Shocker is a tool to find and exploit servers vulnerable to Shellshock
\nReleased as open source by NCC Group Plc – https:\/\/www.nccgroup.trust\/
\nDeveloped By: Tom Watson, tom [dot] watson [at] nccgroup [dot] trust
\nhttps:\/\/github.com\/nccgroup\/shocker
\nHelp Text
\nusage:<\/p>\n
shocker.py\n-h, --help show this help message and exit\n--Host HOST, -H HOST A target hostname or IP address\n--file FILE, -f FILE File containing a list of targets\n--port PORT, -p PORT The target port number (default=80)\n--exploit EXPLOIT, -e EXPLOIT Command to execute (default=\/bin\/uname -a)\n--cgi CGI, -c CGI Single CGI to check (e.g. \/cgi-bin\/test.cgi)\n--proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'\n--ssl, -s Use SSL (default=False)\n--threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)\n--verbose, -v Be verbose in output\n<\/pre>\nUsage Examples<\/p>\n
.\/shocker.py -H 127.0.0.1 -e \"\/bin\/cat \/etc\/passwd\" -c \/cgi-bin\/test.cgi\n<\/pre>\nScans for http:\/\/127.0.0.1\/cgi-bin\/test.cgi and, if found, attempts to cat \/etc\/passwd<\/p>\n
.\/shocker.py -H www.example.com -p 8001 -s\n<\/pre>\nScan www.example.com on port 8001 using SSL for all scripts in cgi_list and attempts the default exploit for any found<\/p>\n
.\/shocker.py -f .\/hostlist\n<\/pre>\nScans all hosts listed in the file .\/hostlist with the default options
\nDependencies<\/strong>
\nPython 2.7+
\nTodo:<\/strong><\/p>\n\n
- Identify and respond correctly to HTTP\/200 response – false positives – Low priority\/hassle<\/li>\n
- Implement curses for *nix systems – For the whole application or only psuedo terminal? – Low\u00a0priority\/prettiness.<\/li>\n
- Thread the initial host check now that multiple targets are supported (and could be make this bit time consuming)<\/li>\n
- Change verbose to integer value – quiet, normal, verbose, debug?<\/li>\n
- Add option to skip initial host checks for the sake of speed?<\/li>\n
- Add a summary of results before exiting<\/li>\n
- Save results to a file? Format?<\/li>\n
- Eventually the idea is to include multiple possible vectors but currently only one is checked.<\/li>\n
- Add Windows and *nix colour support – Low priority\/prettiness<\/li>\n
- Add a timeout in interactive mode for commands which don’t return, e.g. \/bin\/cat \/dev\/zero<\/li>\n
- Prettify – Low priority\/pretinness (obviously)<\/li>\n
- Add support for scanning and explointing SSH and SMTP https:\/\/isc.sans.edu\/diary\/Shellshock+via+SMTP\/18879<\/li>\n
- Add SOCKS proxy support, potentially using https:\/\/github.com\/rpicard\/socksonsocks\/ from Rober Picard<\/li>\n
- Other stuff. Probably.<\/li>\n<\/ul>\n