Re: Shell Shock NSE Script (CVE-2014-6271)

[Paulino Calderon <paulino () calderonpale com>]

Hi list,

This is the updated version of the script. Do you think is worth including
a check in some default paths? I was also thinking the possibility of using
the web spidering library to try to find any URIs with /cgi-bin/ in the
path and attempt the exploit against them, however, I'm not sure if users
will be surprised that this check will launch a web crawler against their
target. So we have three options:
-Leave it as it is right now. A single check against web servers that uses
"/" by default. This can be changed with script arguments.
-Implement this check with the spidering library as I mentioned above
-Include some default paths to check by default besides "/". The down side
of this is that the script will generate more traffic against non
vulnerable hosts.

Cheers.



On Tue, Oct 14, 2014 at 11:51 AM, Richard Miles <
richard.k.miles () googlemail com> wrote:

> Hi Paulino,
>
> Not sure if you saw, but this script is nice, use default paths for
> mod_cgi which could be useful to be included on the mega super shellshock
> kit that you are working. :)
>
> http://www.intelligentexploit.com/view-details.html?id=19916
>
> Thanks.
>
> On Thu, Oct 9, 2014 at 9:35 AM, Paulino Calderon <paulino () calderonpale com
> > wrote:
>
> > I think it is definitely worth working on detection modules. I will go
> > through all of the PoCs over the weekend to improve the detection module
> > for http and submit other scripts for the other well-known services.
> >
> > Cheers.
> >
> >
> > On Oct 2, 2014, at 4:57 PM, Richard Miles <richard.k.miles () googlemail com>
> > wrote:
> >
> > Hi guys,
> >
> > This vulnerability is awesome, why not create a set of tests for common
> > vulnerable applications? For example, test against well-know web
> > applications, FTP Servers, SMTP, FTP servers, etc. I have seen exploits for
> > almost all these systems, I guess that a single script or a couple of them
> > to detect would be AWESOME.
> >
> > Examples:
> >
> > Pure-FTPd External Authentication Bash Environment Variable Code
> > Injection by Frank Denis, Spencer McIntyre, and Stephane Chazelas exploits
> > - Metasploit
> >
> > Apache mod_cgi Bash Environment Variable Code Injection by wvu, juan
> > vazquez, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278  - Metasploit
> >
> > Apache mod_cgi Bash Environment Variable RCE Scanner by wvu, Stephane
> > Chazelas, and lcamtuf exploits CVE-2014-6278 and -
> > Metasploit
> >
> > Here is a collection of POCs:
> >
> > https://github.com/mubix/shellshocker-pocs
> >
> > https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html
> >
> > What do you think guys?
> >
> > Thanks.
> >
> > On Wed, Oct 1, 2014 at 3:11 AM, Paulino Calderon <
> > paulino () calderonpale com> wrote:
> >
> > > Hello everyone,
> > >
> > > I’ve cleaned up the script and improved a few things:
> > >
> > > https://bitbucket.org/cldrn/nmap-nse-scripts/src/111b0a2439b22cb287572f5b45fd7991814ec6cf/scripts/6.x/http-shellshock.nse?at=master
> > >
> > > I’ve tested the script against the VM and it works perfectly. Obviously
> > > more testing is appreciated but i think it is ready for submission.
> > >
> > > Cheers.
> > >
> > > On Sep 26, 2014, at 3:45 AM, Paul Amar <paul () sensepost com> wrote:
> > >
> > > > Hi list,
> > > >
> > > > I created a NSE script for the Shell Shock vulnerability
> > > (CVE-2014-6271).
> > > > I tested the script with Pentesterlab's VM located here:
> > > > files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso.
> > > >
> > > > This script detects if the host is vulnerable.
> > > > If so, you get a reverse shell by specifying the good arguments.
> > > >
> > > > Eg. ./nmap -p80 --script http-vuln-cve-2014-6271.nse --script-args
> > > http-vuln-cve-2014-6271.remoteIp=<your-ip>,http-vuln-cve-2014-6271.remotePort=<your-port>,http-vuln-cve-2014-6271.uri=/cgi-bin/status
> > > > <ip> -d
> > > >
> > > > Feel free if you have any feedback,
> > > > Paul
> > > <http-vuln-cve-2014-6271.nse>_______________________________________________
> > > > Sent through the dev mailing list
> > > > http://nmap.org/mailman/listinfo/dev
> > > > Archived at http://seclists.org/nmap-dev/
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/

Attachment: http-shellshock.nse
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/