Monday, October 13, 2014

the shocker

sure... we have centralized everything. what we sysadmins actually have is root pubkeys all over the place. so how do we figure out how much of a pain patching is going to be for the many shellshock (cve-2014-6271) and aftershock (cve-2014-7169) boxes on our networks? well, crap. first step is to enumerate. yank the dns zone files, strip them down to one address per line, and feed the list into:
shocking.sh
#!/bin/bash
# shocking.sh - push theshocker.sh to every host in strippedzonefile, run it
# over ssh as root (pubkey auth only, never a password prompt) and mail the
# collected output. Runs from the box that holds the root key.
datestamp=$(date +"%m-%d-%Y")
: > output                         # start a fresh report each run
for ip_addr in $(cat strippedzonefile) ; do
  # one ping to skip dead hosts quickly
  ping -q -c 1 "$ip_addr" > /dev/null 2>&1 || continue
  echo " *** $ip_addr *** " >> output
  scp -B theshocker.sh root@"$ip_addr":/root/ >> output
  ssh -o ConnectTimeout=1 -o BatchMode=yes -o ConnectionAttempts=1 \
      -o PasswordAuthentication=no root@"$ip_addr" \
      /bin/bash /root/theshocker.sh >> output
  echo "done"
done
cat output | mail -s "shellshock and aftershock report $datestamp" you@somewhere
which scps theshocker.sh to each host and runs it as root. BatchMode=yes plus PasswordAuthentication=no means a host that does not have your pubkey just fails fast instead of hanging the whole loop on a password prompt. theshocker.sh itself:
#!/bin/sh
# theshocker.sh - runs on the target, prints one line per cve.
# cve-2014-6271: a vulnerable bash executes the "echo true" tacked onto the
# function definition while importing it from the environment, so
# $SHELLSHOCK ends up non-empty.
SHELLSHOCK=`env x='() { :;}; echo true' /bin/bash -c "" 2>/dev/null`
# cve-2014-7169: the first fix left a dangling redirect in the parser, so
# "echo date" gets rewritten to "date > echo". beware: on a vulnerable bash
# this leaves a file named "echo" in the current directory (here /root).
AFTERSHOCK=`env var='() {(a)=>\' /bin/bash -c "echo date | grep -v date" 2>/dev/null`
if [ -n "$SHELLSHOCK" ]
then
  echo "cve-2014-6271 vulnerability detected - shellshock"
else
  echo "cve-2014-6271 not detected - shellshock"
fi
if [ -n "$AFTERSHOCK" ]
then
  echo "cve-2014-7169 vulnerability detected - aftershock"
else
  echo "cve-2014-7169 not detected - aftershock"
fi
which lands in output like so (hosts where the scp/ssh step failed, no key or timeout, only get their marker line):
*** 192.168.6.199 ***
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
*** 192.168.6.20 ***
*** 192.168.6.21 ***
you get the picture.
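the same pipeline as shell functions you can exercise on one box before pointing it at the fleet: the "strip the zone file" step, and the two probes using the widely published test strings, with the 7169 probe run in a scratch directory because its side effect is a file named echo. this is an added example, not the post's own scripts; the zone snippet is constructed, example.com and the addresses are made up, and the names ZONE_SAMPLE, strip_zone, check_shellshock, check_aftershock and report_host are mine. like the post it assumes the bash under test is /bin/bash.

```shell
#!/bin/sh
# Added example (not from the original post): zone stripping plus both
# probes as functions, so they can be run and checked on one machine first.
# Assumes the bash under test is /bin/bash, as in the post's own scripts.

# Constructed BIND-style zone snippet standing in for "the dns zone files".
ZONE_SAMPLE='$ORIGIN example.com.
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2014101301 3600 900 604800 86400 )
        IN  NS  ns1.example.com.
ns1     IN  A   192.168.6.20
www     IN  A   192.168.6.21
www     IN  A   192.168.6.21   ; duplicate record, must only be probed once
db      3600 IN A 192.168.6.199
mail    IN  MX  10 mail.example.com.
v6      IN  AAAA 2001:db8::1   ; not an ssh target for this loop, skipped
; comment line'

# strip_zone: zone text on stdin -> one IPv4 address per line, deduplicated
# and numerically sorted. Only A records are kept; ";" comments are dropped.
strip_zone() {
    awk '{
        sub(/;.*/, "")
        for (i = 1; i < NF; i++)
            if ($i == "A" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                print $(i+1)
    }' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# check_shellshock: cve-2014-6271. Returns 0 (true) if bash executed the
# command appended to the function definition while importing it, else 1.
check_shellshock() {
    out=$(env x='() { :;}; echo vulnerable' /bin/bash -c ':' 2>/dev/null)
    [ "$out" = "vulnerable" ]
}

# check_aftershock: cve-2014-7169. The first fix left a dangling redirect in
# the parser, so "echo date" is executed as "date > echo" and a file named
# "echo" appears in the working directory. Probe inside a scratch directory
# so the artifact never lands in /root and is always cleaned up.
check_aftershock() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && env X='() { (a)=>\' /bin/bash -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$dir/echo" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# report_host: the same two lines the post's theshocker.sh prints.
report_host() {
    if check_shellshock; then
        echo "cve-2014-6271 vulnerability detected - shellshock"
    else
        echo "cve-2014-6271 not detected - shellshock"
    fi
    if check_aftershock; then
        echo "cve-2014-7169 vulnerability detected - aftershock"
    else
        echo "cve-2014-7169 not detected - aftershock"
    fi
}

# Stand-alone run: print the target list, then probe this machine's own bash.
printf '%s\n' "$ZONE_SAMPLE" | strip_zone
report_host
```

strip_zone only keeps A records, so the AAAA host and the MX/NS glue never reach the ssh loop, and the duplicate www entry is probed once. the 7169 probe returns its verdict from the existence of the echo file rather than from captured stdout, which is the observable the published test relies on.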
