漏洞平台

POC详情： a1a2b94632726e9a517bf30468ad2696ffbbb875

来源

https://github.com/Apipia/log4j-pcap-activity

关联漏洞

标题： Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述：Apache Log4j是美国阿帕奇（Apache）基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞，攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器，当该请求被打印成日志时就会触发远程代码执行。

描述

A fun activity using a packet capture file from the log4j exploit (CVE-2021-44228)

介绍

# log4j-pcap-activity
A fun activity using a packet capture file from the log4j exploit (CVE-2021-44228)

## Instructions
Open wireshark and import the PCAP located in this repository: [log4j-exploit.pcap](https://github.com/Apipia/log4j-pcap-activity/blob/main/log4j-exploit.pcap).   
Looking at the packets, answer the following questions.

## Questions

### Easy
1. **Which Packet numbers contain a TCP 3-way-handshake?**.  
_hint: There are 9 of them._

2. **For the first handshake, which server ip and port is establishing a connection with which other server ip and port?**  

3. **For the second?**

4. **What service is associated with the destination port?**

5. **For the third?**  

6. **Looking at the first 4 packets, what can we determine is the type of service running on 172.14.141.132:8080?**

7. **Looking at the 4th packet, what header contains the payload for Log4shell (CVE-2021-44228)?**

8. **Looking at the first 4 packets, what is the first step of the exploit?**

9. **Which packet contains the reply to packet 4?**

### Hard
1. **What is the ip-address of the vulnerable server? What is the ip-address of the attacking machine?**

2. **After recieving the initial payload in packet 4 and recieving the ACK packet, packet 5, what action does the vulnerable server take next?**

3. **Which packet from the attacking machine contains the information to redirect the vulnerable server?**

4. **Looking at this same packet, what is the name of the javaClass we are loading?**

5. **What is the name of the javaFactory?**

6. **What does the vulnerable server do next? (Starting at packet 18)**

8. **What packet contains the RCE that is sent to the server?**

9. **Looking at this packet's 'data', what might be the RCE command sent to the vulnerable server?**

10. **What is the order of establishing and finishing connections with the services and ports on each machine?**

11. **What type of service is running on each of the following ports**:
  -  172.16.141.132:8080
  
  -  172.16.141.131:1389
  
  -  172.16.141.131:8180


### Summary
Now that you have answered the above questions, summarize the steps of the exploit takes as it runs.
ex. First, a http request is sent to the server containing...

文件快照


 [4.0K]  /data/pocs/a1a2b94632726e9a517bf30468ad2696ffbbb875
├── [5.2K]  log4j-exploit.pcap
└── [2.2K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。