@perryflynn
Last active January 21, 2022 19:32
Find log4j for CVE-2021-44228 (Log4Shell) in several places: local ext3/ext4 filesystems, running Docker containers, and Windows NTFS volumes. Each script reports files whose zip listing contains classes under org/apache/log4j/ (log4j 1.x) or org/apache/logging/log4j/ (log4j 2.x); it does not tell you the version, so every hit still needs triage.
Repo: https://github.com/perryflynn/find-log4j
#!/bin/bash
# Finds log4j resources on local ext3/ext4 filesystems
# by Christian Blechert <[email protected]>
# ATTENTION! It only checks ext3 + ext4 filesystems right now!
# Extend the -fstype list below if you use something else (xfs, btrfs, ...)
# Repo: https://github.com/perryflynn/find-log4j
#
# Only *.jar files are inspected: .war/.ear archives and jars nested
# inside other jars (fat jars) are not opened, so check those separately.

while read -u 3 -r JAR
do
    # trim leading/trailing whitespace and skip empty lines
    JAR=$(echo "$JAR" | sed 's/^[[:blank:]]*//;s/[[:blank:]]*$//')
    if [ -z "$JAR" ]; then
        continue
    fi

    # unzip -l prints "Length Date Time Name" rows; keep the Name column and
    # count entries that live under the log4j 1.x or 2.x package paths
    NUM=$(unzip -l "$JAR" 2> /dev/null | grep -P "^\s+[0-9]+\s+[0-9-]+\s+[0-9:]+\s+.+" | awk '{print $4}' | grep -P 'org/apache/(log4j|logging/log4j)' | wc -l)
    if [ "$NUM" -gt 0 ]; then
        echo "$JAR"
    fi
done 3<<< "$(find / \( -fstype ext4 -or -fstype ext3 \) -type f -name "*.jar" 2> /dev/null)"
# eof
#!/bin/bash
# Finds log4j resources in running docker containers
# by Christian Blechert <[email protected]>
# Repo: https://github.com/perryflynn/find-log4j
#
# Needs a `find` binary inside each container (docker exec); minimal or
# distroless images without it will simply produce no results. Only running
# containers are checked, not stopped containers or unused images.

# one host-side temp file for the jar copies, removed on exit
TMPJAR=$(mktemp --suffix=.jar)
trap 'rm -f "$TMPJAR"' EXIT

while read -r CONTAINER
do
    CONTAINER=$(echo "$CONTAINER" | sed 's/^[[:blank:]]*//;s/[[:blank:]]*$//')
    if [ -z "$CONTAINER" ]; then
        continue
    fi

    while read -u 3 -r JAR
    do
        JAR=$(echo "$JAR" | sed 's/^[[:blank:]]*//;s/[[:blank:]]*$//')
        if [ -z "$JAR" ]; then
            continue
        fi

        # copy the jar out of the container and inspect its zip listing on the host
        rm -f "$TMPJAR"
        docker cp "$CONTAINER:$JAR" "$TMPJAR" 2> /dev/null || continue
        NUM=$(unzip -l "$TMPJAR" 2> /dev/null | grep -P "^\s+[0-9]+\s+[0-9-]+\s+[0-9:]+\s+.+" | awk '{print $4}' | grep -P 'org/apache/(log4j|logging/log4j)' | wc -l)
        if [ "$NUM" -gt 0 ]; then
            echo "$CONTAINER @ $JAR"
        fi
    done 3<<< "$(docker exec -u root "$CONTAINER" find / -type f -name "*.jar" 2> /dev/null)"
done <<< "$(docker ps --format '{{.Names}}')"
# eof
# Finds log4j resources on Windows machines
# by Christian Blechert <[email protected]>
# Repo: https://github.com/perryflynn/find-log4j
#
# Walks every NTFS volume that has a drive letter and opens each *.jar as a
# zip archive; a jar is reported when it contains entries under
# org/apache/log4j/ (log4j 1.x) or org/apache/logging/log4j/ (log4j 2.x).

Add-Type -AssemblyName "System.IO.Compression.FileSystem"

Get-WmiObject Win32_Volume |
    Where-Object { $_.FileSystem -match "ntfs" -and $_.Name -match "^[A-Z]:" } |
    Sort-Object { $_.Name } |
    ForEach-Object {
        Get-ChildItem $_.Name -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.jar$' } |
            Select-Object -ExpandProperty FullName |
            ForEach-Object {
                $jar = $_
                $zip = $null
                try {
                    $zip = [IO.Compression.ZipFile]::OpenRead($jar)
                    # @(...).Count rather than .Length: with exactly one matching entry,
                    # .Length is that ZipArchiveEntry's uncompressed size, which is 0 for
                    # a directory entry and would hide the hit
                    $containsLog = @($zip.Entries |
                        Where-Object { $_.FullName -match "^org/apache/(log4j|logging/log4j)" }).Count
                    if ($containsLog -gt 0) {
                        Write-Host "$($jar)"
                    }
                } catch {
                    # not a readable zip archive (corrupt jar, locked file): skip it
                } finally {
                    # release the file handle, otherwise every opened jar stays locked
                    if ($zip) { $zip.Dispose() }
                }
            }
    }
# eof
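The three scripts above answer "which archives contain log4j classes?" but not "is this one exploitable?". The added example below is not part of the gist or the find-log4j repo; it is the per-archive triage step a responder runs on the hits (a mounted filesystem, a `docker export`, a copied directory). It is written in Python with the stdlib zipfile module instead of bash so that it needs no unzip binary and can recurse into nested archives, which the scripts above skip: jars inside .war/.ear/fat jars are inspected too and reported as "outer!inner" paths. For log4j 2.x it reads the log4j-core version from the bundled Maven pom.properties and checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, since deleting that class was the documented mitigation for CVE-2021-44228. The version thresholds follow the Apache advisory for CVE-2021-44228 (fixed in 2.15.0, and in the 2.12.2 and 2.3.1 backports); "fixed" here means only that the 44228 fix is in, not that later log4j CVEs are addressed. Everything under `fake_core_jar` and `demo` is a constructed fixture, not a real artefact.

```python
# Added example, not the gist's code: per-jar triage for CVE-2021-44228 using the
# stdlib zipfile module (recurses into nested archives; constructed fixtures below).
import io
import os
import re
import tempfile
import zipfile
from collections import namedtuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
LOG4J_V1 = "org/apache/log4j/"           # log4j 1.x (also the 2.x log4j-1.2-api bridge)
LOG4J_V2 = "org/apache/logging/log4j/"   # log4j 2.x
JNDI_LOOKUP = LOG4J_V2 + "core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# path is "outer.war!WEB-INF/lib/inner.jar" when the hit sits inside a nested archive
Finding = namedtuple("Finding", "path v2_entries jndi_lookup version")


def version_from_pom(zf: zipfile.ZipFile):
    """Maven-built log4j-core jars carry pom.properties with a version= line; None if absent."""
    if POM_PROPS not in zf.namelist():
        return None                      # shaded/repackaged jar: no Maven metadata
    m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
    return m.group(1).strip() if m else None


def numeric(version: str):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def classify(f: Finding) -> str:
    """Triage label for CVE-2021-44228 (the JNDI lookup RCE in log4j 2.x).  Thresholds
    follow the Apache advisory: fixed in 2.15.0, 2.12.2 (Java 7) and 2.3.1 (Java 6)."""
    if f.v2_entries == 0:
        return "log4j-1.x"               # only org/apache/log4j/ classes: not this CVE
    v = numeric(f.version) if f.version else None
    if v is None:
        return "unknown-version" + ("-jndi-present" if f.jndi_lookup else "")
    if v >= (2, 15, 0) or (v[:2] == (2, 12) and v >= (2, 12, 2)) \
            or (v[:2] == (2, 3) and v >= (2, 3, 1)):
        return "fixed"
    return "vulnerable" if f.jndi_lookup else "mitigated"   # JndiLookup.class removed


def scan_archive(zf: zipfile.ZipFile, path: str, out: list, depth: int = 0) -> None:
    """Record a Finding if this archive holds log4j classes, then recurse into nested
    archives (the depth bound guards against zip bombs and self-nesting archives)."""
    names = zf.namelist()
    if any(n.startswith((LOG4J_V1, LOG4J_V2)) for n in names):
        out.append(Finding(path, sum(n.startswith(LOG4J_V2) for n in names),
                           JNDI_LOOKUP in names, version_from_pom(zf)))
    if depth >= 3:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{path}!{name}", out, depth + 1)
            except (zipfile.BadZipFile, KeyError):
                continue                 # entry named like an archive but is not one


def scan_tree(root: str) -> list:
    """Walk a directory (a mounted filesystem, a docker export, ...) for archives."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        for fn in (f for f in filenames if f.lower().endswith(ARCHIVE_SUFFIXES)):
            full = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(full) as zf:
                    scan_archive(zf, os.path.relpath(full, root).replace(os.sep, "/"), out)
            except (zipfile.BadZipFile, OSError):
                continue                 # not a zip or unreadable: skip, as the gist does
    return out


def fake_core_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed fixture: a minimal log4j-core-like jar, not a real artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(LOG4J_V2 + "core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def demo() -> dict:
    # constructed fixtures: a vulnerable jar nested in a war, a JndiLookup-stripped
    # copy, a fixed 2.17.1 jar, and a non-zip file with a .jar name
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "app"))
        with zipfile.ZipFile(os.path.join(root, "app", "shop.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_core_jar("2.14.1"))
        files = {"app/log4j-core-2.14.1-patched.jar": fake_core_jar("2.14.1", False),
                 "log4j-core-2.17.1.jar": fake_core_jar("2.17.1"),
                 "not-a-zip.jar": b"this is not a zip file"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return {f.path: classify(f) for f in scan_tree(root)}
```

Run `scan_tree("/")` (or on a `docker export` tree) and print `classify(f)` next to `f.path` for each finding; the nested path in `demo()`'s output ("app/shop.war!WEB-INF/lib/log4j-core-2.14.1.jar") is exactly the kind of hit the `find -name "*.jar"` scripts above cannot see, because the outer file is a .war and the log4j classes are one zip level down. A jar without pom.properties (shaded or vendor-repackaged) is reported as unknown-version; treat the "-jndi-present" variant as vulnerable until proven otherwise.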