Share this page!

Aaditya Purani Profile picture
Twitter logo
13 Dec, 5 tweets, 3 min read
How to attack any JDK version for log4j "without" guessing classpath on server?

Try to exfiltrate the class path using ${sys:java.class.path} or ${env:CLASSPATH}.

What if it fails? Don't forget java. net.URL is serializable! You can bruteforce ClassName

github.com/BishopFox/Gadg…
So, the idea is to retrieve the remote Java ClassPaths using GadgetProbe.

It is trivial to create a serializable payload by iterating through commonly used classname signatures and use github.com/pimps/JNDI-Exp… to serve it.

This way you will know libraries used on classpath
But what if the remote server uses a library on classpath whose gadget chain is not present on YSOSerial?

Two things are possible
1.) Manual audit the library to find Gadget (Refer: synacktiv.com/publications/f… )

2.) Automate Gadget Discovery - github.com/JackOfMostTrad…

#log4shell
Also, a deserialization gadget in latest JRE version or log4j-core cannot be taken out of the equation.

That'd make this universal.

Similar to gist.github.com/frohoff/24af79…

github.com/frohoff/ysoser…
For those who are catching up - GadgetProbe utilizes this same fact as the tweet below. Also, this has been known to be weaponized since a long time. There is also a URLDNS payload in YSOSerial.

This can be also used to brute-leak remote classpath used for log4j.

#log4shell

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Aaditya Purani

Aaditya Purani Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @aaditya_purani

Aaditya Purani Profile picture
18 Dec
Is anyone able to reliably "crash/kill" the application completely using this log4j DoS hype ride?

So far I'm yet to reproduce a weaponizable damage outside of denying logging. (IllegalStateException) 🤔

Expansion payload (10k reps or more) will do StackOverflow exception (1/n)
Along with @0xsapra , we reproduced it against 2.14 giving it the priority as it has lookups enabled by default.

To weaponize, the goal was to kill/crash the app not just throw Exception.

We tried multiple payload deliveries-
1.) GET request (max size 2048):
Payload used was
"${" + "${::-"*300 + "$${::-j}" + "}"*300 + "}"

No Lags, No Exception, App continues normally.

2.) Headers (Tomcat max size 8k - 48k):

Payload: "${" + "${::-"*8000 + "$${::-j}" + "}"*8000 + "}"

1 sec lag, SO exception, App continues normally.

3.) POST (Tomcat default 2MB)
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @aaditya_purani has new unrolls!

Check out other threads from @aaditya_purani!

Read all threads by @aaditya_purani

:(