Thursday, April 9, 2015

What's in the honeypot? Advanced Information Security Shellshock Scanner

In the honeypot I found over 276 requests for CGI files that could be used to exploit the Shellshock vulnerability, documented as CVE-2014-6271.


After using Google to identify some of the "cgi" files, I noticed the tool that had been used to scan the honeypot. The tool is hosted on Packet Storm's site at the following location:

The tool is called the "Advanced Information Security Shellshock Scanner" or AIS. It is a C program that can be compiled and then used to scan multiple computers by IP address. The program was authored by "Nicholas Lemonias" and posted Oct. 3, 2014.

A little about "Nicholas Lemonias".  I was able to find his Google+ page as shown below:
Viewing his author page at Packet Storm and many other pages, I found he has created quite the collection of exploits.

Well, back to the curiosity of the CGI files. I wanted to go through some of them, search Google, and try to identify what software, hardware, or device each one may reside on that the scanner is trying to exploit. The following is the list of CGI files with the associated products listed next to them:

"/agora.cgi" - Agora Shopping Cart - Currently version 6.0
"/aktivate/cgi-bin/catgy.cgi" - Aktivate Shopping Cart - Exploits date back to 2002 - Inactive
"/apps/web/vs_diag.cgi" - Banshee DAAP Extension for the Media Player - Active
"/axis-cgi/buffer/command.cgi" - Axis Communications Video Server 
"/cartcart.cgi" - ?? Found that multiple sites have this file
"/ccbill/whereami.cgi" - Related to a credit card billing site - Exploits date back to 2003
"/cgi-bin/boozt/admin/index.cgi" - Boozt! Clothing Store
"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi" - Cobalt RaQ Servers - Inactive
"/cgi-bin/ezshopper/search.cgi" - EZ Shopper

So, taking a quick sample of the CGI scripts that are searched for, I find that this is a very inefficient tool. It scans for CGI files that are specific to shopping sites. A couple of them were for shopping carts that would be downloaded and installed. To make this script more efficient I would look for the widely available CGI files versus the more specific ones. So if I were to give the tool a grade, I would give it the following:


If I were to give the script kiddie using it a grade, they would receive an "F" for failing to do reconnaissance on a site first rather than just throwing a tool at it.
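The kind of log triage that produces a request count like the one above, as an added example (not code from this post or from the AIS tool): it scans access-log lines for the CVE-2014-6271 function-definition signature in the Referer and User-Agent headers and tallies which CGI paths were probed. It assumes Apache "combined" log format; the sample lines are constructed, and the path-to-product mapping is taken from the list in the post.

```python
import re
from collections import Counter

# Shellshock (CVE-2014-6271) probes put a bash function definition, "() {",
# in an HTTP header that the web server exports to a CGI script as an env var.
SHELLSHOCK_SIG = re.compile(r"\(\)\s*\{")

# Apache "combined" log format (assumed); Referer and User-Agent are the two
# headers most commonly used to carry the probe, so both are checked below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path-to-product mapping taken from the list in the post.
CGI_PRODUCTS = {
    "/agora.cgi": "Agora Shopping Cart",
    "/aktivate/cgi-bin/catgy.cgi": "Aktivate Shopping Cart",
    "/axis-cgi/buffer/command.cgi": "Axis Communications Video Server",
    "/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi": "Cobalt RaQ",
}
# Constructed sample log (not from the honeypot); the header payloads only echo.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2015:10:01:02 +0000] "GET /agora.cgi HTTP/1.1" 404 210 "-" "() { :; }; echo shellshock-test"
203.0.113.5 - - [09/Apr/2015:10:01:03 +0000] "GET /axis-cgi/buffer/command.cgi HTTP/1.1" 404 210 "() { :; }; echo test" "curl/7.35"
198.51.100.7 - - [09/Apr/2015:10:02:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2015:10:03:10 +0000] "GET /agora.cgi HTTP/1.1" 404 210 "-" "() { :; }; /bin/true"
"""

def find_shellshock_probes(log_text):
    """Return (Counter of probed paths, set of source IPs) for signature hits."""
    per_path, sources = Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if SHELLSHOCK_SIG.search(m["ua"]) or SHELLSHOCK_SIG.search(m["referer"]):
            per_path[m["path"]] += 1
            sources.add(m["ip"])
    return per_path, sources

def report(per_path):
    """Pair each probed path with the product the post associates with it."""
    return [(p, n, CGI_PRODUCTS.get(p, "unknown")) for p, n in per_path.most_common()]

if __name__ == "__main__":
    counts, ips = find_shellshock_probes(SAMPLE_LOG)
    for path, n, product in report(counts):
        print(f"{n:3d}  {path}  ({product})")
```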
