
How Hackers Exploit Log4J to Get a Reverse Shell (Ghidra Log4Shell Demo) | HakByte 

Hak5 · 928K subscribers · 225K views

On this episode of HakByte, @AlexLynd demonstrates a Log4Shell attack against Ghidra, and shows how a reverse shell can be established on compromised systems running the vulnerable Log4J Java framework.
This framework runs on millions of Java-powered devices and was recently exploited, exposing a dangerous vulnerability that uses a single line of code to hack vulnerable systems.
Links:
Ghidra 10.0.3 Download: github.com/NationalSecurityAg...
Log4Shell Demo: github.com/kozmer/log4j-shell...
Alex's Twitter: / alexlynd
Alex's Website: alexlynd.com
Alex's GitHub: github.com/AlexLynd
Alex's RU-vid: / alexlynd
Chapters:
Intro @AlexLynd 00:00
What is Log4J? 00:16
Log4Shell Exploit Explained 00:40
Vulnerable Programs 01:11
Set up the Log4Shell Demo 02:33
Create a Webserver 03:11
Netcat Reverse Shell Listener 04:01
Set up Log4Shell Demo 05:01
Log4Shell String Explained 05:45
Ghidra Setup 06:24
Log4Shell Attack Demo 07:01
Netcat Reverse Shell 07:39
Outro 08:00
Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆
Our Site → www.hak5.org
Shop → hakshop.myshopify.com/
Subscribe → ru-vid.com...
Support → / threatwire
Contact Us → / hak5
Threat Wire RSS → shannonmorse.podbean.com/feed/
Threat Wire iTunes → itunes.apple.com/us/podcast/t...
-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆-----☆
____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.

Category: Science

Published: 4 Jul 2024

Comments: 188
@cronus663 2 years ago
I don't know what surprises me the most, the vulnerability itself, being that easy to explore, or how long it was unknown by the industry and community
@TheBenJiles 2 years ago
Yes.
@melphiss 2 years ago
This is what happens when frameworks add pointless features that nobody, apart from hackers, uses
@melphiss 2 years ago
@UCiuMGUP-oDMz4lYat6Jh8ZQ I truly hope it was a brilliant hacker to turn a logging system into a widespread telnet
@joshallen128 2 years ago
But it is a free software library under the Apache license which can be modified
@Johanthegnarler 2 years ago
It happens, been in the industry for 10ish years now and this is one of many I've had to deal with for massive companies. This isn't even the worst one lol, but is more widespread.
@YISTECH 2 years ago
“It ain’t gonna be that easy” *“It’s that easy.”*
@Ronoaldo 2 years ago
That was an amazing, easy to follow video. Congrats!
@jmr 2 years ago
Great and timely video! I'm seeing a lot of problems relating to the updates today...... More accurately the same problem with the same update from different users.
@bluegizmo1983 2 years ago
What's scary is that this RCE is so incredibly easy to do, and it's attacking something that is so widely used, you just know people had to have been using it for years without people knowing it! This kind of RCE is literally a once in a decade kind of find. Log4J is run on so many things, it is impossible that they will all get patched, so this RCE will be valid for a long time to come.
@threepe0 2 years ago
There have been three other extremely dangerous but less-publicized vulnerabilities that are similar on a somewhat less ubiquitous piece of software. I get the feeling “once in a decade” is quickly going to turn into “once every six months” then “once in a quarter”
@natewesselink 2 years ago
Been dealing with this all week at work. It's an easy enough fix but it's just a pita to do all of em manually till they patch it in software
@synack2165 2 years ago
Right there with you. Tired of seeing this vuln. Work in a SOC and over it already. Reminds me of when I first started when it was all about WannaCry.
@ryanr780 2 years ago
Honestly, this week was filled with frustration and copious amounts of caffeine.
@mrgoatbeard 2 years ago
Luckily only had one application running it with no ability to access input without being an authorized user with certificate credentials...regardless, was not too bad of a fix for having to deal with only one instance. Feel for ya though keep at it.
@ABUNDANCEandBEYONDATHLETE 2 years ago
Easy * every single vulnerable service, app, Network infra, server.... If you're a big company your IT teams have been tired this week and next patching as fast as the patches get announced and released.
@superkool7 2 years ago
I'm jealous you guys have to fight this! Everyone is like “man this sucks” but I’m like “man I wish I had to deal with this” lol hope that's me someday :)
@aguadecanilla 2 years ago
I don't know how to thank you for this explanation, it was really hard to get what's going on, mostly at work where everyone is freaking out with this, now I have a more realistic understanding of the dangers of this CVE... Thanks a lot!
@FawadBilgrami 2 years ago
Timely post!!
@npz1838 2 years ago
I can't wait to explore this in my own home lab. It's insane how easy this exploit is and how prevalent this vulnerable application is.
@Xnand 2 years ago
'home lab' :P
@YuanLiuTheDoc 2 years ago
I am curious what other triggers/codes are needed for this Ghidra server to be vulnerable. I notice that Qualys only marks log4j-core and log4j-api libraries; if a deployment only includes plain jar of log4j, Qualys will ignore it no matter the version.
@KangoV 2 years ago
What companies allow access to unknown LDAP/LDAPS servers through their firewalls? This is the biggest security risk.
@stunningride6073 2 years ago
So much this. An aspect which seems to be always forgotten among all that Log4J/Java rants. This exploit is basically a litmus test for all those infrastructure people with all their shiny 'DevOps' tools. If everyone did their homework, this is nothing else like every other exploit.
@tyaprak 2 years ago
The request is made by a Java application, most likely passes through the firewall. By the way, you don't have to use ldap, you can choose another jndi lookup method.
@robvercouteren 2 years ago
Nice video demo, Alex. It would be cool if a line or two would be dedicated to seeing what shows up in the logfile (assuming that your logfile will not be destroyed by the exploit). Detecting this in the logfile is not so straightforward (depending on the application).
@sk8erfreak540 2 years ago
Great explanation. Good video. Spidey approves
@themistoclesnelson2163 2 years ago
Enjoyed the table slap!
@terry.digital 2 years ago
Solid work!
@juliusrowe9374 2 years ago
Great tutorial Alex! The volume of vlog sounded a little low though.
@rboes208 2 years ago
Thank you so much for this!
@luizhenrique4750 2 years ago
Great video!
@jonathanmcneill4993 2 years ago
I could be mistaken but this looks like Oracle, who makes Java, failed to do input validation. Which is supposed to be a kind of security standard.
@russell28533 2 years ago
At the zoom in, Lynd should have said "because crimes are illegal" and wink with that "ding" sound you hear when the answer is right.
@diegodevops4151 2 years ago
Nooo! but yes! but Nooo! He was trying not to laugh.
@alexandernguyen-phuoc8579 2 years ago
needed this video cause the hack the box walkthrough for Archetype was too big brain to understand well
@TamTam-tg3td 4 months ago
thank you so much alex this topic is my project and my gatepass to be part of cyber security team, I'm supposed to report and replicate log4j attack but no luck in replicating using the minecraft but this definitely is the easiest and safest way. thank you you just saved my career. God bless
@mehdiarmachi9381 2 years ago
So you're telling me log4j downloads unknown code from any LDAP server and executes it... why would they do that ?!
@jakubsikorski4776 2 years ago
So it can log the result, still pretty dumb though
@dalixman2754 2 years ago
Easy to do in the lab, much harder in practice. Essentially you need a very weak target system.. that said there are probably plenty of those out there...
@threepe0 2 years ago
ldap isn't required, and it's funny that he describes it as he does. Ldap is an authentication server, it's not to "send data" anywhere. Log4j simply logs incoming data, and the string escapes out of the "log this sanitized string" logic and ends up instead being executed. This sort of thing is actually pretty common.
@pranava__rao 2 years ago
Are there any writeups that you can share regarding Log4j Vulnerability?
@guy6311 2 years ago
Can you still do any of this without LDAP installed? Is that installed by default and always on? If it is not installed would I still be vulnerable?
@deathcoder 2 years ago
I like the last statement. “Crimes are illegal” 😛
@natetolbert3671 2 years ago
What is the user mode in the remote process that executes the payload? I'm guessing it depends on the server and how the devs of that particular host app decided to implement Log4j? **To anybody who has ever noticed that the Linux norm of giving every context/app/process the weakest file mode (i.e. the 3 digit number you pass to chmod) that it could possibly get away with, and thought to themselves "...but is it really all that necessary?"** NOW YOU KNOW.
@carefreetraveller 2 years ago
Awesome!
@tonychase8405 2 years ago
It’s a lot to deal with, getting to everyone before the holidays.
@TheOriginalDJMrVee 2 years ago
Good vid.
@ziadfawzi 1 year ago
Thank you
@skepticalmind2260 2 years ago
Really strange design decision for a logger, it must be a well-designed backdoor.
@AmxCsifier 2 years ago
the feature request dates back to July 2013. Live overflow talked about it
@gg-gn3re 2 years ago
It's java, so it's definitely a feature
@AmxCsifier 2 years ago
@@gg-gn3re It depends on how you look at it
@AmxCsifier 2 years ago
@@LabGecko I was joking too. If you're a hacker, it's definitely a feature.
@ahr0cdovlzk3my1lahqtbmftdw7 2 years ago
Why is the jdk not in the repo?
@BinalfewKassa 2 years ago
The background music is loud, please avoid using it or lower the volume at least. Other than that, it's an awesome video!
@dalixman2754 2 years ago
Works fine when everything is on same vm..., not so much when you split it across 2. The exploit is trivial to attempt, but quite tricky to pull off.
@chigozie123 2 years ago
Don't you just love when a feature turns into a deadly bug? Feature creep at its finest!
@aquadir2830 2 years ago
What prevention actions are to be taken in network and security?
@mrgoatbeard 2 years ago
If the devs want to continue using log4j, v2.15+ disables the ability to run remote queries by default and just logs data unless you turn it back on... most apps though are just switching away from log4j core files. The only log4j files this affects are v2.0-2.14... had to do some research yesterday to harden a few things at work.
@syedoffice1966 2 years ago
Don't know how many similar vulnerabilities still exist but undiscovered by the majority..
@chigozie123 2 years ago
Someone correct me if I'm wrong, but this only works if you know the location of the JNDI server the application is using AND you know that the application logs arbitrary user input?
@shoebkhan6304 2 years ago
If you know the application is using Log4j for logging, the server is your server where you store the malicious code and the path to the server is forwarded to the application as an argument using JNDI
@imaitchoukow 2 years ago
great video, audio output is low
@shawngee1 1 year ago
Ghidra is not loading. Producing a JRE not found error. Any ideas? Have even placed JRE into the Ghidra folder.
@endlessoul 2 years ago
Time to don the Grey Hat
@BD90.. 2 years ago
That's interesting
@rywolf01 2 years ago
Reverse engineering at its best. Good video.
@salmankhan-yp7ti 2 years ago
I just wanna say thank you
@sundarraj6644 2 years ago
How to find the target java version someone?
@87vortex87 2 years ago
Pfff, been scanning multiple applications all week to check for this. Luckily none have public endpoints but still, I don't want to rely on other measures to be safe, and which I'm not the owner of.
@1995261josh 2 years ago
When I cloned the repository it didn't give me the jdk 1.8.0_20 folder and I'm having a hard time finding it outside.
@evanriggs1381 2 years ago
Same
@alexrivet1732 2 years ago
Go to the repository. It's all linked there
@pilgrim3541 2 years ago
this is actually easy to have survived this long
@onlyyou200548 2 years ago
if your app runs inside a kubernetes pod, does that app suffer from this kind of attack?
@mrgoatbeard 2 years ago
I would search up all your core files to look for any log4j-core files...if they are there and v2.0-2.14 then yes you are vulnerable to attack.
@danishnafis4985 2 years ago
One more point: if your application logs the user input directly then yes you are vulnerable to attack
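The jar inventory the two replies above describe, as an added example that is not code from the video or the demo repo: it walks a directory tree, reads the version from each log4j-core jar's `pom.properties`, checks whether `JndiLookup.class` is still inside (removing that class was the documented stop-gap for jars that could not be upgraded), and flags anything below 2.15.0, the first fixed release, matching the 2.0 to 2.14 range quoted above; raise `FIXED_IN` if you follow the later 2.16/2.17 advisories. The jars it scans are constructed fixtures written to a temp directory so the script runs offline; nested jars inside war/ear files are not unpacked.

```python
import os
import re
import tempfile
import zipfile

# Entries found inside a real log4j-core jar (standard Maven layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# First release with the Log4Shell fix; 2.16.0 went further (JNDI off by default,
# message lookups removed), so raise this when following the later advisories.
FIXED_IN = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' count as 2.0.0."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def inspect_jar(path, fixed_in=FIXED_IN):
    """Describe one jar; returns None when it is not log4j-core at all."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for raw in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    version = raw.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
    if version is None and not has_jndi:
        return None
    # An old version with JndiLookup.class stripped out is treated as mitigated.
    vulnerable = has_jndi and (version is None or parse_version(version) < fixed_in)
    return {"path": path, "version": version,
            "jndi_lookup_present": has_jndi, "vulnerable": vulnerable}


def scan_tree(root, fixed_in=FIXED_IN):
    """Return findings for every log4j-core jar below root (war/ear contents not unpacked)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, name), fixed_in)
                if info is not None:
                    findings.append(info)
    return findings


def make_fixture_jar(path, version, with_jndi_lookup=True):
    """Constructed test jar carrying only the entries the scanner keys on."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                                f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode


def demo():
    """Build a small tree of constructed jars, scan it, and map jar name -> verdict."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "app", "lib"))
    make_fixture_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_fixture_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    make_fixture_jar(os.path.join(root, "log4j-core-2.14.1-patched.jar"), "2.14.1",
                     with_jndi_lookup=False)
    with zipfile.ZipFile(os.path.join(root, "other-lib.jar"), "w") as jar:
        jar.writestr("com/example/Other.class", b"")  # unrelated jar, must be ignored
    return {os.path.basename(f["path"]): f["vulnerable"] for f in scan_tree(root)}


if __name__ == "__main__":
    for name, vulnerable in sorted(demo().items()):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {name}")
```

On a real host, call `scan_tree("/opt")` or the application's install directory instead of `demo()`; a scanner like this only sees jars on disk, so a container image or a fat jar that bundles log4j-core inside another archive needs the same check applied to its extracted contents.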
@jcamp9381 2 years ago
Are "we going to ahead and".... Shots every time he says it
@sreejachowdary8346 2 years ago
Can’t we do it on windows??
@hex3n 2 years ago
Hehe, I think it's funny that you're using Ghidra to demo this and it's also vulnerable to Log4Shell :-)
@kishorebolt3065 2 years ago
Nice
@itschriscash 2 years ago
Would be nice if you actually showed you using the reverse shell and executing commands.
@masskiller9206 1 year ago
dude .... it's a shell... you just run any commands... figure it out
@MarsTheProgrammer 2 years ago
Can't get this to work on my current java version 11, it wants 1.8... I forgot how much java sucks! Haven't used it since university.
@ashlermusic 2 years ago
I am in the same situation, did you finally succeed to reproduce this POC ?
@jamespruett27 2 years ago
what human put that code in github?
@theys6837 2 years ago
I Luv Hak5
@ericdere 2 years ago
That is the S from SOLID
@agrodpodnk7054 2 years ago
Scary thing is you can just literally execute ransomware just with java through an old version of Minecraft Java Edition tbh isn’t log4j made out of java
@StrokeMahEgo 2 years ago
Time to hack the Mars rover
@baolamnguoi7181 2 years ago
I'll use this for good if I can
@guidoms7 2 years ago
Hello, I am trying to work on this but I never get the reverse shell, any idea? Never creates the connection back... any help would be highly appreciated.
@Roelox 2 years ago
The script is updated and doesn't work anymore with ghidra (I think). Check my video, maybe it can help u.
@guidoms7 2 years ago
@@Roelox do you have a new video? Is it possible to post in your blog the version that you used in the video? Thank you very much in advance
@Roelox 2 years ago
@@guidoms7 What do you mean by "version"? U can just follow the steps in the video and it should work. The link of github and java are in description.
@guidoms7 2 years ago
@@Roelox yeah I tried, but it did not work, it does not connect to nc, it is to create a demo for a local group but in Spanish
@Roelox 2 years ago
@@guidoms7 U got Discord?
@tensai235 2 years ago
The thing is many RCEs might be out there that hackers are using and it's still not known to the MNC
@allegro1355 2 years ago
I bet this loophole was in use for a long long period of time and your personal information has been exposed to the bad guys. Just imagine your personal data, bank information, your internet activities, and etc.
@RJSF9 2 years ago
I broke the Java sandbox in a browser almost 20 years ago and barely knew what I was doing. I wanted access to the file system to read and write files and managed to do it by spawning a new thread which called back into the main process. Which somehow broke the sandbox security. Wonder how many other simple exploits are in the wild today.
@gg-gn3re 2 years ago
there were no sandboxed browsers & applets back then so no you didn't.
@hellosunny 2 years ago
China gov just punished Alibaba team for reporting this vulnerability to Apache without its approval. All the open sources will face more stress on protecting their integrity.
@joy_6.9 2 years ago
👍🏻🗡️
@amirajallouli7610 2 years ago
Why doesn't RU-vid take down your videos? After all, you make very advanced hacking videos :o
@renditionsofthefuture8815 2 years ago
Wow
@DO-fb5gb 2 years ago
I do not think ghidra is a local hosted server. I have been reading up on it and it is a public server.. almost executed the vuln on it...
@buckduff6003 2 years ago
dang my guy almost got 5 stars hacking the NSA
@DO-fb5gb 2 years ago
@@buckduff6003 hahaha yeah but actually bro, I spoke to someone with 10+ years of experience and was informed that ghidra actually runs on a local system... Ghidra description on their website is just confusing...
@christophmahler 2 years ago
*Why would a login form execute code* ? Unless it is 'not a bug, but a feature', _intended_ for that exact purpose of providing a comfortable *'backdoor'* to sensible user information, expecting the widespread integration of the shell in servers around the globe.
@danishnafis4985 2 years ago
This vulnerability only affects those applications which are logging the user input directly
@christophmahler 2 years ago
@@danishnafis4985 "(...) *logging* the user input _directly_ (...)" Thanks for reply. Still, a user input form that acts de facto like a commandline doesn't look random, even if it is the effect of linking some other library or program for logging - what's the purpose of *_logging user input_* , anyway - if a form is either filled with _a proper input_ or otherwise it would simply trigger no reaction ?... It's like writing most simple code, but _design_ other functions than just to 'echo' or 'print' inputs unto the screen - is it not ? (one would have to look into the respective source code)... I assume the _abstraction_ level of cross-platform JAVA plays into that kind of obscurantism.
@dhanrajbharadwaj3891 2 years ago
Hey, please can you answer my few questions?
@rRobertSmith 2 years ago
Making reserved words in chat a simple cure?!
@janrynkevic377 2 years ago
I feel like I want to test this on some android phone
@The_One_0_0 2 years ago
Not smart lol
@kaigokumikanamo16 2 years ago
When I have that design on my computer... I'm going to jail even if I don't hack
@cuzzywuzzyfuzzy 2 years ago
Is this beyond the average cyber security graduate?
@JarppaGuru 2 years ago
name already says why it is there. why log and let log run code what it was login. lol. I don't get it
@patrickbick2064 2 years ago
I wish someone would hit area 51 with this :p
@Zmiggy77 2 years ago
If I understand this well, then it's actually not possible to hack a decent Web application. You can do this just on your laptop or on applications that have ZERO security measures. Could anyone explain how would you exploit a Java application that does not have an LDAP with malware on the same server where the application is running and if the application is running in a private subnet, behind firewalls or security groups? If my firewall/security group/NACL doesn't allow any outbound connection from the application to the Internet, then you can't really connect to anywhere using this hack and you can't install any malicious software on my server. I don't understand what kind of important applications are deployed on a Public network, with all outbound traffic to all ports and protocols allowed, and preferably the application is a full stack one. If your application is like that, if it is not secured at all, then log4j is your least problem actually. You have much bigger vulnerabilities then... I don't get this global panic about log4j... Or is it that I didn't get it at all? :)
@shibbyshaggy 2 years ago
I agree. I have yet to see a local window attack that running Java get an RCE. I think all this hype is for Minecraft. maybe a new game is going to be released soon. all these videos ppl post are just impractical in the real world or on a LAN where Java runs on everyone's laptop/PC. show that stuff. not this minecraft server crap.
@StrokeMahEgo 2 years ago
@@shibbyshaggy caves, cliffs, and log4j
@HomePremium-lh3hm 3 months ago
5:41
@sreejachowdary8346 2 years ago
Please reply fast I have a presentation and I chose this
@buckduff6003 2 years ago
Buck's here, what are we doing cowboy
@allthecommonsense 2 years ago
@@buckduff6003 lol
@unknown_3293 2 years ago
It's not illegal if you don't get caught
@Bm23CC 2 years ago
It's a feature added in 2013 not a hack.
@ryanr780 2 years ago
Lol if users complain tell them it's a feature
@tamilhuntergaming6094 2 years ago
Pegasus hacking video bro
@Rick-jf2ig 2 years ago
You know Pegasus isn't just available right? That's restricted stuff.
@mrbruh6687 2 years ago
@@Rick-jf2ig oh well I'm sure you can find it somewhere I know the malware zoo at least has a sample of it and the apk
@midimusicforever 2 years ago
This is too easy.
@linguadesogra5287 2 years ago
ahahaha...epic ending
@ChunkyChest 2 years ago
I'm patched /o/
@JuanBotes 2 years ago
\o/
@_itscrisp 2 years ago
Killing is bad and wrong. There should be a new word. Killing is Badong
@dustinkrejci6142 2 years ago
learn java they said... whyyyyy?
@mmm6231 2 years ago
Pashmam
@buckduff6003 2 years ago
LET'S SEE THE BOIS 🦶🦶👁👄👁
@abwasserkapitan4178 2 years ago
I abused the information in this video to get access to many systems
@EloyVeit 2 years ago
Let's hack the Mars Rover
@LecherousCthulhu 2 years ago
first
@drekenproductions 2 years ago
good thing nothing uses java
@zach4505 2 years ago
wow, script kiddies got Christmas early.
@danielmccann4055 2 years ago
Possibly, only possibly mind you, you may need to see a doctor. You appear to have swelling at the base of your neck. Probably not a serious thing but maybe get it checked anyway. Could just be a camera angle thing.
@buckduff6003 2 years ago
Are you a doctor?
@unknownpubg1337 1 year ago
I hack youtuber on 2b2t