/CVE-2021-44228

CVE-2021-44228 demo webapp

Primary Language: Java

CVE-2021-44228-POC

Yet another CVE-2021-44228 POC

Affected Log4j versions: from 2.0-beta9 up to 2.14.1

Prerequisites

Used Java: OpenJDK 11

Maven is required to build the apps in this repo (alternatively, download the prepared jar files from the release).

Building & Running the projects

Directory descriptions:

  • jndi - project with JNDI LDAP Reference server
  • web - project with vulnerable server
  • provider - project with code compiler & server
  • resources - directory for additional resources (like screenshots)

Build projects with:

mvn clean install

Run jars with:

java -jar <jar>

Files to run (these files will be generated in: <repo_name>/<project_name>/target):

  • jndi-1.0.0-jar-with-dependencies.jar (run with: java -jar jndi-1.0.0-jar-with-dependencies.jar "http://127.0.0.1:8081/#Exploit")
  • web-1.0.0.jar (run with: java -jar web-1.0.0.jar) - runs on port 8080
  • provider-1.0.0.jar (run with: java -jar provider-1.0.0.jar) - runs on port 8081

Alternatively, build and run the Docker image (see the Docker section below Screenshots).
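An added example, not part of this repository: a Python check that reads the log4j-core version bundled in a built jar (shaded copies and jars nested inside fat jars) and tests it against the affected range stated at the top of this page. The backport exclusion list and the `make_jar` helper for constructed samples are additions of this example, not taken from the page.

```python
import io
import re
import zipfile

LOW, HIGH = "2.0-beta9", "2.14.1"  # affected range as stated on this page
# Assumption (not from this page): these later backport releases fall
# numerically inside the range but carry the fix, so they are excluded.
BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None = final release

def version_key(version):
    """Sort key: numeric parts, then pre-release rank and number.
    Raises ValueError for a version string it cannot parse."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", version.lower())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums), RANK[m.group(2)], int(m.group(3) or 0)

def is_affected(version):
    in_range = version_key(LOW) <= version_key(version) <= version_key(HIGH)
    return in_range and version not in BACKPORTS

def find_log4j_core(jar_bytes, where=""):
    """Return [(location, version, affected)] for every log4j-core copy found,
    covering shaded jars (pom.properties) and jars nested inside fat jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name == POM:
                props = jar.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    hits.append((where or ".", m.group(1), is_affected(m.group(1))))
            elif name.endswith(".jar"):
                try:
                    hits += find_log4j_core(jar.read(name), where + name + "!/")
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip it
    return hits

def make_jar(entries):
    """Build a jar in memory from {name: bytes}; for constructed samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

To scan a file on disk, pass its contents: `find_log4j_core(open(path, "rb").read())`.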

Basic usage

  1. Start all projects (as above)
  2. Go to http://127.0.0.1:8081/
  3. Copy the exploit template and paste it into the Java Code box
  4. Go to the vulnerable logger at: http://127.0.0.1:8080/
  5. Copy the payload from the example and send it to the logger
  6. The Calc app should open (Windows). On Linux and Mac, an empty file named "PWNED" should be created in the /tmp directory

Description

Currently, the vulnerability can be exploited via:

  • /logAction -> POST endpoint (triggers with payload in request headers or "payload" param)
  • /logGetHeaders -> GET endpoint (triggers with request headers)
  • /logPut -> PUT endpoint (triggers with request headers or request body)
  • /logDelete -> DELETE endpoint (triggers with request headers or request body)

Screenshots

[Screenshot: Java version]

[Screenshot: Exploit preparation + Compilation + Serving class file]

[Screenshot: Payload (to be delivered to log4j) preparation + Sending the payload]

[Screenshot: JNDI Reference]

[Screenshot: Exploitation result (Windows)]

[Screenshot: Exploitation result (GNU/Linux)]

Docker

You can also build a Docker image with the Dockerfile located in the main repo directory. Instructions:

docker build . -t log4j_vuln
docker run -p 8080:8080 -p 8081:8081 log4j_vuln

To find CONTAINER_ID:

docker ps

To see exploitation result (inside container):

docker exec -it <CONTAINER_ID> bash
ls -la /tmp

Kill the Docker container with:

docker container kill <CONTAINER_ID>

Disclaimer

Code presented in this repository is intended to be used FOR EDUCATIONAL PURPOSES ONLY.
I do not aid, or endorse any malicious usage of data from this repository.

Additionally, code in this repository is shared on an 'AS IS' BASIS - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.

More information

https://www.lunasec.io/docs/blog/log4j-zero-day/