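#!/bin/bash
# runner.sh - scans the local filesystem for Log4J jars with the
# log4j-detector jar and writes a report under ~/log4j-log.
# Required tools: curl, java, sudo, tee, grep (verified by ApplicationCheck).
set -e
# work relative to the script's own directory: the detector jar is looked up
# there by a relative name
cd "$(dirname "$0")"
strCur=$PWD
strDate=$(date '+%d-%m-%Y_%H-%M-%S')
# All logs live under the invoking user's home. The scan logs contain file
# paths gathered from the whole filesystem, so treat them as sensitive.
strLogDirectory=~/log4j-log
strLogFilePath=$strLogDirectory/$strDate-result-full-scan.log
strLogInFilePath=$strLogDirectory/$strDate-in-scan.log
strFinalResultLog=$strLogDirectory/$strDate-result-shrinked.log
strJavaLog4JBinary=log4j-detector-latest.jar
strJavaLog4JDownloadURL=https://github.com/beckerr-rzht/log4j-detector/raw/release/log4j-detector-2021.12.29.jar
# mkdir -p already tolerates an existing directory; the quotes keep a home
# path containing spaces working
mkdir -p -- "$strLogDirectory"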
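#######################################
# Run a command line and append its stdout to the full-scan log.
# Globals:   strLogFilePath (read)
# Arguments: $1 - a complete command line; it is deliberately left unquoted so
#                 that it is word-split into command and arguments. Because the
#                 text is executed, never pass it anything from an untrusted
#                 source.
# Outputs:   appends the command's stdout to $strLogFilePath
# Returns:   the command's exit status
# Note:      not called anywhere in this file at present.
#######################################
Logger() {
  # shellcheck disable=SC2086  -- word-splitting of $1 is the whole point here
  $1 >> "$strLogFilePath"
}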
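#######################################
# Print an error banner with the run timestamp.
# Globals:   strDate (read)
# Arguments: $1 - message text
# Outputs:   "\n✘✘✘ | <date> | <message> \n" on stdout
#######################################
EventError() {
  # the message is passed as a %s argument, never as the format string, so a
  # '%' or backslash inside it cannot alter the output
  printf '\n✘✘✘ | %s | %s \n' "$strDate" "$1"
}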
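#######################################
# Print a success banner with the run timestamp.
# Globals:   strDate (read)
# Arguments: $1 - message text
# Outputs:   "\n✔✔✔ | <date> | <message> \n" on stdout
#######################################
EventSuccess() {
  # message goes in as a %s argument so printf never interprets its contents
  printf '\n✔✔✔ | %s | %s \n' "$strDate" "$1"
}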
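#######################################
# Print the heading for one result category of the report.
# Globals:   strDate (read)
# Arguments: $1 - category name (e.g. _VULNERABLE_)
# Outputs:   "\n⚠ ⚠ ⚠ | <date> | RESULTS FOR <category> \n" on stdout
#######################################
EventResultWarning() {
  # category goes in as a %s argument so printf never interprets its contents
  printf '\n⚠ ⚠ ⚠ | %s | RESULTS FOR %s \n' "$strDate" "$1"
}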
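#######################################
# Abort unless the named tool can be found in PATH.
# Arguments: $1 - command name
# Outputs:   an EventError banner on stdout when the tool is missing
# Returns:   0 when found; exits the shell with status 1 otherwise
# Note:      not called anywhere in this file at present; ApplicationCheck
#            uses CheckApplication instead.
#######################################
CheckApplicationExists() {
  # The previous test, `[ ! -n `which $1` 2>/dev/null ]`, lost its operand when
  # which printed nothing and then evaluated to a constant, so a missing tool
  # was never reported. `command -v` is the portable lookup.
  if ! command -v "$1" >/dev/null 2>&1; then
    EventError "Software $1 is not installed. Please be sure, that $1 is installed before running this script! Abort."
    exit 1
  fi
}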
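#######################################
# Abort unless the named tool can be found in PATH.
# Arguments: $1 - command name
# Outputs:   an EventError banner on stdout when the tool is missing
# Returns:   0 when found; exits the shell with status 1 otherwise
#######################################
CheckApplication() {
  # hash(1) only succeeds when the command resolves; its own error text is
  # dropped because EventError prints the user-facing message
  if ! hash "$1" 2>/dev/null; then
    EventError "Software $1 is not installed. Please be sure, that $1 is installed before running this script! Abort."
    exit 1
  fi
}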
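#######################################
# Feed every regular file on the root filesystem to the detector jar.
# Globals:   strJavaLog4JBinary, strLogInFilePath, strLogFilePath (read)
# Outputs:   the list of scanned paths is written to $strLogInFilePath and the
#            detector's combined stdout/stderr to $strLogFilePath; nothing is
#            printed to the terminal
# Returns:   exits with status 1 when the jar is missing. Otherwise the status
#            is that of the final tee (there is no pipefail), so a failing
#            find or java does NOT stop the script - inspect the log instead.
#######################################
WrapperCall() {
  if [ ! -f "$strJavaLog4JBinary" ]; then
    EventError "Software $strJavaLog4JBinary not found! Please be sure, that curl download the latest version of it."
    exit 1
  fi
  # The jar runs with root privileges and reads the path list from stdin;
  # only execute a jar whose origin and integrity you have verified.
  # -xdev keeps find on the root filesystem (no other mounts).
  sudo find / -xdev -type f \
    | tee "$strLogInFilePath" \
    | sudo java -jar "$strJavaLog4JBinary" --stdin --verbose 2>&1 \
    | tee "$strLogFilePath" > /dev/null 2>&1
}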
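#######################################
# Fetch the detector jar if it is not present, then optionally verify it.
# Globals:   strJavaLog4JBinary, strJavaLog4JDownloadURL (read)
#            strJavaLog4JSHA256 (read, optional): expected SHA-256 hex digest
#            of the jar. Leave unset/empty to skip verification. The value is
#            not shipped with this script; obtain it from the detector's
#            release and set it yourself (e.g. strJavaLog4JSHA256=<EXPECTED_SHA256>).
# Outputs:   curl's progress on the terminal; an EventError banner on failure
# Returns:   0 when the jar is present (and matches the digest when one is
#            configured); exits with status 1 otherwise
#######################################
DownloadLatestJarFile() {
  if [ ! -f "$strJavaLog4JBinary" ]; then
    # -f makes curl fail on an HTTP error instead of saving the error page
    # under the jar's name, which would later be executed as root by
    # WrapperCall; a partial download is removed so the next run retries
    if ! curl -fL -o "$strJavaLog4JBinary" "$strJavaLog4JDownloadURL"; then
      rm -f -- "$strJavaLog4JBinary"
      EventError "Download of $strJavaLog4JBinary from $strJavaLog4JDownloadURL failed! Abort."
      exit 1
    fi
  fi
  # Integrity check of the file that is about to run with root privileges;
  # applied to an already-present jar as well. Optional so that existing
  # invocations without a configured digest keep working.
  if [ -n "${strJavaLog4JSHA256:-}" ]; then
    if ! printf '%s  %s\n' "$strJavaLog4JSHA256" "$strJavaLog4JBinary" | sha256sum -c --status -; then
      EventError "Software $strJavaLog4JBinary does not match the expected SHA-256 digest! Abort."
      exit 1
    fi
  fi
}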
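#######################################
# Turn the full-scan log into the human-readable report.
# Globals:   strLogFilePath, strFinalResultLog, strDate (read)
#            HOSTNAME, USERNAME/USER (read, for the report header)
# Outputs:   the report on stdout (mainCall tees it into $strFinalResultLog);
#            the matching lines found by the condition are printed first
# Returns:   exits with status 1 when any _VULNERABLE_, _OLD_ or
#            _POTENTIALLY_SAFE_ marker is present, 0 otherwise. Because
#            mainCall runs this function at the head of a pipeline, the exit
#            only ends that subshell.
#######################################
ParseResults() {
  if ( grep -i -- "_VULNERABLE_" "$strLogFilePath" \
      || grep -i -- "_OLD_" "$strLogFilePath" \
      || grep -i -- "_POTENTIALLY_SAFE_" "$strLogFilePath" ); then
    printf '\n---------- WARNING ---------- WARNING ---------- WARNING ---------- WARNING ---------- WARNING ---------- WARNING ----------\n'
    EventError "ALERT ALERT ALERT | SOMEONE LOOKS NOT GOOD! LOOKING FOR _OLD_ or _VULNERABLE_ or _POTENTIALLY_SAFE_ in the logfile at $strLogFilePath"
    printf '\n---------------------------------------------------------------------------------------------------------------------------------'
    # values are passed as %s arguments so printf never interprets them
    printf '\n\nHostname: %s' "$HOSTNAME"
    # bash sets USER, not USERNAME; honour USERNAME when the environment
    # provides it and fall back so the field is not blank
    printf '\nUsername: %s' "${USERNAME:-${USER:-$(id -un)}}"
    printf '\nDatum: %s\n' "$strDate"
    EventResultWarning "_VULNERABLE_"
    printf '\nDescription of _VULNERABLE_: You need to upgrade or remove this file.\n\n'
    printf 'List of vulnerabilities in your files from _VULNERABLE_:\n'
    # The obsolete `grep -u` flag is gone (a no-op on GNU grep, an error on
    # BSD grep). A category with no hits is normal here, so `|| true` stops a
    # non-matching grep from ending the report early under set -e.
    grep -- "_VULNERABLE_" "$strLogFilePath" || true
    printf '\n\n---------------------------------------------------------------------------------------------------------------------------------'
    EventResultWarning "_OLD_"
    printf '\nDescription of _OLD_: You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and\nhas several known-vulnerabilities.\n\n'
    printf 'List of vulnerabilities in your files from _OLD_:\n'
    grep -- "_OLD_" "$strLogFilePath" || true
    printf '\n\n---------------------------------------------------------------------------------------------------------------------------------'
    EventResultWarning "_POTENTIALLY_SAFE_"
    printf "\nDescription of _POTENTIALLY_SAFE_: The JndiLookup.class file is not present, either because your version of Log4J is very old (pre 2.0-beta9),\nor because someone already removed this file. Make sure it was someone in your team or company that removed JndiLookup.class if that's the case,\nbecause attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems.\n\n"
    printf 'List of vulnerabilities in your files from _POTENTIALLY_SAFE_:\n'
    grep -- "_POTENTIALLY_SAFE_" "$strLogFilePath" || true
    printf '\n\n---------- WARNING ---------- WARNING ---------- WARNING ---------- WARNING ---------- WARNING ---------- WARNING ----------'
    printf '\n\n !!! PLEASE CHECK YOUR REPORT FROM %s\n' "$strFinalResultLog"
    exit 1
  else
    EventSuccess "No results found! Have a nice day and keep smilin :) - if you want you can find your logs here $strLogFilePath" | tee -a "$strLogFilePath"
    # nothing to report, so the (empty) shrinked report is not kept
    rm -f -- "$strFinalResultLog"
    exit 0
  fi
}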
#######################################
# Make sure every external tool the scan relies on is installed.
# Outputs:   whatever CheckApplication prints for a missing tool
# Returns:   0 when all tools resolve; CheckApplication exits otherwise
#######################################
ApplicationCheck() {
  local tool
  # order matters only for which missing tool gets reported first
  for tool in curl java sudo tee grep; do
    CheckApplication "$tool"
  done
}
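#######################################
# Orchestrate one scan: tool check, jar download, scan, report.
# Globals:   strFinalResultLog, strLogInFilePath (read)
# Outputs:   the report on stdout and appended to $strFinalResultLog
# Returns:   the exit status of ParseResults (1 when findings exist, 0 when
#            the scan is clean) so that set -e, and the caller, see the verdict
#######################################
mainCall() {
  local rcParse
  touch -- "$strFinalResultLog"
  ApplicationCheck
  DownloadLatestJarFile
  WrapperCall
  # ParseResults runs at the head of this pipeline, so its exit status would
  # otherwise be hidden behind tee's (always 0) and the script would report
  # success even with findings; PIPESTATUS[0] recovers it.
  ParseResults | tee -a "$strFinalResultLog"
  rcParse=${PIPESTATUS[0]}
  # the raw path list is only an intermediate artefact of the scan
  rm -f -- "$strLogInFilePath"
  return "$rcParse"
}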
# Entry point. Under the script's `set -e` a non-zero status from mainCall
# already terminates the script, so the explicit exit below is the clean path.
mainCall
exit 0