<!DOCTYPE html>
<html lang="en">
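<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Shellshock BASH Vulnerability tester. Are you vulnerable to #shellshock? (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)">
  <meta name="keywords" content="Shellshock,BASH,vulnerability,exploit,zeroday,heartbleed,linux,osx,sh,gnu,fix,ubuntu,centos,redhat,shellshocker,upgrade,4.3,apache,nginx,cgi,mavericks,yosemite,fedora,test,tester,logo,bashbleed,bashbug,vulnerable,hack,aftershock,check,checker,patcher,patch,stats,statistics,one liner,CVE-2014-6271,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187,CVE-2014-6277,CVE-2014-6278">
  <meta name="author" content="@williamreiske">
  <meta property="og:image" content="https://shellshocker.net/shellshocker.png">
  <title>Shellshock BASH Vulnerability Tester</title>
  <!-- Same root-relative path the body uses for the logo -->
  <link rel="icon" href="/shellshocker.png">
  <!-- Third-party CSS. Written with an explicit https: scheme (not protocol-relative) so the
       assets are never fetched over plain http when the page itself is.
       TODO(review): add integrity="sha384-<HASH>" crossorigin="anonymous" to each CDN link so a
       tampered CDN response is rejected by the browser. -->
  <!-- Bootstrap core CSS -->
  <link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
  <!-- Bootstrap theme -->
  <link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/css/bootstrap-theme.min.css" rel="stylesheet">
  <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet">
  <!-- Site theme (first-party) -->
  <link href="/theme.min.css?rev=92914-300pm" rel="stylesheet">
  <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
  <!--[if lt IE 9]>
  <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
  <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
  <![endif]-->
</head>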
<body role="document">
<!-- Fixed navbar -->
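<!-- Primary site navigation (Bootstrap fixed navbar). <nav> carries the landmark, so no role attribute is needed. -->
<nav class="navbar navbar-inverse navbar-fixed-top" aria-label="Primary">
  <div class="container">
    <div class="navbar-header">
      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target=".navbar-collapse">
        <span class="sr-only">Toggle navigation</span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
        <span class="icon-bar"></span>
      </button>
      <!-- Brand goes to the same place as "Home" instead of a dead href="#"; the logo's alt is
           empty because the visible text next to it already names it. -->
      <a class="navbar-brand" href="/">
        <img height="20" src="/shellshocker.png" alt=""> #Shellshocker</a>
    </div>
    <div class="navbar-collapse collapse">
      <ul class="nav navbar-nav">
        <li class="active"><a href="/">Home</a></li>
        <li><a href="#websitetest">Website Tester</a></li>
        <li><a href="#systemtest">System Tester</a></li>
        <li><a href="#fix">The Fix</a></li>
        <li><a href="#api">API</a></li>
        <li><a href="#comment">Comment</a></li>
        <li><a href="/sitestats">Stats</a></li>
        <li><a href="/about">About Us</a></li>
      </ul>
    </div>
    <!--/.nav-collapse -->
  </div>
</nav>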
<div class="container theme-showcase" role="main">
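<!-- Google AdSense unit (top of page). The loader is fetched over an explicit https: scheme;
     push({}) queues this slot for rendering once the loader has run. -->
<div class="center">
  <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
  <!-- shellshocker.net -->
  <ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-1808672741905857" data-ad-slot="8928803123" data-ad-format="auto"></ins>
  <script>
    (adsbygoogle = window.adsbygoogle || []).push({});
  </script>
</div>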
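<br>
<!-- Site notice: current patch level plus the one-line patcher. -->
<div class="alert alert-warning" style="text-align:center;text-shadow:none;" role="alert">
  <p>Patch 29 is now live (Fri Oct 3 2014: 1:35am EST)! Please re-patch your systems!</p>
  <!-- <pre> may not be nested in <p>, so it stands on its own here -->
  <pre>curl https://shellshocker.net/fixbash | sh</pre>
  <!-- NOTE(review): the system-tester section links the GitHub source of shellshock_test.sh; linking the
       fixbash source the same way lets readers inspect what this one-liner runs before piping it to sh. -->
  <small>If curl isn't installed on your system but wget is, <code>wget https://shellshocker.net/fixbash -O - | sh</code> does the same as the command above.</small>
  <!-- External links opened in a new tab carry rel="noopener noreferrer" so the target page gets no window.opener handle -->
  <p>Now taking pull requests @ <a target="_blank" rel="noopener noreferrer" style="color:#000;" href="https://github.com/wreiske/shellshocker">https://github.com/wreiske/shellshocker</a>. Having an issue? Report it on the <a target="_blank" rel="noopener noreferrer" href="https://github.com/wreiske/shellshocker/issues">GitHub issue tracker</a>.</p>
</div>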
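<!-- Placeholder shown until the stats are loaded into #test_stats (presumably by shellshock.min.js — confirm).
     role="alert" makes the replacement content a live region for assistive tech. -->
<div class="alert alert-info" style="text-align:center;font-size:20px;" role="alert" id="test_stats">
  <p><i class="fa fa-spinner fa-spin" aria-hidden="true"></i> Loading Stats....</p>
</div>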
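<!-- Introduction: what Shellshock is, with one link per CVE. All external links use https: and open in a
     new tab with rel="noopener noreferrer". -->
<div class="jumbotron">
  <h1>What is #shellshock?</h1>
  <img height="150" style="float:left;padding-right:20px;" src="/shellshocker.png" alt="">
  <p>Shellshock (<a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a>, <a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277">CVE-2014-6277</a>, <a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278">CVE-2014-6278</a>, <a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169">CVE-2014-7169</a>, <a target="_blank" rel="noopener noreferrer" href="https://access.redhat.com/security/cve/CVE-2014-7186">CVE-2014-7186</a>, <a target="_blank" rel="noopener noreferrer" href="https://access.redhat.com/security/cve/CVE-2014-7187">CVE-2014-7187</a>) is a vulnerability in GNU's <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Bash_(Unix_shell)">bash</a> shell that gives attackers access to run <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Arbitrary_code_execution">remote commands</a> on a vulnerable system. If your system has not updated bash since Tue Sep 30 2014: 1:32PM EST (See <a target="_blank" rel="noopener noreferrer" href="https://ftp.gnu.org/gnu/bash/bash-4.3-patches/?C=M;O=D">patch history</a>), you're <strong>most definitely vulnerable</strong> and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to <a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">NVD</a>.</p>
  <p>You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.</p>
  <p>Join the discussion <a href="#comment">below</a>.</p>
  <a href="https://twitter.com/shellshockernet" class="twitter-follow-button" data-show-count="false" data-dnt="true">Follow @shellshockernet</a>
  <a href="https://twitter.com/williamreiske" class="twitter-follow-button" data-show-count="false" data-dnt="true">Follow @williamreiske</a>
  <a href="https://twitter.com/mieehr" class="twitter-follow-button" data-show-count="false" data-dnt="true">Follow @mieehr</a>
  <!-- One Twitter widgets loader serves all follow buttons: the getElementById(id) guard means extra copies
       were no-ops anyway. widgets.js is requested over https: unconditionally rather than sniffing the page scheme. -->
  <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src='https://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document,'script','twitter-wjs');</script>
  <!-- Fragment target for the "Website Tester" nav link (id replaces the obsolete name attribute) -->
  <a id="websitetest"></a>
</div>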
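<!-- Website tester panel. The form controls are wired up by the site script (shellshock.min.js — confirm),
     which presumably hides #loading_tester and shows #shock_tester once ready. -->
<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><i class="fa fa-bolt" aria-hidden="true"></i> Website Shocker</h3>
  </div>
  <div class="panel-body">
    <div id="loading_tester">
      <div class="center">
        <p>
          <strong>Loading website tester...</strong>
        </p>
        <p>
          <i class="fa fa-spinner fa-spin" aria-hidden="true"></i>
        </p>
      </div>
    </div>
    <div id="shock_tester" style="display:none;">
      <p>
        You can test if a system is vulnerable by using the form below. Just provide a http or https url and test away!
      </p>
      <!-- Error text is injected here; the live region exists (empty) before content arrives so it is announced -->
      <span id="test_errors" aria-live="polite"></span>
      <div class="input-group">
        <!-- The visible "Url" addon doubles as the input's accessible name via aria-labelledby -->
        <span class="input-group-addon" id="test_url_label">Url</span>
        <input type="url" inputmode="url" autocomplete="url" class="form-control" placeholder="https://example.org/cgi-bin/shockme.cgi" id="test_url" name="test_url" aria-labelledby="test_url_label">
      </div>
      <p>
        <button type="button" id="btn_shock" class="btn btn-lg btn-default pull-right">Shock!</button>
      </p>
      <p>
        <small>Please test responsibly. All test details are logged. Do not test against websites that you do not have permission to test against. All data is archived in case of abuse.</small>
      </p>
      <p>Here is an example script that is vulnerable. Place this in your /cgi-bin/shockme.cgi and try hitting it with the shock tester.</p>
      <pre>#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "https://shellshocker.net/"
</pre>
      <p><strong>Last updated Friday September 26th at 4:43PM EST</strong>: <small>This website tester will now wait for a valid response before returning the state of the vulnerability. If the server responds with a 500 we assume you're vulnerable and we display the response immediately without waiting. If we get any other response code we will wait 3 seconds for a reply from your server and display if you're vulnerable or not.</small></p>
    </div>
    <!-- Fragment target for the "System Tester" nav link -->
    <a id="systemtest"></a>
  </div>
</div>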
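<!-- Local self-test panel: each command prints a marker string when the installed bash is affected.
     Shell '<' inside the <pre> blocks is written as &lt; so it renders as text instead of opening a tag. -->
<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><i class="fa fa-terminal" aria-hidden="true"></i> Testing Your System</h3>
  </div>
  <div class="panel-body">
    <p>To test your system, you can simply run this one liner below to find if you're vulnerable.</p>
    <pre>curl https://shellshocker.net/shellshock_test.sh | bash</pre>
    <p>You can view the source of <a target="_blank" rel="noopener noreferrer" href="https://github.com/wreiske/shellshocker/blob/master/shellshock_test.sh">shellshock_test.sh on GitHub</a>.</p>
    <!-- NOTE(review): if this screenshot conveys the expected output, give it a descriptive alt -->
    <img class="img-responsive center-block" src="/shellshock_test.jpg" alt="">
    <p>If you want to test each exploit individually without running the script above, feel free! They are listed below.</p>
    <h4>Exploit 1 (<a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a>)</h4>
    <p>
      There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.
    </p>
    <pre>env x='() { :;}; echo vulnerable' bash -c "echo this is a test"</pre>
    <p>
      If you see "vulnerable" you need to <a href="#fix">update bash</a>. Otherwise, you should be good to go.
    </p>
    <h4>Exploit 2 (<a target="_blank" rel="noopener noreferrer" href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169">CVE-2014-7169</a>)</h4>
    <p>Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.</p>
    <pre>env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo</pre>
    <p>If the above command outputs the current date (it may also show errors), you are still vulnerable.</p>
    <h4>Exploit 3 (???)</h4>
    <p>
      Here is another variation of the exploit. <em>Please leave a comment below if you know the CVE of this exploit.</em>
    </p>
    <pre>env X=' () { }; echo hello' bash -c 'date'</pre>
    <p>If the above command outputs "hello", you are vulnerable.</p>
    <h4>Exploit 4 (<a target="_blank" rel="noopener noreferrer" href="https://access.redhat.com/security/cve/CVE-2014-7186">CVE-2014-7186</a>)</h4>
    <pre>bash -c 'true &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF &lt;&lt;EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"</pre>
    <p>A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".</p>
    <h4>Exploit 5 (<a target="_blank" rel="noopener noreferrer" href="https://access.redhat.com/security/cve/CVE-2014-7187">CVE-2014-7187</a>)</h4>
    <pre>(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"</pre>
    <p>A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno".</p>
    <h4>Exploit 6 (<a target="_blank" rel="noopener noreferrer" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278">CVE-2014-6278</a>)</h4>
    <pre>shellshocker='() { echo You are vulnerable; }' bash -c shellshocker</pre>
    <p>You shouldn't see "You are vulnerable", if you're patched you will see "bash: shellshocker: command not found"</p>
    <h4>Exploit 7 (<a target="_blank" rel="noopener noreferrer" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277">CVE-2014-6277</a>)</h4>
    <pre>bash -c "f() { x() { _;}; x() { _;} &lt;&lt;a; }" 2>/dev/null || echo vulnerable</pre>
    <p>If the command outputs "vulnerable", you are vulnerable.</p>
    <hr>
    <p>If you've tested your system, please leave a comment below. Don't forget to include your bash version and what OS you're running. Type
      <code>bash --version</code> for bash, and
      <code>cat /etc/*release*</code> for your OS.</p>
    <!-- Fragment target for "The Fix" nav link -->
    <a id="fix"></a>
  </div>
</div>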
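<!-- Remediation panel: package-manager upgrade, build from source, and OS X instructions. -->
<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><i class="fa fa-shield" aria-hidden="true"></i> How to fix ShellShock</h3>
  </div>
  <div class="panel-body">
    <div class="alert alert-info" role="alert"><p><strong>Please Note!</strong> The patches available from bash are not yet 100% issue free. It's highly recommended that you still update your system and patch bash, even if it only fixes the first few exploits on your system. Please check back occasionally for updates, we will keep this page up to date with the latest patches available.</p></div>
    <h4>CentOS, Ubuntu, Linux systems</h4>
    <p>
      Shellshock is a vulnerability in <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Bash_(Unix_shell)">bash</a>. In order to patch your vulnerable system, you will need to get the most up to date version of bash available from <a target="_blank" rel="noopener noreferrer" href="https://www.gnu.org/software/bash/">GNU.org</a>.
    </p>
    <p>
      Depending on your package manager (yum, apt-get, etc) you may be able to just run a yum update and you'll be good to go.
    </p>
    <p>
      Here's how that's done:
    </p>
    <pre>yum update bash -y</pre>
    <p>For Ubuntu Systems:</p>
    <pre>apt-get update; apt-get install --only-upgrade bash</pre>
    <p>For Arch Linux:</p>
    <pre>pacman -Syu</pre>
    <p>
      If your package manager doesn't find an update, you will need to build bash from src.
    </p>
    <h4>Building From Source</h4>
    <p>You can patch bash with one command using our bash patcher, just run the following command and you should be good to go!</p>
    <p>Make sure you have patch installed before you run this command. <code>sudo apt-get install patch (yum install patch) etc...</code></p>
    <pre>curl https://shellshocker.net/fixbash | sh</pre>
    <p>If you want to do it yourself, feel free. Here are all the commands you'll need.</p>
    <!-- The patch loop initialises i explicitly (an unset i made `expr $i + 1` shell-dependent), uses POSIX
         arithmetic and %03d for the patch number, and globs the patch files instead of parsing ls output. -->
    <pre>cd ~/
mkdir bash
cd bash
wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
#download all patches
i=0
while true; do i=$((i + 1)); wget -N https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $i) || break; done
tar zxvf bash-4.3.tar.gz
cd bash-4.3
for p in ../bash43-[0-9][0-9][0-9]; do patch -p0 &lt; "$p"; done
./configure && make && make install
</pre>
    <h4>OS X</h4>
    <p>If you're running OS X, Apple has released official patches for <a target="_blank" rel="noopener noreferrer" href="https://support.apple.com/kb/DL1769?viewlocale=en_US&amp;locale=en_US">Mavericks</a>, <a target="_blank" rel="noopener noreferrer" href="https://support.apple.com/kb/DL1768">Mountain Lion</a> and <a target="_blank" rel="noopener noreferrer" href="https://support.apple.com/kb/DL1767">Lion</a>.</p>
    <p>You can also download and compile bash yourself using <a target="_blank" rel="noopener noreferrer" href="https://brew.sh/#install">brew</a> or <a target="_blank" rel="noopener noreferrer" href="https://www.macports.org/install.php">MacPorts</a>.</p>
    <p>We recommend using brew - Go to <a target="_blank" rel="noopener noreferrer" href="https://brew.sh/#install">https://brew.sh/</a> and install brew on your system.</p>
    <p>Once you have brew installed, run the following commands to update your system</p>
    <pre>brew update
brew install bash
sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash
</pre>
    <p>If you're using
      <strong>MacPorts</strong>, run the following:</p>
    <pre>sudo port selfupdate
sudo port upgrade bash
</pre>
    <p>Once you've updated, try the exploit again and report back your findings.</p>
    <!-- Fragment target for the "API" nav link -->
    <a id="api"></a>
  </div>
</div>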
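<!-- Public API description: the shock endpoint and the stats endpoint. -->
<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><i class="fa fa-code" aria-hidden="true"></i> API</h3>
  </div>
  <div class="panel-body">
    <p>If you're a third party developer and you'd like to integrate shellshocker into your application (perfect for browser extensions), here is the API.</p>
    <h4>Shock API</h4>
    <p>Send a <strong>GET</strong> or <strong>POST</strong> request to:</p>
    <pre>https://shellshocker.net/shock?url=https://example.com</pre>
    <p>You will get a JSON object with a <strong>status</strong> and a <strong>message</strong>.</p>
    <p><strong>status</strong> of 0 (Failure) with a failure <strong>message</strong>. <strong>status</strong> of 1 (Vulnerable) with a <strong>message</strong>. <strong>status</strong> of 2 (Maybe) and a <strong>message</strong>. <strong>status</strong> of 3 (404 or 403) and the response <strong>message</strong>.</p>
    <h4>Shock Stats API</h4>
    <p>Send a <strong>GET</strong> request to:</p>
    <pre>https://shellshocker.net/stats</pre>
    <p>You will get a JSON object with <strong>total_vulnerable</strong> and <strong>total</strong> tests.</p>
    <p><strong>Please note: If you use our API, please provide a link back to this page and let your users know that the results are provided by shellshocker.net. If you do not, we will revoke API requests from your utility.</strong></p>
    <!-- Fragment target for the "Comment" nav link -->
    <a id="comment"></a>
  </div>
</div>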
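<!-- Landing note for admins who arrive via the marker string the tester leaves in access logs. -->
<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> Server Admins</h3>
  </div>
  <div class="panel-body">
    <p>Welcome! You're probably here because you see messages in your access logs that look like this:</p>
    <pre>#Your system may be vulnerable to ShellShock. Please visit https://shellshocker.net/ for more information.</pre>
    <!-- Link text names its destination so it makes sense out of context -->
    <p>No need to worry, everything you need to know is on this page. Learn how to test and patch your server, starting with <a href="#fix">how to fix ShellShock</a>.</p>
  </div>
</div>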
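<!-- Disqus comment thread. -->
<div class="panel panel-default">
  <div class="panel-heading">
    <h3 class="panel-title"><i class="fa fa-comments" aria-hidden="true"></i> Comments</h3>
  </div>
  <div class="panel-body">
    <!-- Disqus renders the thread into this element -->
    <div id="disqus_thread"></div>
    <script>
      /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
      var disqus_shortname = 'shellshocker'; // required: forum shortname, used to build the embed URL below
      /* * * DON'T EDIT BELOW THIS LINE * * */
      (function() {
        // Explicit https: so the embed script is never fetched over plain http
        var dsq = document.createElement('script');
        dsq.async = true;
        dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js';
        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
      })();
    </script>
    <noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
    <a href="https://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
  </div>
</div>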
<!-- /container -->
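<!-- AddThis share configuration: tweets sent from the share widget are attributed "via" the site's handle.
     The object is assigned directly; the previous `addthis_share || {}` default was overwritten on the next line anyway. -->
<script>
  var addthis_share = {
    passthrough: {
      twitter: {
        via: "shellshockernet"
      }
    }
  };
</script>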
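<!-- Google AdSense unit (bottom of page). The adsbygoogle.js loader is already included once by the top ad
     unit; a second copy is redundant, so only the slot and its push({}) are emitted here. -->
<!-- shellshocker.net -->
<ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-1808672741905857" data-ad-slot="8928803123" data-ad-format="auto"></ins>
<script>
  (adsbygoogle = window.adsbygoogle || []).push({});
</script>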
<!-- Donation link (bitcoin: URI) -->
<p style="text-align:center"><small>Like the site? bitcoin: <a href="bitcoin:16fRZC2r4Nwn6fxMnXfPvNdJLgWpvaiVTG">16fRZC2r4Nwn6fxMnXfPvNdJLgWpvaiVTG</a></small></p>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
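<!-- Page scripts, in dependency order: jQuery first, then the site script, then Bootstrap, then AddThis.
     Third-party URLs use an explicit https: scheme.
     TODO(review): add integrity="sha384-<HASH>" crossorigin="anonymous" to the CDN scripts so a tampered
     response cannot execute in this origin. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="/shellshock.min.js?rev=09292014-336pm"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js"></script>
<script src="https://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5423ce5b6319e090" async></script>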
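<!-- Piwik -->
<!-- Self-hosted Piwik page-view tracking. The tracker base URL is explicit https: so neither piwik.js nor the
     noscript beacon is requested over plain http. -->
<script>
  var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u = "https://shellshocker.net/analytics/piwik/";
    _paq.push(['setTrackerUrl', u + 'piwik.php']);
    _paq.push(['setSiteId', 1]);
    var d = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
    g.async = true; g.defer = true; g.src = u + 'piwik.js'; s.parentNode.insertBefore(g, s);
  })();
</script>
<noscript><p><img src="https://shellshocker.net/analytics/piwik/piwik.php?idsite=1" style="border:0;" alt=""></p></noscript>
<!-- End Piwik Code -->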
</body>
</html>