An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228

Related tags

Spring Boot evil-rmi-server
Overview

evil-rmi-server

An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228 in a local privesc scenario

Build

./gradlew bootJar

Run

Usage: java -jar build/libs/evilRMIServer-1.0-SNAPSHOT.jar [-hV] [-p=<port>]
       <cmd>
An evil RMI Server to help construct and run an arbitrary command.
      <cmd>           The Command to run. Wrap in quotes if there are spaces.
  -h, --help          Show this help message and exit.
  -p, --port=<port>   The port to listen on
  -V, --version       Print version information and exit.
You might also like...

This project will help to test the Log4j CVE-2021-44228 vulnerability.

Log4j-JNDIServer This project will help to test the Log4j CVE-2021-44228/CVE-2021-45046 vulnerabilities. Installation and Building Load the project on

Jun 30, 2022

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 The Log4Shell vulnerability (CVE-2021-44228) ultimately is a quite simple JNDI Injection flaw, but in a really real

Jun 10, 2022

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228) This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nickname

Jan 5, 2023

Vulnerability CVE-2021-44228 checker

CVE-2021-44228 checker This is the repository for checking for vulnerability CVE-2021-44228. This is a PoC that only displays strings without any exte

Nov 9, 2022

Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process

-- This repository has been archived -- Further development of this tool will continue at corretto/hotpatch-for-apache-log4j2. Thanks for sharing, com

Dec 23, 2021

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4J-RCE-Proof-Of-Concept (CVE-2021-44228) This is a proof of concept of the log4j rce. Here are some links for the CVE-2021-44228: https://www.lunas

Dec 2, 2022

An agent to hotpatch the log4j RCE from CVE-2021-44228.

Log4jHotPatch This is a tool which injects a Java agent into a running JVM process. The agent will attempt to patch the lookup() method of all loaded

Dec 13, 2022

Java library to launch external processes

ch.vorburger.exec If you like/use this project, a Star / Watch / Follow me on GitHub is appreciated! This project is a small library allowing to launc

Sep 7, 2022

CVE-2021-2109 && Weblogic Server RCE via JNDI

CVE-2021-2109 && Weblogic Server RCE via JNDI

Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected

Nov 21, 2022
Comments
  • incompatible serialVersionUID

    incompatible serialVersionUID

    When exploiting a vulnerable app where I can control the lookup payload

    new InitialContext().lookup(payload)

    I get the following error:

    local class incompatible: stream classdesc serialVersionUID = 1, local class serialVersionUID = -7048783088944819197

    I tried several things so far but can't seem to find the root cause of the problem.

    Any ideas?

    Thank you

    opened by bananabr 0
Owner
Adam Bertrand
Adam Bertrand
GitHub
Log4j CVE-2021-44228 examples: Remote Code Execution (through LDAP, RMI, ...), Forced DNS queries, ...

Log4j CVE-2021-44228 and CVE-2021-45046 Requisites Use a vulnerable JDK, for instance JDK 1.8.0_181 Usage Malicious server The malicious server deploy

Manuel Álvarez Álvarez 5 Feb 7, 2022
log4j2 Log4Shell CVE-2021-44228 proof of concept

Log4Shell CVE-2021-44228 proof of concept Requirement Java (JDK/JRE) 8 or later version curl exploitable Simple spring boot application that serves a

Seshu Pasam 2 Dec 21, 2021
Small example repo for looking into log4j CVE-2021-44228

log4j CVE-2021-44228 Lame useless repo to look into log4j CVE-2021-44228. Setup The repository contains a .idea/ folder which is a IntelliJ IDEA proje

null 65 Dec 13, 2022
Scan and patch tool for CVE-2021-44228 and related log4j concerns.

A Log4J2 CVE-2021-44228 Vulnerability Scanner and Patcher Links to download the latest version: Linux x64 with glibc2.17+ (RHEL7+) Windows & all other

SAS Software 33 Jun 1, 2022
A singular file to protect as many Minecraft servers and clients as possible from the Log4j exploit (CVE-2021-44228).

MC-Log4J-Patcher The goal of this project is to provide Minecraft players, and server owners, peace of mind in regards to the recently discovered Log4

Koupa Taylor 4 Jan 4, 2022
Log4J CVE-2021-44228 Minecraft PoC

CVE-2021-44228 in Minecraft Java 16 Paper server build #397 Minecraft 1.17.1 Exploitation In Java 16 only deserialization attacks work by default usin

myxl 5 Feb 15, 2022
CVE-2021-44228 - Apache log4j RCE quick test

Build ./build.sh Start log4j RCE Server ./start-log4j-rce-server.sh Test Run java -cp log4j-rce-1.0-SNAPSHOT-all.jar log4j Check if you get logs in ha

Jeffrey Li 3 Feb 1, 2022
Some tools to help mitigating Apache Log4j 2 CVE-2021-44228

JndiLookup Some tool to help analyzing Apache Log4j 2 CVE-2021-44228 This tool uses the "lookup" feature from log4j-2 to test against the JNDI vulnera

Daniel Fages 3 Dec 18, 2021
Test case to check if the Log4Shell/CVE-2021-44228 hotfix will raise any unexpected exceptions

Log4Shell Hotfix Side Effect Test Case I wanted to know if any ClassNotFoundException or similar unexpected exception is raised when one applies the C

Malte S. Stretz 3 Nov 9, 2022
A short demo of CVE-2021-44228

sample-ldap-exploit A short demo of CVE-2021-44228 Build $ mvn clean verify Run Attacker $ java \ -cp 'attacker/target/sample-attacker.jar:attacker

Philip Oswald 6 Oct 19, 2022