lazoroski 311a721880 BB: Fix IP address for Tomcat machines 2022-01-17 16:34:56 +01:00
vakarisz 77eb3ce004 BB: Added log4j configs to the list of manually generatable configs 2022-01-17 11:40:31 +02:00
Mike Salvatore 363d0e14bf UT: Add unit test for Log4Shell LDAPExploitServer 2022-01-14 11:53:50 -05:00
Mike Salvatore c9e59bd266 Agent: Refactor Log4Shell LDAP server to avoid race condition
A race condition existed between the time when the LDAP server was
instructed to start and the first exploit was sent to the victim.
Sometimes, the first exploit would be sent before the LDAP server
finished starting, resulting in failed exploitation.

To remedy this, the LDAPExploitServer.run() function now blocks until
the server has successfully started. Once the server has started,
LDAPExploitServer.run() returns. This allows the caller to have
confidence that the LDAP server is running after LDAPExploitServer.run()
returns and alleviates the need to sleep in order to avoid the race
condition.
2022-01-14 09:43:14 -05:00
Mike Salvatore d5e05d7885 Agent: Change log level of Log4Shell HTTP startup message to INFO 2022-01-14 09:31:25 -05:00
vakarisz be79f2bcdb BB: add log4j machines to gcp machine list 2022-01-14 14:51:18 +02:00
vakaris_zilius 9f5034a8e5 Agent: fix race condition between ldap server and malicious requests 2022-01-14 12:24:58 +02:00
Ilija Lazoroski b94c8e54e2 Agent: Remove POC Docker Service 2022-01-13 16:59:22 +01:00
Ilija Lazoroski c2db37df1e Agent: Use dropper for Log4Shell 2022-01-13 16:55:45 +01:00
Mike Salvatore 29ea2a961c Docs: Some small tweaks to the Log4Shell documentation 2022-01-13 09:40:59 -05:00
vakarisz a7b31dd9e4 BB: add log4shell BB tests 2022-01-13 16:11:10 +02:00
Mike Salvatore a9d735593c Agent: Wrap log4shell exploiters in a try/except 2022-01-13 08:58:25 -05:00
Mike Salvatore 6b934d6de5 Agent: Wrap log4shell LDAP server in a process
A Twisted reactor can only be started and stopped once. It cannot be
restarted after it has been stopped. To work around this, the reactor
is configured and run in a separate process. This allows us to run
multiple LDAP servers sequentially or simultaneously and stop each one
when we're done with it.
2022-01-13 08:58:25 -05:00
vakarisz aef7beedb3 Zoo: add logstash machines that test log4shell 2022-01-13 12:42:03 +02:00
Mike Salvatore 24e891d8a8 Agent: Fix formatting of web_rce.py 2022-01-12 19:44:46 -05:00
Mike Salvatore 6fa1d20e6a Agent: Add _initialize_http_handler() to ExploitClassHTTPServer 2022-01-12 19:27:51 -05:00
Mike Salvatore 176177b8cb Agent: Use threading.Event() in ExploitClassHTTPServer instead of bool 2022-01-12 19:21:12 -05:00
Mike Salvatore a3cc641101 UT: Add unit tests for ExploitClassHTTPServer 2022-01-12 19:21:10 -05:00
Mike Salvatore c2f3042442 Agent: Move definition of exploit template constants for log4shell
The LINUX_EXPLOIT_TEMPLATE_PATH and WINDOWS_EXPLOIT_TEMPLATE_PATH are
not used in exploit_builder.py, and therefore have no reason to be
defined in this file. They are now defined in the __init__.py
2022-01-12 16:46:31 -05:00
Mike Salvatore 7733ec29ca Agent: Add source code for log4shell Java class templates 2022-01-12 16:41:57 -05:00
Mike Salvatore aa60313787 Agent: Remove commented out code in ExploitClassHTTPServer 2022-01-12 12:33:54 -05:00
Mike Salvatore 3bbf4f9ac6 Agent: Prefix private methods/variables with _ in Log4ShellExploiter 2022-01-12 12:23:44 -05:00
Mike Salvatore 8f53a5ccd0 Agent: Fix min_range in get_free_tcp_port()
get_free_tcp_port() effectively ignored the min_range parameter by using
min(1, min_range). This meant that min_range was always 1 (unless a
negative value was passed). As ports lower than 1024 are privileged on
Linux, this led to the agent trying to bind to ports that it did not
have permission to. By using max(1, min_range), we ensure that min_range
is always at least 1, but will still use the provided parameter (1024 by
default).
2022-01-12 12:20:32 -05:00
Mike Salvatore 16219b714b Agent: Extract Java exploit HTTP server into its own module 2022-01-12 12:11:20 -05:00
Mike Salvatore b72ad39aa6 Agent: Invoke reactor.stop() with reactor.callFromThread() 2022-01-12 10:53:10 -05:00
Shreya Malviya 7fae22e993 Docs: Add Log4Shell exploiter page 2022-01-12 14:29:38 +05:30
Shreya Malviya f8ac13c164 Island: Add info about Log4Shell to config schema 2022-01-12 14:05:17 +05:30
Mike Salvatore c51be159b6 Agent: Use classmethods to improve readability of HTTPHandler 2022-01-11 13:08:32 -05:00
Mike Salvatore b79bf96359 Agent: Don't install signal handlers in LDAPExploitServer
This avoids exceptions that are raised when the LDAPExploitServer is not
started on the main thread.
2022-01-11 12:54:53 -05:00