shellshock_tester.sh

1. #!/bin/bash
2. EXITCODE=0
3.  
4. # CVE-2014-6271
5. CVE20146271=$(env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test" 2>&1 | grep 'vulnerable' | wc -l)
6.  
7. echo -n "CVE-2014-6271 (original shellshock): "
8. if [ $CVE20146271 -gt 0 ]; then
9.     echo -e "\033[91mVULNERABLE\033[39m"
10.     EXITCODE=$((EXITCODE+1))
11. else
12.     echo -e "\033[92mnot vulnerable\033[39m"
13. fi
14.  
15. # CVE-2014-6277
16. CVE20146277=$((bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable) | grep 'vulnerable' | wc -l)
17.  
18. echo -n "CVE-2014-6277 (segfault): "
19. if [ $CVE20146277 -gt 0 ]; then
20.     echo -e "\033[91mVULNERABLE\033[39m"
21.     EXITCODE=$((EXITCODE+2))
22. else
23.     echo -e "\033[92mnot vulnerable\033[39m"
24. fi
25.  
26. # CVE-2014-6278
27. CVE20146278=$(shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable' | wc -l)
28.  
29. echo -n "CVE-2014-6278 (Florian's patch): "
30. if [ $CVE20146278 -gt 0 ]; then
31.     echo -e "\033[91mVULNERABLE\033[39m"
32.     EXITCODE=$((EXITCODE+4))
33. else
34.     echo -e "\033[92mnot vulnerable\033[39m"
35. fi
36.  
37. # CVE-2014-7169
38. CVE20147169=$((cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ "$(cat echo 2> /dev/null)" == "nonvuln" ]] && echo "vulnerable" 2> /dev/null) | grep 'vulnerable' | wc -l)
39.  
40. echo -n "CVE-2014-7169 (taviso bug): "
41. if [ $CVE20147169 -gt 0 ]; then
42.     echo -e "\033[91mVULNERABLE\033[39m"
43.     EXITCODE=$((EXITCODE+8))
44. else
45.     echo -e "\033[92mnot vulnerable\033[39m"
46. fi
47.  
48. # CVE-2014-7186
49. CVE20147186=$((bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo "vulnerable") | grep 'vulnerable' | wc -l)
50.  
51. echo -n "CVE-2014-7186 (redir_stack bug): "
52. if [ $CVE20147186 -gt 0 ]; then
53.     echo -e "\033[91mVULNERABLE\033[39m"
54.     EXITCODE=$((EXITCODE+16))
55. else
56.     echo -e "\033[92mnot vulnerable\033[39m"
57. fi
58.  
59. # CVE-2014-7187
60. CVE20147187=$(((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) | bash || echo "vulnerable") | grep 'vulnerable' | wc -l)
61.  
62. echo -n "CVE-2014-7187 (nested loops off by one): "
63. if [ $CVE20147187 -gt 0 ]; then
64.     echo -e "\033[91mVULNERABLE\033[39m"
65.     EXITCODE=$((EXITCODE+32))
66. else
67.     echo -e "\033[92mnot vulnerable\033[39m"
68. fi
69.  
70. # CVE-2014-////
71. CVE2014=$(env X=' () { }; echo vulnerable' bash -c 'date' | grep 'hello' | wc -l)
72.  
73. echo -n "CVE-2014-//// (exploit 3 on http://shellshocker.net/): "
74. if [ $CVE2014 -gt 0 ]; then
75.     echo -e "\033[91mVULNERABLE\033[39m"
76.     EXITCODE=$((EXITCODE+64))
77. else
78.     echo -e "\033[92mnot vulnerable\033[39m"
79. fi
80.  
81. exit $EXITCODE