Nmap Development mailing list archives
Re: Shell Shock NSE Script (CVE-2014-6271)
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 1 Dec 2014 10:38:52 -0600
Hi list, This is the updated version of the script. Do you think is worth including a check in some default paths? I was also thinking the possibility of using the web spidering library to try to find any URIs with /cgi-bin/ in the path and attempt the exploit against them, however, I'm not sure if users will be surprised that this check will launch a web crawler against their target. So we have three options: -Leave it as it is right now. A single check against web servers that uses "/" by default. This can be changed with script arguments. -Implement this check with the spidering library as I mentioned above -Include some default paths to check by default besides "/". The down side of this is that the script will generate more traffic against non vulnerable hosts. Cheers. On Tue, Oct 14, 2014 at 11:51 AM, Richard Miles < richard.k.miles () googlemail com> wrote:
Hi Paulino, Not sure if you saw, but this script is nice, use default paths for mod_cgi which could be useful to be included on the mega super shellshock kit that you are working. :) http://www.intelligentexploit.com/view-details.html?id=19916 Thanks. On Thu, Oct 9, 2014 at 9:35 AM, Paulino Calderon <paulino () calderonpale comwrote:I think it is definitely worth working on detection modules. I will go through all of the PoCs over the weekend to improve the detection module for http and submit other scripts for the other well-known services. Cheers. On Oct 2, 2014, at 4:57 PM, Richard Miles <richard.k.miles () googlemail com> wrote: Hi guys, This vulnerability is awesome, why not create a set of tests for common vulnerable applications? For example, test against well-know web applications, FTP Servers, SMTP, FTP servers, etc. I have seen exploits for almost all these systems, I guess that a single script or a couple of them to detect would be AWESOME. Examples: Pure-FTPd External Authentication Bash Environment Variable Code Injection by Frank Denis, Spencer McIntyre, and Stephane Chazelas exploits - Metasploit Apache mod_cgi Bash Environment Variable Code Injection by wvu, juan vazquez, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278 - Metasploit Apache mod_cgi Bash Environment Variable RCE Scanner by wvu, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278 and - Metasploit Here is a collection of POCs: https://github.com/mubix/shellshocker-pocs https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html What do you think guys? Thanks. On Wed, Oct 1, 2014 at 3:11 AM, Paulino Calderon < paulino () calderonpale com> wrote:Hello everyone, I’ve cleaned up the script and improved a few things: https://bitbucket.org/cldrn/nmap-nse-scripts/src/111b0a2439b22cb287572f5b45fd7991814ec6cf/scripts/6.x/http-shellshock.nse?at=master I’ve tested the script against the VM and it works perfectly. Obviously more testing is appreciated but i think it is ready for submission. Cheers. On Sep 26, 2014, at 3:45 AM, Paul Amar <paul () sensepost com> wrote:Hi list, I created a NSE script for the Shell Shock vulnerability(CVE-2014-6271).I tested the script with Pentesterlab's VM located here: files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso. This script detects if the host is vulnerable. If so, you get a reverse shell by specifying the good arguments. Eg. ./nmap -p80 --script http-vuln-cve-2014-6271.nse --script-argshttp-vuln-cve-2014-6271.remoteIp=<your-ip>,http-vuln-cve-2014-6271.remotePort=<your-port>,http-vuln-cve-2014-6271.uri=/cgi-bin/status<ip> -d Feel free if you have any feedback, Paul<http-vuln-cve-2014-6271.nse>_______________________________________________Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Attachment:
http-shellshock.nse
Description:
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Shell Shock NSE Script (CVE-2014-6271) Paulino Calderon (Oct 01)
- Re: Shell Shock NSE Script (CVE-2014-6271) Richard Miles (Oct 02)
- Re: Shell Shock NSE Script (CVE-2014-6271) Paulino Calderon (Oct 09)
- Re: Shell Shock NSE Script (CVE-2014-6271) Richard Miles (Oct 09)
- Re: Shell Shock NSE Script (CVE-2014-6271) stripes (Oct 09)
- Re: Shell Shock NSE Script (CVE-2014-6271) Shritam Bhowmick (Oct 11)
- Re: Shell Shock NSE Script (CVE-2014-6271) Paulino Calderon (Oct 09)
- Re: Shell Shock NSE Script (CVE-2014-6271) Richard Miles (Oct 14)
- Re: Shell Shock NSE Script (CVE-2014-6271) Paulino Calderon (Dec 01)
- Re: Shell Shock NSE Script (CVE-2014-6271) Richard Miles (Oct 02)