jdcrowe

Log4j search

Dec 14th, 2021
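  <#
      RUN AS ADMIN!

      .SYNOPSIS
      Get-Log4shellVuln.ps1 scans all single-letter drives for log4j jar files and inspects each jar to determine whether it is exposed to the #log4shell (CVE-2021-44228) vulnerability.
      .DESCRIPTION
      Searches every drive for files named log4j*.jar, reads META-INF/MANIFEST.MF from each one and flags the jar when its Implementation-Version is 2.x with a minor version below 15.
      Writes the status of each file to the console, followed by one overall result.
      Records the list of jar files in log4j.csv, the manifest versions in log4j-manifest.csv, and every JndiLookup.class entry in log4j-jndi.csv.
      Requires .NET Framework 4.5 or later (System.IO.Compression.ZipFile).
      .NOTES
      Coverage limits to keep in mind when reading the result:
      - Only files whose name matches log4j*.jar are examined. Copies that are renamed, shaded into another jar, or nested inside a .war/.ear/fat jar are not found.
      - Directories that cannot be read are skipped silently, so run elevated and treat a clean result as "nothing found", not as proof of absence.
      - The version verdict is based on the manifest alone; it does not take the JndiLookup.class check into account.
      - The 2.15 cutoff is the one this script was written for; confirm the currently recommended fixed version against the vendor advisory before closing a finding.
  #>

  Add-Type -AssemblyName System.IO.Compression
  Add-Type -AssemblyName System.IO.Compression.FileSystem

  $logFolder = 'C:\'
  # Join-Path avoids the doubled backslash that "$logFolder\name" produces when the folder already ends in "\".
  $log4jCsv = Join-Path $logFolder 'log4j.csv'
  $manifestCsv = Join-Path $logFolder 'log4j-manifest.csv'
  $jndiCsv = Join-Path $logFolder 'log4j-jndi.csv'
  $log4Filter = 'log4j*.jar'

  # Single-letter drive names are the drive letters; mapped network drives are included.
  # -ErrorAction SilentlyContinue is deliberate best effort: unreadable directories are skipped (see .NOTES).
  $jarFiles = @(Get-PSDrive |
      Where-Object { $_.Name.Length -eq 1 } |
      Select-Object -ExpandProperty Root |
      Get-ChildItem -File -Recurse -Filter $log4Filter -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty FullName)

  # Export-Csv on bare strings writes only their Length property, so wrap each path in an object first.
  $jarFiles |
      Select-Object @{ Name = 'FullName'; Expression = { $_ } } |
      Export-Csv -Path $log4jCsv -NoTypeInformation

  # Overall verdict, in order of precedence: "Vulnerable" > "Jndi class exists" > "Jndi class not found".
  $global:result = $null

  foreach ($jarFile in $jarFiles) {
      Write-Output $jarFile

      try {
          $zip = [System.IO.Compression.ZipFile]::OpenRead($jarFile)
      }
      catch {
          # A locked, truncated or non-zip file must not stop the scan of the remaining jars.
          # The jar is reported and left out of the verdict rather than counted as clean.
          Write-Warning "Could not open ${jarFile}: $($_.Exception.Message)"
          continue
      }

      try {
          # Pass 1: record every JndiLookup.class entry found in this jar.
          foreach ($entry in ($zip.Entries | Where-Object { $_.Name -like 'JndiLookup.class' })) {
              # NOTE: the line is built by concatenation, so a path containing a comma yields an extra CSV column.
              $output = "$($jarFile.ToString()),$($entry.FullName)"
              Write-Output $output
              $output | Out-File -Append $jndiCsv
              # A clean jar seen earlier must not hide this finding; only "Vulnerable" outranks it.
              if ($global:result -ne 'Vulnerable') { $global:result = 'Jndi class exists' }
          }

          # Pass 2: read the manifest and compare its Implementation-Version with the 2.15 cutoff.
          foreach ($manifest in ($zip.Entries | Where-Object { $_.FullName -eq 'META-INF/MANIFEST.MF' })) {
              # Read the entry straight from the archive; no fixed-name scratch file in the drive root is needed.
              $reader = New-Object System.IO.StreamReader($manifest.Open())
              try {
                  $manifestLines = $reader.ReadToEnd() -split "`r?`n"
              }
              finally {
                  $reader.Dispose()
              }

              $implementationVersion = $manifestLines |
                  Where-Object { $_ -like 'Implementation-Version: *' } |
                  Select-Object -First 1
              if (-not $implementationVersion) {
                  # Without a version line there is nothing to compare; say so instead of failing on $null.
                  Write-Warning "No Implementation-Version in the manifest of ${jarFile}"
                  continue
              }

              Write-Output $implementationVersion
              "$($jarFile.ToString()),$($implementationVersion.ToString())" | Out-File -Append $manifestCsv

              $version = $implementationVersion.Replace('Implementation-Version: ', '').Trim()
              if ($version -match '^(\d+)\.(\d+)') {
                  $major = [int]$Matches[1]
                  $minor = [int]$Matches[2]
                  # Compare the minor component as a number. Applying -lt to the whole split array filters its
                  # elements as strings, which reported releases at or above 2.15 with a patch number of 0 or 1
                  # (for example 2.15.0) as vulnerable.
                  if ($major -eq 2 -and $minor -lt 15) {
                      Write-Output "log4shell vulnerability exists"
                      $global:result = "Vulnerable"
                  }
              }
              else {
                  Write-Warning "Unrecognised version '$version' in ${jarFile}; review this jar manually"
              }
          }
      }
      finally {
          # Release the file handle even if an entry could not be read.
          $zip.Dispose()
      }

      if ($null -eq $global:result) { $global:result = "Jndi class not found" }
  }

  Write-Output "Result: $global:result"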