## https://sploitus.com/exploit?id=DBBD6963-3870-5117-A829-3DE976AE90E2
# CVE-2021-44228-POC
Yet another CVE-2021-44228 POC
Affected Log4j versions: from 2.0-beta9 up to 2.14.1
## Prerequisites
Used Java: OpenJDK 11
- https://jdk.java.net/archive/
Maven required to build apps in this repo (alternatively, download prepared jar files from release):
- https://maven.apache.org/
## Building & Running the projects
Directories description:
- jndi - project with JNDI LDAP Reference server
- web - project with vulnerable server
- provider - project with code compiler & server
- resources - directory for additional resources (like screenshots)
Build projects with:
```
mvn clean install
```
Run jars with:
```
java -jar <jar>
```
Files to run (these files will be generated in: <repo_name>/<project_name>/target):
- jndi-1.0.0-jar-with-dependencies.jar (run with: java -jar jndi-1.0.0-jar-with-dependencies.jar "http://127.0.0.1:8081/#Exploit")
- web-1.0.0.jar (run with: java -jar web-1.0.0.jar) - runs on port 8080
- provider-1.0.0.jar (run with: java -jar provider-1.0.0.jar) - runs on port 8081
***Alternatively build and run docker image - Docker section below Screenshots***
## Basic usage
0. Start all projects (as above)
1. Go to http://127.0.0.1:8081/
2. Copy exploit template and paste it in Java Code box
3. Go to vulnerable logger at: http://127.0.0.1:8080/
4. Copy payload from example and send it to the logger
5. Calc app should open (Windows). In case of Linux and Mac, empty file named "PWNED" should be created in \/tmp directory
## Description
Currently, the vulnerability can be exploited via:
- */logAction* -> post endpoint (triggers with payload in request headers or "payload" param)
- */logGetHeaders* -> get endpoint (trigger with request headers)
- */logPut* -> put endpoint (trigger with request headers or request body)
- */logDelete* -> delete endpoint (trigger with request headers or request body):
## Screenshots
Java version:\
![Java version image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/javaVer.png)
Exploit preparation + Compilation + Serving class file:\
![Exploit preparation image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/provider.png)
Payload (to be delivered to log4j) preparation + Sending the payload:\
![Payload image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/web.png)
JNDI Reference:\
![JNDI Reference image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/jndiRef.png)
Exploitation result (Windows):\
![Exploitation result (win) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_win.png)
Exploitation result (GNU/Linux):\
![Exploitation result (lin) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_lin.png)
## Docker
You can also build docker image with Dockerfile located in main repo directory.
Instructions:
```
docker build . -t log4j_vuln
docker run -p 8080:8080 -p 8081:8081 log4j_vuln
```
To find CONTAINER_ID:
```
docker ps
```
To see exploitation result (inside container):
```
docker exec -it <CONTAINER_ID> bash
ls -la /tmp
```
Kill docker container with:
```
docker container kill <CONTAINER_ID>
```
## Disclaimer
Code presented in this repository is intended to be used **FOR EDUCATIONAL PURPOSES ONLY**.\
I do not aid, or endorse any malicious usage of data from this repository.
Additionally, code in this repository is shared on an 'AS IS' BASIS - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
## More information
https://www.lunasec.io/docs/blog/log4j-zero-day/