This is a proof-of-concept exploit that demonstrates the Log4Shell problem in Java. Read more about the problem in this article.
The exploit was tested with Java 8u111. JDK versions greater than 6u211, 7u201, 8u191 and 11.0.1 do not seem to be affected.
Important: In this example the Java source file and the compiled class are part of the project, so the class is also available on the classpath. That is why this type of RCE via deserialization also works on newer Java versions, where the remote codebase is no longer trusted by default. You can change this by removing Evil.java from the project.
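A defender-side check derived from the version thresholds above, added here as an example and not code from this repository: it parses java.version values, `java -version` lines or the README's `8u191` shorthand and flags JDKs that still load classes from a remote LDAP/RMI codebase by default. It assumes the listed builds are the first ones shipping the safer default, and, as the note above says, a version check cannot catch the variant where the class is already on the classpath.

```python
import re

# First build in each JDK family that stops trusting remote codebases by
# default (com.sun.jndi.ldap.object.trustURLCodebase=false). Thresholds are
# the ones listed in the README; the threshold builds themselves are taken to
# already ship the safer default (an assumption made by this example).
SAFE_DEFAULT_SINCE = {6: (211,), 7: (201,), 8: (191,), 11: (0, 1)}

# Matches '1.8.0_111', '11.0.1', '11.0.1+13' and the shorthand '8u191'.
VERSION_RE = re.compile(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[_u](\d+))?')


def parse_java_version(text):
    """Return (family, update) for a version string or a 'java -version' line.

    '1.8.0_111' -> (8, (111,)); '8u191' -> (8, (191,)); '11.0.1' -> (11, (0, 1)).
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    major, minor, patch, update = (int(g) if g else 0 for g in m.groups())
    if major == 1:                 # legacy numbering: 1.<family>.0_<update>
        return minor, (update,)
    if update:                     # shorthand used in release notes: <family>u<update>
        return major, (update,)
    return major, (minor, patch)   # new numbering: <family>.<interim>.<update>


def trusts_remote_codebase_by_default(text):
    """True if this JDK predates the fix and fetches classes from a codebase URL."""
    family, update = parse_java_version(text)
    if family in SAFE_DEFAULT_SINCE:
        return update < SAFE_DEFAULT_SINCE[family]
    # 9 and 10 reached end of life before the change; 12 and later inherit the fix.
    return family < 11


def hosts_with_old_default(report):
    """Filter a (host, version string) inventory down to hosts needing attention."""
    return [host for host, version in report if trusts_remote_codebase_by_default(version)]


# Constructed sample inventory (not real hosts), as collected from `java -version`.
SAMPLE_REPORT = [
    ("build-01", 'java version "1.8.0_111"'),           # the README's test JVM
    ("build-02", 'java version "1.8.0_191"'),
    ("app-01", 'openjdk version "11.0.1" 2018-10-16'),
    ("app-02", 'openjdk version "17.0.2" 2022-01-18'),
    ("legacy-01", 'java version "1.7.0_80"'),
]

if __name__ == "__main__":
    for host in hosts_with_old_default(SAMPLE_REPORT):
        print(f"{host}: JDK still trusts remote codebases by default")
```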
Note: The LDAP server is copied from the marshalsec project by Moritz Bechler.
Evil.class was compiled with Java 8u111 and contains the command that opens Calculator on macOS.
You can change this by editing Evil.java and recompiling it with javac Evil.java.
- Serve Evil.class via HTTP:
  cd <projectdir>/src/main/java
  serve -port 8000