Log4Shell fails due to bad-config

[Cx01N]

Steps to reproduce

How'd you do it?

1. Install latest version of Metasploit (v6.3.55)
2. Use the log4shell_header_injection module
3. Set the lhost, srvhost, and rhost
4. Run the module and get back the error

This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.

Were you following a specific guide/tutorial or reading documentation?

No

If yes link the guide/tutorial or documentation you were following here, otherwise you may omit this section.

Expected behavior

I tested the module on an older copy of log4shell with Metasploit v6.3.51 and was able to get the exploit to work.

What should happen?
The exploit should return a shell to the metasplit.

Current behavior

What happens instead?
The module reports "exploit aborted due to failure: bad config"

Metasploit version

Framework: 6.3.55-dev
Console : 6.3.55-dev

Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install).

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

Collapse

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/multi/http/log4shell_header_injection

[multi/http/log4shell_header_injection]
RHOSTS=10.10.0.94
SRVHOST=10.9.254.6
LHOST=10.9.254.6
WORKSPACE=
VERBOSE=false
WfsDelay=30
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
JavaCache=/root/.msf4/javacache
AddClassPath=
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=auto
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
SRVPORT=389
ListenerBindAddress=
ListenerBindPort=
ListenerComm=
LDIF_FILE=
LdapServerUdp=true
LdapServerTcp=true
LDAP_AUTH_BYPASS=true
RPORT=80
VHOST=
SSL=false
Proxies=
UserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
HttpUsername=
HttpPassword=
HttpRawHeaders=
DigestAuthIIS=true
SSLVersion=Auto
FingerprintCheck=true
DOMAIN=WORKSTATION
HttpClientTimeout=
HttpTrace=false
HttpTraceHeadersOnly=false
HttpTraceColors=red/blu
SSLServerNameIndication=
HTTP::uri_encode_mode=hex-normal
HTTP::uri_full_url=false
HTTP::pad_method_uri_count=1
HTTP::pad_uri_version_count=1
HTTP::pad_method_uri_type=space
HTTP::pad_uri_version_type=space
HTTP::method_random_valid=false
HTTP::method_random_invalid=false
HTTP::method_random_case=false
HTTP::version_random_valid=false
HTTP::version_random_invalid=false
HTTP::uri_dir_self_reference=false
HTTP::uri_dir_fake_relative=false
HTTP::uri_use_backslashes=false
HTTP::pad_fake_headers=false
HTTP::pad_fake_headers_count=0
HTTP::pad_get_params=false
HTTP::pad_get_params_count=16
HTTP::pad_post_params=false
HTTP::pad_post_params_count=16
HTTP::shuffle_get_params=false
HTTP::shuffle_post_params=false
HTTP::uri_fake_end=false
HTTP::uri_fake_params_start=false
HTTP::header_folding=false
CheckModule=auxiliary/scanner/http/log4shell_scanner
HTTP_METHOD=GET
TARGETURI=/
HTTP_HEADER=
JAVA_GADGET_CHAIN=CommonsBeanutils1
HTTP_SRVPORT=8080
HttpListenerBindPort=
AutoCheck=true
ForceExploit=false
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
CreateSession=true
InitialAutoRunScript=
AutoRunScript=
CommandShellCleanupCommand=
AutoVerifySession=true

Database Configuration

The database contains the following information:

Collapse

Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

Collapse

104    version
105    set loglevel 3
106    search log4shell
107    use 0
108    options
109    set rhost 10.10.0.94
110    set srvhost 10.9.254.6
111    set lhost 10.9.254.6
112    run
113    debug

Framework Errors

The following framework errors occurred before the issue occurred:

Collapse

[02/14/2024 08:55:34] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 08:55:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[02/14/2024 08:55:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[02/14/2024 08:55:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[02/14/2024 09:09:55] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:39:05] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:42:40] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:49:12] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:50:37] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 10:01:09] [e(0)] core: Failed to connect to the database: No database YAML file

Web Service Errors

The following web service errors occurred before the issue occurred:

Collapse

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

Collapse

/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb:289:in `cmd_cat'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:160:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact'
/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:574:in `_interact'
/usr/share/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1740:in `cmd_sessions'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:198:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:35:in `with_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[02/13/2024 11:21:13] [w(0)] core: Session 2 has died
[02/14/2024 08:55:34] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 08:55:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[02/14/2024 08:55:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[02/14/2024 08:55:37] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[02/14/2024 08:55:37] [w(0)] core: The following modules could not be loaded!
[02/14/2024 08:55:37] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[02/14/2024 08:55:37] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[02/14/2024 08:55:37] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[02/14/2024 09:09:55] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:39:05] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:42:40] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:49:12] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 09:50:37] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 10:01:09] [e(0)] core: Failed to connect to the database: No database YAML file
[02/14/2024 10:02:32] [i(2)] core: Reloading exploit module multi/http/log4shell_header_injection. Ambiguous module warnings are safe to ignore
[02/14/2024 10:03:29] [i(2)] core: Reloading auxiliary module scanner/http/log4shell_scanner. Ambiguous module warnings are safe to ignore

Web Service Logs

The following web service logs were recorded before the issue occurred:

Collapse

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Collapse

Framework: 6.3.55-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify

[dwelch-r7]

@Cx01N could you run set AutoCheck false and try again? it looks like something is causing it to fail on the check method so if that works that would confirm where the issue lies

[Cx01N]

@Cx01N could you run set AutoCheck false and try again? it looks like something is causing it to fail on the check method so if that works that would confirm where the issue lies

Yup, that looks like where the issue is coming from.

[dwelch-r7]

Tracked down the issue to this code change here: https://github.com/rapid7/metasploit-framework/pull/18596/files#diff-23d2aec817fcb1bc81721d5ee0c240e2b088f2b2cd0158260bdd2387b803f8c5L11-R11

The change is actually fixing a bug which as it turns out happened to let this module run but since when we take a look at what's in this module's info['Stance'] we get "Stance"=>["aggressive", "passive"] which doesn't make any sense, I'm not sure at this stage what the correct fix is

[taha-ishaq]

Replaced || with && in the assignments for the self.passive attribute to avoid setting it to false when info['Passive'] is false

[github-actions]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

[sempervictus]

Probably dont want to let this get closed as stale, that's a bug worth fixing

[dwelch-r7]

Probably dont want to let this get closed as stale, that's a bug worth fixing

My bad, assigned it to work on and didn't add the label