Re: Shell Shock NSE Script (CVE-2014-6271)

[Paulino Calderon Pale <paulino () calderonpale com>]

Hi list,

I’ve committed the script http-shellshock in rev 33916.

Cheers!

> On Dec 1, 2014, at 10:38 AM, Paulino Calderon <paulino () calderonpale com> wrote:
>
> Hi list,
>
> This is the updated version of the script. Do you think is worth including a check in some default paths? I was also 
> thinking the possibility of using the web spidering library to try to find any URIs with /cgi-bin/ in the path and 
> attempt the exploit against them, however, I'm not sure if users will be surprised that this check will launch a web 
> crawler against their target. So we have three options:
> -Leave it as it is right now. A single check against web servers that uses "/" by default. This can be changed with 
> script arguments.
> -Implement this check with the spidering library as I mentioned above
> -Include some default paths to check by default besides "/". The down side of this is that the script will generate 
> more traffic against non vulnerable hosts.
>
> Cheers.
>
>
>
> On Tue, Oct 14, 2014 at 11:51 AM, Richard Miles <richard.k.miles () googlemail com <mailto:richard.k.miles () 
> googlemail com>> wrote:
> Hi Paulino,
>
> Not sure if you saw, but this script is nice, use default paths for mod_cgi which could be useful to be included on 
> the mega super shellshock kit that you are working. :)
>
> http://www.intelligentexploit.com/view-details.html?id=19916 
> <http://www.intelligentexploit.com/view-details.html?id=19916>
>
> Thanks.
>
> On Thu, Oct 9, 2014 at 9:35 AM, Paulino Calderon <paulino () calderonpale com <mailto:paulino () calderonpale com>> 
> wrote:
> I think it is definitely worth working on detection modules. I will go through all of the PoCs over the weekend to 
> improve the detection module for http and submit other scripts for the other well-known services.
>
> Cheers.
>
>
> On Oct 2, 2014, at 4:57 PM, Richard Miles <richard.k.miles () googlemail com <mailto:richard.k.miles () googlemail 
> com>> wrote:
>
> > Hi guys,
> >
> > This vulnerability is awesome, why not create a set of tests for common vulnerable applications? For example, test 
> > against well-know web applications, FTP Servers, SMTP, FTP servers, etc. I have seen exploits for almost all these 
> > systems, I guess that a single script or a couple of them to detect would be AWESOME.
> >
> > Examples:
> >
> > Pure-FTPd External Authentication Bash Environment Variable Code Injection by Frank Denis, Spencer McIntyre, and 
> > Stephane Chazelas exploits - Metasploit
> >
> > Apache mod_cgi Bash Environment Variable Code Injection by wvu, juan vazquez, Stephane Chazelas, and lcamtuf 
> > exploits CVE-2014-6278  - Metasploit
> >
> > Apache mod_cgi Bash Environment Variable RCE Scanner by wvu, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278 
> > and - 
> > Metasploit
> >
> > Here is a collection of POCs:
> >
> > https://github.com/mubix/shellshocker-pocs <https://github.com/mubix/shellshocker-pocs>
> > https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html 
> > <https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html>
> >
> > What do you think guys?
> >
> > Thanks.
> >
> > On Wed, Oct 1, 2014 at 3:11 AM, Paulino Calderon <paulino () calderonpale com <mailto:paulino () calderonpale com>> 
> > wrote:
> > Hello everyone,
> >
> > I’ve cleaned up the script and improved a few things:
> > https://bitbucket.org/cldrn/nmap-nse-scripts/src/111b0a2439b22cb287572f5b45fd7991814ec6cf/scripts/6.x/http-shellshock.nse?at=master
> >  
> > <https://bitbucket.org/cldrn/nmap-nse-scripts/src/111b0a2439b22cb287572f5b45fd7991814ec6cf/scripts/6.x/http-shellshock.nse?at=master>
> >
> > I’ve tested the script against the VM and it works perfectly. Obviously more testing is appreciated but i think it 
> > is ready for submission.
> >
> > Cheers.
> >
> > On Sep 26, 2014, at 3:45 AM, Paul Amar <paul () sensepost com <mailto:paul () sensepost com>> wrote:
> >
> > > Hi list,
> > >
> > > I created a NSE script for the Shell Shock vulnerability (CVE-2014-6271).
> > >
> > > I tested the script with Pentesterlab's VM located here:
> > > files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso 
> > > <http://files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso>.
> > >
> > > This script detects if the host is vulnerable.
> > > If so, you get a reverse shell by specifying the good arguments.
> > >
> > > Eg. ./nmap -p80 --script http-vuln-cve-2014-6271.nse --script-args
> > > http-vuln-cve-2014-6271.remoteIp=<your-ip>,http-vuln-cve-2014-6271.remotePort=<your-port>,http-vuln-cve-2014-6271.uri=/cgi-bin/status
> > > <ip> -d
> > >
> > > Feel free if you have any feedback,
> > > Paul
> > > <http-vuln-cve-2014-6271.nse>_______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev <http://nmap.org/mailman/listinfo/dev>
> > > Archived at http://seclists.org/nmap-dev/ <http://seclists.org/nmap-dev/>
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > http://nmap.org/mailman/listinfo/dev <http://nmap.org/mailman/listinfo/dev>
> > Archived at http://seclists.org/nmap-dev/ <http://seclists.org/nmap-dev/>
>
>
>
> <http-shellshock.nse>

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/