<#
.SYNOPSIS
Search drives for jar files containing JNDI classes
.DESCRIPTION
For CVE-2021-44228 (Log4Shell), search local fixed drives for jar files that contain the JndiLookup class
.NOTES
Credit to Jai Minton and Grzegorz Tworek for figuring out the invocation
BSD License
Pull requests are welcome.
.LINK
https://twitter.com/CyberRaiju/status/1469505677580124160
https://twitter.com/0gtweet/status/1469661769547362305
#>
# Elevate as needed
# https://superuser.com/questions/108207/how-to-run-a-powershell-script-as-administrator
# -Elevated is passed by the script to itself when it relaunches under RunAs; it marks the
# second attempt so that a failed elevation aborts instead of relaunching in a loop.
param([switch]$Elevated)
function Test-Admin {
    # Return $true when the current Windows identity holds the built-in
    # Administrators role; the script uses this to decide whether it has to
    # relaunch itself elevated before scanning the drives.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
    $adminRole = [Security.Principal.WindowsBuiltinRole]::Administrator
    return $principal.IsInRole($adminRole)
}
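if (-not (Test-Admin)) {
    if ($Elevated) {
        # Relaunched with -Elevated but still not an administrator: the UAC
        # prompt was declined or elevation is blocked. Report it instead of
        # exiting silently, and use a non-zero status so a caller can tell
        # that no scan was performed.
        Write-Warning 'Elevation was requested but the script is still not running as Administrator; aborting.'
        exit 1
    }
    # Relaunch this script in an elevated PowerShell. -NoExit keeps the new
    # window open so the scan results remain visible after the run finishes.
    $scriptPath = $MyInvocation.MyCommand.Definition
    Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f $scriptPath)
    exit
}
Write-Output 'Running with full privileges...'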
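function Find-Log4J {
    <#
    .SYNOPSIS
    Emit the full path of every .jar on a local fixed disk that contains JndiLookup.class.
    .DESCRIPTION
    Enumerates fixed local volumes (DriveType 3) that have a drive letter, walks each one
    recursively for *.jar files (hidden and system files included) and scans each archive
    for the literal string "JndiLookup.class". Access-denied and similar errors during the
    walk are suppressed so one unreadable directory does not stop the scan.
    NOTE: This flags every jar that ships the class, including patched releases; treat the
    list as a starting point for a version check, not as a verdict.
    .OUTPUTS
    System.String - one full path per matching jar.
    #>
    # Select-String notes:
    #  -LiteralPath : paths may contain [ ] which -Path would treat as wildcards.
    #  -SimpleMatch : match the literal string; as a regex the '.' would match any character.
    #  -List        : report each jar once even if the name occurs several times in it.
    Get-CimInstance Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and $null -ne $_.DriveLetter } |
        ForEach-Object {
            Get-ChildItem -Path ($_.DriveLetter + '\') -Recurse -Force -Include *.jar -ErrorAction SilentlyContinue |
                ForEach-Object { Select-String -LiteralPath $_.FullName -Pattern 'JndiLookup.class' -SimpleMatch -List } |
                Select-Object -ExpandProperty Path
        }
    # Linux version (for reference)
    # find / 2>/dev/null -regex ".*.jar" -type f | xargs -I{} grep JndiLookup.class "{}"
    # Alternative enumeration through PSDrives instead of Win32_Volume:
    #Get-PSDrive -PSProvider FileSystem | foreach {(gci ($_.Root) -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path)}
}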
# Run the scan; each matching jar path goes to the output stream so it can be
# captured or redirected by the caller, then announce completion.
Find-Log4J | Write-Output
Write-Output 'Done...'