Custom Metasploit Module for Log4Shell Scanner

In this article, we will discuss a customized Metasploit module I wrote for scanning applications vulnerable to Log4Shell as well as how you can further customize it to suit your needs.

There is already an existing scanner available for this which you can find on metasploit-framework GitHub.

You may ask why did I write a customized module despite the one that is available ? For starters, it’s a lot of fun. Also, I was already half-way writing the custom module before I found the available one. I figured I might as well keep the part of the code that works best for me.

Loading The Module

It is very easy to load custom modules in metasploit as shown in the steps below. You can follow steps in this article to get better understanding of it.

The code for customized_log4jshell_scanner.rb can be found here.

root@kali# mkdir -p /root/.msf4/modules/auxiliary/scanner/log4j/
root@kali# cp <custom-log4jshell-scanner-path>  /root/.msf4/modules/auxiliary/scanner/log4j/customized_log4jshell_scanner.rb
root@kali# msfconsole
metasploit-shell > use auxiliary/scanner/log4j/customized_log4jshell_scanner

Setting The Module Options

The module has multiple options. We will discuss the ones that are most likely to be used.

ExternalIP

This is the IP you want the LDAP callback for. It will be used in payload. This option was added to supplement the situation where external IP would be different from host IP ( i.e. AWS ).

It doesn’t have to be external IP though. ( I know …. could have named this parameter better ) You can even use the internal IP of attacker box as long as the victim can connect to that IP.

HTTP_METHOD

GET or POST

LDAP_TIMEOUT

How long metasploit will listen for callback

PARAMETER_NAME

You may encounter situation where you have to supply all the parameters in the request to successfully exploit the RCE. This option allows you to specify multiple parameters and it will send the payload in the first specified parameter.

RHOSTS & RPORT

Target Host(s) and Port. Obviously, you can set multiple RHOSTS to scan at scale.

SRVHOST , SRVPORT

This is the IP and Port to which metasploit server will bind the listener. ( Not to confuse SRVHOST with ExternalIP option which is what will be sent in the payload )

You may have to choose different SRVPORT ( or exit metasploit ) every time you run the scanner. Will fix this as I improve this module. The trick is to use save command to reduce the annoyance.

TARGETURI

The URI you want to send the HTTP(S) request to.

Proof Of Concept (POC)

There is POC exploit code available on exploit-db if you want to better understand this vulnerability. You would still need a vulnerable application which you can find here.

The screenshots below shows the custom module scanning the vulnerable application as well as doing a mass scan of other IPs which may or may not have a web server running.

Scanning Vulnerable Application

Scanning Targets at Scale

Customizing The Module

You may end up writing your own module to meet your needs because this is a fairly new vulnerability and all the plugin modules for different scanners out there are still work in progress.

Here are some things you can do to customize this code.

Adding More HTTP Methods

This module uses send_request_cgi which is in built function in metasploit. For now, I have only allowed to send GET and POST requests.However, You can choose a different function to use as well as add more HTTP METHODS on top of this. You can find more information here.

You can also add better parameter handling to make requests look more realistic. i.e. if one of the variables in the form you are posting is phone-number, it populates it with random 10 digit number along with payload in one of the other variables.

Saving the Output

This functionality will be added as I improve this module but simply adding ruby commands of writing output to disk can do the trick.

Getting that Shell

This module uses RCE to scan if the application is vulnerable or not. If you are a ruby ninja, you can take this further to get a reverse shell.

Additional Resources

If you are looking for additional information on how to write a custom metasploit module, check out these resources :

• https://adfoster-r7.github.io/metasploit-framework/
• https://rapid7.github.io/metasploit-framework/api/
• https://www.offensive-security.com/metasploit-unleashed/building-module/

In Conclusion

We discussed how we can use custom module to scan for Log4Shell as well as customize it to meet our needs. Leveraging MetaSploit’s APIs and resources mentioned above can make it fairly easy to write custom plugins when the next Log4Shell comes out.

CREDITS

I would like to thank zeroSteiner whose metasploit module is already merged in the master branch. Without going through some of that LDAP request handling code , it would have taken me longer to write this module.