A Tool to Find And Exploit Servers Vulnerable to Shellshock

Shocker

A tool to find and exploit servers vulnerable to Shellshock

Ref: https://en.wikipedia.org/wiki/Shellshock_(software_bug)

Released as open source by NCC Group Plc - https://www.nccgroup.trust/

How to use  

Help Text

usage: shocker.py

-h, --help show this help message and exit

--Host HOST, -H HOST A target hostname or IP address

--file FILE, -f FILE File containing a list of targets

--port PORT, -p PORT The target port number (default=80)

--exploit EXPLOIT, -e EXPLOIT Command to execute (default=/bin/uname -a)

--cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)

--proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'

--ssl, -s Use SSL (default=False)

--threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)

--verbose, -v Be verbose in output  

TODO

• Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
• Implement curses for *nix systems - For the whole application or only psuedo terminal? - Low priority/prettiness
• Thread the initial host check now that multiple targets are supported (and could be make this bit time consuming)
• Change verbose to integer value - quiet, normal, verbose, debug?
• Add option to skip initial host checks for the sake of speed?
• Add a summary of results before exiting
• Save results to a file? Format?
• Eventually the idea is to include multiple possible vectors but currently only one is checked.
• Add Windows and *nix colour support - Low priority/prettiness
• Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
• Prettify - Low priority/pretinness (obviously)
• Add support for scanning and explointing SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
• Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Rober Picard
• Other stuff. Probably. 

Download tool : https://github.com/nccgroup/shocker