Add log4j exploiter #1663

Closed
13 tasks done
mssalvatore opened this issue Dec 16, 2021 · 2 comments
Labels
Complexity: High Exploit Feature Issue that describes a new feature to be implemented. Impact: High

Comments

@mssalvatore
Collaborator

mssalvatore commented Dec 16, 2021

Add an exploiter to exploit the new log4j vulnerabilities.

  • Identify all related CVEs, choose which ones we'll exploit and which we'll ignore.
  • Add test machines in GCP - some Windows, some Linux, multiple vulnerable applications
  • Simple POC that allows one agent to remotely launch another agent on the victim and know whether or not exploitation was successful
  • Implement a new exploiter
  • Add blackbox tests - @ilija-lazoroski @VakarisZ
  • Add documentation - @shreyamalviya
  • "Adapter was already registered" error - @mssalvatore
  • Code review - @shreyamalviya
  • Investigate if monkey agent freezes on victim machines
  • Re-generate logstash and tomcat images @ilija-lazoroski
    • Logstash
    • Tomcat
  • Recompile Linux and Windows java class templates from source (ensure they don't contain anything malicious) - @mssalvatore / @VakarisZ
@mssalvatore mssalvatore added the Feature Issue that describes a new feature to be implemented. label Dec 16, 2021
@ilija-lazoroski
Contributor

ilija-lazoroski commented Dec 17, 2021

There are only two CVEs in exploit-db. CVEdetails shows 3, one of which is DoS.

Information disclosure: https://www.exploit-db.com/exploits/50590
RCE: https://www.exploit-db.com/exploits/50592

Out of which I think we will want to use the RCE one. The POC as well as some vuln applications are in https://github.com/kozmer/log4j-shell-poc.

List of affected apps: https://www.cvedetails.com/cve/CVE-2021-44228/

Another enormous list of vuln software and advisories: https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

As @VakarisZ stated, we may have some vuln machines in GCP, but we can add new ones, let's say with Minecraft installed :)

@shreyamalviya shreyamalviya mentioned this issue Jan 12, 2022
7 tasks
@mssalvatore
Collaborator Author

Released in v1.13.0

2 participants