Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Overview

Log4j2 Vulnerability Local Scanner (CVE-2021-45046)

Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服务器。

Scan all java processes on your host to check whether it's affected by log4j2 remote code execution(CVE-2021-45046), then upload the report to your api server.

Works under python2.7 / 2.6 / 3.x, no extra lib required.

扫描逻辑

  1. 遍历主机上的java进程
  2. 遍历java进程打开的jar包
  3. 查找log4j-core-* jar包
  4. 递归解压其他 jar包,查找log4j-core-* jar包
  5. 在log4j-core jar包中,查找JndiLookup.class
  6. 找到JndiLookup.class后,根据其版本号 、jvm参数、OS环境变量、是否docker容器进程、k8s进程,输出是否存在漏洞,输出升级提示
  7. 上传扫描结果到指定的服务器

How It Works

  • Find all java process on the host
  • Find all jar files open by the java process
  • Search for log4j-core-*.jar
  • Recursively unzip other jar files,search for log4j-core-*.jar
  • Search for JndiLookup.class in log4j-core-*.jar
  • Once JndiLookup.class found,output some tips based on its version 、jvm args、OS env args、is docker container、is k8s
  • Upload full report to your api server

稳定机制

  • 递归:递归解压缩jar包,最多不超过5层
  • 内存:每次解压都检测自身内存占用,至多不超过200MB。超过则跳过扫描,上报部分结果和内存错误
  • 网络:扫描结束后,随机sleep 0~10秒,假设1万主机,则每秒上报的服务器大约只有1000台

批量扫描

可以集成到Agent,或者下发该扫描脚本一次性执行。也可以运维机登入,一键全网扫描。

You can use the script as a module by your agent, or deliver and run it only once.

Those who don't have an easy to use agent can run command below on your OPS server.

./logs.txt||exit 0'">
cat hosts.txt|xargs -P 5 -I{} sh -c 'ssh root@{} -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null "wget http://your_site/to_download/log4j2_vul_scanner.py -O /tmp/log4j2_vul_scanner.py -q && python /tmp/log4j2_vul_scanner.py && /usr/bin/rm /tmp/log4j2_vul_scanner.py" > ./logs.txt||exit 0'
Owner
Just for fun
Uncover the full name of a target on Linkedin.

Revealin Uncover the full name of a target on Linkedin. It's just a little PoC exploiting a design flaw. Useful for OSINT. Screenshot Usage $ git clon

mxrch 129 Dec 21, 2022
Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

Oliver Lyak 140 Dec 27, 2022
Simple tool to create passwords.

PasswordGenerator Simple password generator: -Simplisitc Window Application -Allows Numbers, Symbols & letters upper and lowercase -Restricts rows of

DM 1 Jan 10, 2022
A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms. Change the Blackgound image of targets' computer. and decrypt the targets' encrypted files in our own compute

Li Ka Lok 2 Dec 02, 2022
Detection And Breaking With Python

Detection And Breaking IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::::::::II::::::::I P:::::::

Baris Dincer 1 Dec 26, 2021
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

2 Nov 09, 2022
Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

Oxeye 137 Jan 02, 2023
Yesitsme - Simple OSINT script to find Instagram profiles by name and e-mail/phone

Simple OSINT script to find Instagram profiles by name and e-mail/phone

108 Jan 07, 2023
MS-FSRVP coercion abuse PoC

ShadowCoerce MS-FSRVP coercion abuse PoC Credits: Gilles LIONEL (a.k.a. Topotam)

Shutdown 219 Dec 28, 2022
Downloads SEP, Baseband and BuildManifest automatically for signed iOS version's for connected iDevice

FutureHelper Supports macOS and Windows Downloads SEP, Baseband and BuildManifest automatically for signed iOS version's (including beta firmwares) fo

Kasim Hussain 7 Jan 05, 2023
CVE-2021-26855 SSRF Exchange Server

CVE-2021-26855 Brute Force EMail Exchange Server Timeline: Monday, March 8, 2021: Update Dumping content...(I'm not done, can u guy help me done this

lulz 117 Nov 28, 2022
Exploit tool for Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability

AdminerRead Exploit tool for Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability Installation git clone https://github.com/p0dalirius/AdminerRea

Podalirius 58 Dec 05, 2022
Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

Fuzz introspector Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potenti

Open Source Security Foundation (OpenSSF) 221 Jan 01, 2023
A hashtag check python module

A hashtag check python module

Fayas Noushad 3 Aug 10, 2022
A simple subdomain scanner in python

Subdomain-Scanner A simple subdomain scanner in python ✨ Features scans subdomains of a domain thats it! 💁‍♀️ How to use first download the scanner.p

Portgas D Ace 2 Jan 07, 2022
IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Re-Scripts IA32-VMX-Helper (IDA-Script) IA32-MSR-Decoder (IDA-Script) IA32 VMX Helper It's an IDA script (Updated IA32 MSR Decoder) which helps you to

Behrooz Abbassi 16 Oct 08, 2022
Directory Traversal in Afterlogic webmail aurora and pro

CVE-2021-26294 Exploit Directory Traversal in Afterlogic webmail aurora and pro . Description: AfterLogic Aurora and WebMail Pro products with 7.7.9 a

Ashish Kunwar 8 Nov 09, 2022
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can process a high numbe

NVISO 116 Dec 29, 2022