morphuslabs / get-log4j-exploit-payload


GetLog4jExploitPayload

The GetLog4jExploitPayload (beta) is a tool whose purpose is to download the Java classes (payloads) referenced by Log4Shell JNDI addresses. It may be useful for research and incident response analysis.

Log4Shell is the name given to a vulnerability affecting Log4j (CVE-2021-44228). The vulnerability is associated with the Log4j JNDI lookup feature, which on versions <= 2.14.1 by default instantiates objects of the class returned by the lookup operation. There are many good references for the vulnerability, including Log4Shell Followup and RCE in log4j from SANS, Lunasec, Reddit and MorphusLabs (in Portuguese).

Usage

git clone https://github.com/morphuslabs/get-log4j-exploit-payload
cd get-log4j-exploit-payload
javac GetLog4jExploitPayload.java
mkdir <output-dir>
java GetLog4jExploitPayload <ldap address> <output-dir>

Do not include the "jndi:" on the address parameter. Pass just the ldap or rmi address.

Example

mkdir payloads
java GetLog4jExploitPayload ldap://127.0.0.1:1389/a payloads
Referenced class: http://127.0.0.1:8888/MyExploit.class
Retrieving payload...done.

ls payloads/
MyExploit.class.dump

As the next step, you could use a Java decompiler such as FernFlower to analyze the payload.

Use at your own risk.

Good luck!
