shellshock repair using sshkit

fixbash.rb

require 'sshkit'
require 'sshkit/coordinator'
require 'sshkit/host'
require 'sshkit/dsl'

SSHKit::Backend::Netssh.configure do |backend|
  backend.pty = true
end

def echo_vulnerability(host, issue)
  "echo \"vulnerability #{issue} detected on host #{host}\""
end

vulnerable_hosts = []

# List all your servers here.
# I used server nicknames from ~/.ssh/config so I could
# just pass a list of symbols instead of having to declare
# a list of servers with appropriate SSH keys
ROOT_SERVERS = ['root@server1', 'root@server2']

on ROOT_SERVERS.collect(&:to_s) do |host|
  execute :curl, "https://shellshocker.net/fixbash", "|", :sh
  execute :rm, '-rf', 'bash-shellshocker'
  execute '/sbin/ldconfig'
  with x: "'() { :;}; #{echo_vulnerability(host, 'CVE-2014-6271')}'" do
    result = (capture :bash, "-c \"true\"")
    vulnerable_hosts << result unless result.chomp.empty?
  end
  within '/tmp' do
    result = capture("env X='() { (a)=>\' bash -c \"echo date\"; cat echo 2> /dev/null | true")
    vulnerable_hosts << "vulnerability CVE-2014-7169 detected on host #{host}" unless result.chomp == 'date'
    execute :rm, '-f', :echo
  end
  vulnerable_hosts << capture("bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || #{echo_vulnerability(host, 'CVE-2014-7186')}")
  vulnerable_hosts << capture("(for x in {1..200} ; do echo \"for x$x in ; do :\"; done; for x in {1..200} ; do echo done ; done) | bash || #{echo_vulnerability(host, 'CVE-2014-7187')}")
  vulnerable_hosts << "vulnerability CVE-2014-6277 / CVE-2014-6278 detected on host #{host}" if 'not patched' == capture("foo='() { echo not patched; }' bash -c foo 2> /dev/null || true").chomp
end

puts vulnerable_hosts.collect{|s| s.split("\n")}.flatten.reject{|s| s.match /Segmentation fault/ }.reject{|s| s.match /segfault/ }.reject{|s| s.match /line 129/ }