Merge pull request #375 from snyk-labs/optimise_mvn_exec

specified exec plugin in pom file with startup class
snyk-labs · Jan 4, 2022 · 4e4ca88 · 4e4ca88
2 parents cbdcf59 + 02864c9
commit 4e4ca88
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/log4shell-goof/README.md b/log4shell-goof/README.md
@@ -41,7 +41,7 @@ Java class that will be deserialized and executed.
 
 The HTTP server listens on port `8000` and responds to any request with a byte array that is the `Evil.class`.
 
-`Evil` implements `ObjecFactory` which the JNDI mechanism hooks into to execute its `getObjectInstance` method. While
+`Evil` implements `ObjectFactory` which the JNDI mechanism hooks into to execute its `getObjectInstance` method. While
 the method simply returns `null`, it uses `Runtime` to execute arbitrary code on the host machine. In this case, it
 writes to a file called: `/tmp/pwned` to prove that it _could_ execute basically anything available on the machine.
 
@@ -51,7 +51,7 @@ Open a terminal window and run the following:
 
 ```
 cd log4shell-server
-mvn exec:java -Dexec.mainClass="Server"
+mvn exec:java
 ```
 
 You should see output that looks like the following:
@@ -67,7 +67,7 @@ In another terminal window, run the following:
 ```
 cd log4shell-client
 JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \
-mvn exec:java -Dexec.mainClass="Main"
+mvn exec:java
 ```
 
 **NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions.

diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml
@@ -31,4 +31,18 @@
       <version>2.14.1</version>
     </dependency>
   </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.0.0</version>
+        <configuration>
+          <mainClass>Main</mainClass>
+          <cleanupDaemonThreads>false</cleanupDaemonThreads>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
 </project>
diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml
@@ -47,6 +47,15 @@
           </descriptorRefs>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.0.0</version>
+        <configuration>
+          <mainClass>Server</mainClass>
+          <cleanupDaemonThreads>false</cleanupDaemonThreads>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 </project>