Documentation
Overview
This is an implementation of an evil JNDI LDAP server. The server accepts connections and returns a malicious serialized object in response to a search. Java serialization is obviously native to Java rather than Go. To work around this, we pre-serialized some gadgets that use Nashorn as their sink. The desired command is inserted into the pre-compiled gadget (and padded if needed). Not perfect, but not half bad, I think. Inspiration from:
* https://github.com/veracode-research/rogue-jndi
* https://github.com/For-ACGN/Log4Shell
* https://github.com/zzwlpx/JNDIExploit
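For defenders, the search response described above can be recognized on the wire. The following added example (not part of this package or its documentation) walks a BER-encoded LDAP message and flags the RFC 2713 attributes javaSerializedData, javaCodeBase and javaFactory, plus any value that starts with the Java serialization stream header. The attribute names are an assumption taken from RFC 2713, since the page does not name them; `Scan`, `risky` and the sample bytes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RFC 2713 names (assumed, not on the page) that make a JNDI client deserialize or load a class.
var risky = map[string]bool{"javaserializeddata": true, "javacodebase": true, "javafactory": true}

// Scan walks a definite-length BER LDAP message and returns each risky attribute
// name, plus a marker for any value starting with the Java stream header ACED0005.
func Scan(b []byte) (hits []string, err error) {
	for len(b) > 0 {
		if len(b) < 2 {
			return hits, errors.New("truncated BER header")
		}
		tag, n, off := b[0], int(b[1]), 2
		if k := n & 0x7f; n >= 0x80 { // long form: k length octets follow
			if k == 0 || k > 4 || len(b) < 2+k {
				return hits, errors.New("unsupported BER length")
			}
			for n = 0; off < 2+k; off++ {
				n = n<<8 | int(b[off])
			}
		}
		if n < 0 || n > len(b)-off {
			return hits, errors.New("BER length exceeds buffer")
		}
		val := string(b[off : off+n])
		if tag&0x20 != 0 { // constructed (SEQUENCE, SET, [APPLICATION n]): recurse
			sub, err := Scan(b[off : off+n])
			if hits = append(hits, sub...); err != nil {
				return hits, err
			}
		} else if strings.HasPrefix(val, "\xac\xed\x00\x05") {
			hits = append(hits, "java-serialized-stream")
		} else if risky[strings.ToLower(val)] {
			hits = append(hits, val)
		}
		b = b[off+n:]
	}
	return hits, nil
}

func main() {
	// Constructed sample: SearchResultEntry with one javaSerializedData value.
	fmt.Println(Scan([]byte("\x30\x2a\x02\x01\x02\x64\x25\x04\x03o=a\x30\x1e\x30\x1c\x04\x12javaSerializedData\x31\x06\x04\x04\xac\xed\x00\x05")))
}
```

An ordinary directory entry yields no hits, so any hit on LDAP traffic reaching a Java application is worth triage, especially when the LDAP server is outside the organization's own directory infrastructure.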
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func CreateLDAPServer
func SetLDAPGadget
func SetLDAPGadget(gadget GadgetName, binary string, lhost string, lport int, command string)
func SetLDAPHTTPClass
func SetLDAPHTTPClass(gadget GadgetName, lhost string, lport int, httpHost string, httpPort int)
Types
type GadgetName
type GadgetName int
Mapping of available pre-serialized gadgets.
const (
	// org.apache.naming.factory.BeanFactory + javax.el.ELProcessor#eval (windows + Linux).
	TomcatNashornReverseShell GadgetName = 0
	// org.apache.naming.factory.BeanFactory + javax.el.ELProcessor#eval (linux only).
	TomcatGenericBash GadgetName = 1
	GroovyGenericBash GadgetName = 2
	// org.apache.naming.factory.BeanFactory.
	BeanUtils194GenericBash GadgetName = 3
	// load class via an HTTP server.
	HTTPReverseShell GadgetName = 4
)