Exploiting Log4j

by Vince
in Blog
Hits: 227

A few days ago, the world caught on fire with a new vulnerability in Log4j.  Currently, to see the extent of the attack surface, you can view this list on Github.

CVE-2021-44228

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

There are a number of resources regarding the exploit but I wanted to see what it looked like firsthand.  

We scan our target with Nmap:



We find port 8983 which appears to be Apache Solr.  Digging in:



Confirmed.  And confirmed...



Looking further on the page, we see a reference to Log4j:



Looking at the logs on the server:



And digging a little deeper, we find our path and our entry point:

Testing whether or not we can get it to call out.  Also note, we need to escape the open and close brackets:



With our handler setup:



We successfully called out.  Now to weaponize it:



Compiling our exploit:



Using the Marshelsec LDAP referral server:



Hosting the compiled exploit:



And finally, making our malicious request:

With our handler setup, we catch the inbound shell: