├── GetLog4jExploitPayload.java
└── README.md

/GetLog4jExploitPayload.java:
--------------------------------------------------------------------------------
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URL;
import javax.naming.InitialContext;
import javax.naming.Reference;

public class GetLog4jExploitPayload {

    public static void main(String[] args) throws Exception
    {
        if (args.length < 2)
        {
            System.out.println("Error: please, provide the ldap/rmi address and the output-dir parameters.");
            System.out.println("Example: java GetLog4jExploitPayload ldap://127.0.0.1:1389/a payloads");
            System.exit(1);
        }

        // Resolve the JNDI name the same way a vulnerable Log4j would. On JDKs where
        // com.sun.jndi.ldap.object.trustURLCodebase / com.sun.jndi.rmi.object.trustURLCodebase
        // default to false (8u191 / 11.0.1 and later) the remote factory class is NOT loaded;
        // the lookup returns the raw Reference, which is all this tool needs.
        InitialContext ctx = new InitialContext();
        Object obj = ctx.lookup(args[0]);
        if (!(obj instanceof Reference))
        {
            System.out.println("Error: the lookup did not return a JNDI Reference.");
            System.exit(1);
        }
        Reference res = (Reference) obj;

        // The codebase is expected to be a directory URL ending in "/" (e.g. http://127.0.0.1:8888/);
        // the factory class name is appended as-is, so a package-qualified name would need its
        // dots replaced with "/" to form the URL a class loader would request.
        String payloadAddress = res.getFactoryClassLocation() + res.getFactoryClassName() + ".class";
        System.out.println("Referenced class: " + payloadAddress);

        System.out.print("Retrieving payload...");

        // Save the raw bytes with a ".dump" suffix so the file is never picked up as a loadable class.
        try (BufferedInputStream in = new BufferedInputStream(new URL(payloadAddress).openStream());
             FileOutputStream fileOutputStream = new FileOutputStream(args[1] + File.separator + res.getFactoryClassName() + ".class.dump"))
        {
            byte[] dataBuffer = new byte[1024];
            int bytesRead;
            while ((bytesRead = in.read(dataBuffer, 0, 1024)) != -1)
            {
                fileOutputStream.write(dataBuffer, 0, bytesRead);
            }
        }
        catch (IOException e)
        {
            // Report the failure instead of silently printing "done." on an empty or missing file.
            System.out.println("failed: " + e.getMessage());
            System.exit(1);
        }

        System.out.println("done.");
    }
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# GetLog4jExploitPayload

The **GetLog4jExploitPayload** (beta) is a tool whose purpose is to download the Java classes (payloads) referenced by Log4Shell JNDI addresses. It may be useful for research and incident response analysis.

**Log4Shell** is the name given to a vulnerability affecting Log4j (CVE-2021-44228). The vulnerability is associated with the Log4j JNDI lookup feature, which on versions <= 2.14.1 by default creates objects of the class returned by the lookup operation. There are many good references for the vulnerability, including [Log4Shell Followup](https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/) and [RCE in log4j](https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/) from SANS, [Lunasec](https://www.lunasec.io/docs/blog/log4j-zero-day/), [Reddit](https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/?utm_source=share&utm_medium=ios_app&utm_name=iossmf) and [MorphusLabs](https://morphuslabs.com/log4shell-vulnerabilidade-cr%C3%ADtica-afeta-biblioteca-log4j-urgente-378dd9af4b88) (in Portuguese).

### Usage

```
git clone https://github.com/morphuslabs/get-log4j-exploit-payload
cd get-log4j-exploit-payload
javac GetLog4jExploitPayload.java
mkdir <output-dir>
java GetLog4jExploitPayload <ldap-or-rmi-address> <output-dir>
```

Do not include the "jndi:" prefix in the address parameter. Pass just the ldap or rmi address.

### Example

```
mkdir payloads
java GetLog4jExploitPayload ldap://127.0.0.1:1389/a payloads
Referenced class: http://127.0.0.1:8888/MyExploit.class
Retrieving payload...done.

ls payloads/
MyExploit.class.dump
```

As a next step, you could use a Java decompiler such as [FernFlower](https://github.com/fesh0r/fernflower) to analyze the payload.

**Use at your own risk.**

Good luck!

--------------------------------------------------------------------------------