Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source
https://github.com/Apipia/log4j-pcap-activity
Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
A fun activity using a packet capture file from the log4j exploit (CVE-2021-44228)
Readme
# log4j-pcap-activity
A fun activity using a packet capture file from the log4j exploit (CVE-2021-44228)

## Instructions
Open wireshark and import the PCAP located in this repository: [log4j-exploit.pcap](https://github.com/Apipia/log4j-pcap-activity/blob/main/log4j-exploit.pcap).   
Looking at the packets, answer the following questions.

## Questions

### Easy
1. **Which Packet numbers contain a TCP 3-way-handshake?**.  
_hint: There are 9 of them._

2. **For the first handshake, which server ip and port is establishing a connection with which other server ip and port?**  

3. **For the second?**

4. **What service is associated with the destination port?**

5. **For the third?**  

6. **Looking at the first 4 packets, what can we determine is the type of service running on 172.14.141.132:8080?**

7. **Looking at the 4th packet, what header contains the payload for Log4shell (CVE-2021-44228)?**

8. **Looking at the first 4 packets, what is the first step of the exploit?**

9. **Which packet contains the reply to packet 4?**

### Hard
1. **What is the ip-address of the vulnerable server? What is the ip-address of the attacking machine?**

2. **After recieving the initial payload in packet 4 and recieving the ACK packet, packet 5, what action does the vulnerable server take next?**

3. **Which packet from the attacking machine contains the information to redirect the vulnerable server?**

4. **Looking at this same packet, what is the name of the javaClass we are loading?**

5. **What is the name of the javaFactory?**

6. **What does the vulnerable server do next? (Starting at packet 18)**

8. **What packet contains the RCE that is sent to the server?**

9. **Looking at this packet's 'data', what might be the RCE command sent to the vulnerable server?**

10. **What is the order of establishing and finishing connections with the services and ports on each machine?**

11. **What type of service is running on each of the following ports**:
  -  172.16.141.132:8080
  
  -  172.16.141.131:1389
  
  -  172.16.141.131:8180


### Summary
Now that you have answered the above questions, summarize the steps of the exploit takes as it runs.
ex. First, a http request is sent to the server containing...
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →