From 4a230a9a614595440f88968301c645f3e2a3ceca Mon Sep 17 00:00:00 2001 From: tothi Date: Fri, 4 Feb 2022 23:37:25 +0100 Subject: [PATCH] add portable fat jar support --- README.md | 34 ++++++++++++++++++++++++++- build.gradle | 22 +++++++++++++++++ src/main/java/dvl4wa/VulnServlet.java | 2 +- tomcat.xml | 10 -------- 4 files changed, 56 insertions(+), 12 deletions(-) delete mode 100644 tomcat.xml diff --git a/README.md b/README.md index 13a4607..9254ba9 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,8 @@ Gradle wrapper should solve everything. Simply git clone the repo: git clone https://github.com/tothi/log4shell-vulnerable-app ``` +### running with gradle wrapper + And in the project dir with the file [build.gradle](./build.gradle), simply run: @@ -27,7 +29,37 @@ or on Windows platform: .\gradlew.bat appRun ``` -(JDK is needed.) +JDK is needed. Versions 8 and 11 were tested and are working, 17 seems to +have issues. + +### building a portable fat jar + +This method builds a one-file portable fat JAR including an embedded +Tomcat server. + +Simply run the gradle wrapper with the configured `shadowJar' task: + +``` +./gradlew shadowJar +``` + +or on Windows platform: + +``` +.\gradlew.bat shadowJar +``` + +The compiled and packages JAR file will be built in the folder `./build/libs`. + +It is portable and can be launched using JRE: + +``` +java -jar ./build/libs/log4shell-vulnerable-app-all.jar +``` + +The all-in-one portable JAR is available on the [releases page](https://github.com/tothi/log4shell-vulnerable-app/releases) here in the repo. + +### interacting with the vulnerable application The vulnerable application should listen on _all_ interfaces by default (DANGEROUS behavior if you run it on a production box). diff --git a/build.gradle b/build.gradle index 8e3493a..7ed1e08 100644 --- a/build.gradle +++ b/build.gradle 
@@ -1,6 +1,8 @@ plugins { id "war" id "org.gretty" version "3.0.5" + id "com.github.johnrengelman.shadow" version "7.1.2" + id "java" } sourceCompatibility = "1.8" @@ -12,9 +14,29 @@ repositories { dependencies { implementation 'org.apache.logging.log4j:log4j-core:2.14.1' + if (project.gradle.startParameter.taskNames.first().contains("shadow")) { + implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:8.5.75' + } } gretty { contextPath = 'app' servletContainer = 'tomcat85' } + +sourceSets { + main { + java { + srcDir 'src' + if (!project.gradle.startParameter.taskNames.first().contains("shadow")) { + exclude '**/launch/**' + } + } + } +} + +jar { + manifest { + attributes('Main-Class': 'launch.Main') + } +} diff --git a/src/main/java/dvl4wa/VulnServlet.java b/src/main/java/dvl4wa/VulnServlet.java index 41e24aa..04bb327 100644 --- a/src/main/java/dvl4wa/VulnServlet.java +++ b/src/main/java/dvl4wa/VulnServlet.java @@ -12,7 +12,7 @@ public class VulnServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException { - Logger logger = LogManager.getLogger(); + Logger logger = LogManager.getLogger(VulnServlet.class); try { Map headers = Collections.list(req.getHeaderNames()).stream().collect(Collectors.toMap(h -> h, req::getHeader)); res.setContentType("text/plain; charset=utf-8"); diff --git a/tomcat.xml b/tomcat.xml deleted file mode 100644 index 1784512..0000000 --- a/tomcat.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - - - - - -
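Review bot: `project.gradle.startParameter.taskNames.first()` in the `dependencies` block, and again in the new `sourceSets` block, throws on an empty list, so an invocation with no task name (an IDE sync or a bare `./gradlew`) fails at configuration time. It also inspects only the first task, so `./gradlew clean shadowJar` would build the fat jar without `tomcat-embed-jasper` and with `launch/**` excluded. Computing the flag once near the top, `def shadowBuild = gradle.startParameter.taskNames.any { it.contains("shadow") }`, and then using `if (shadowBuild)` and `if (!shadowBuild)` in the two places covers both cases. The `Main-Class` entry points at `launch.Main`, which is not part of this patch, so that it exists in the tree is an assumption to confirm.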
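Review bot: The logger is still looked up inside `doGet`, so `LogManager.getLogger(VulnServlet.class)` runs on every request; the usual Log4j 2 form is a class-level field, `private static final Logger logger = LogManager.getLogger(VulnServlet.class);`. The explicit class argument also deserves a one-line comment saying it is deliberate, for example `// explicit class: caller lookup used by getLogger() is unreliable in the shaded jar`, so a later cleanup does not revert it. That reason is inferred from the commit subject and should be confirmed by the author. `doGet` continues past the end of the hunk, so the rest of its body was not reviewed.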