sure... we have centralized everything. what we sysadmins do have are pubkeys all over the place. so how do we figure out how much of a pain patching the many shellshock and aftershock systems on our networks is going to be?
well crap. first step is to enumerate. yank the dns zone files, strip them down to just the addresses, and feed them into:
shocking.sh
#!/bin/bash
# walks every address in the stripped zone file, pushes theshocker.sh over
# with the key you already have on the box, runs it, and mails the results.
datestamp=$(date +"%m-%d-%Y")
: > output
for ip_addr in $(cat strippedzonefile) ; do
  # -W 1 so a dead host costs one second instead of hanging the whole run
  ping -q -c 1 -W 1 "$ip_addr" > /dev/null 2>&1 || continue
  echo " *** $ip_addr *** " >> output
  # stderr goes into the report too, so a host with no key for us shows
  # "Permission denied" under its header instead of silently looking clean
  scp -B -o ConnectTimeout=1 theshocker.sh "root@$ip_addr:/root/" >> output 2>&1 &&
  ssh -o ConnectTimeout=1 -o BatchMode=yes -o ConnectionAttempts=1 \
      -o PasswordAuthentication=no "root@$ip_addr" \
      /bin/bash /root/theshocker.sh >> output 2>&1
  echo "done $ip_addr"
done
mail -s "shellshock and aftershock report $datestamp" you@somewhere < output
which scp's over and runs
theshocker.sh
#!/bin/sh
# cve-2014-6271: a vulnerable bash runs whatever follows the function body
# when it imports the variable, so "true" lands on stdout.
SHELLSHOCK=$(env x='() { :;}; echo true' /bin/bash -c "" 2>/dev/null)

# cve-2014-7169: the truncated function body leaves a dangling ">" in the
# parser, so "echo date" gets parsed as "date > echo" and a file named "echo"
# appears in the current directory. stdout is empty whether bash is patched
# or not, so run it in a scratch dir and test for that file instead.
scratch=$(mktemp -d /tmp/aftershock.XXXXXX)
( cd "$scratch" && env var='() { (a)=>\' /bin/bash -c "echo date" >/dev/null 2>&1 )
if [ -s "$scratch/echo" ] ; then AFTERSHOCK=yes ; else AFTERSHOCK= ; fi
rm -rf "$scratch"

if [ -n "$SHELLSHOCK" ]
then
  echo "cve-2014-6271 vulnerability detected - shellshock"
else
  echo "cve-2014-6271 not detected - shellshock"
fi
if [ -n "$AFTERSHOCK" ]
then
  echo "cve-2014-7169 vulnerability detected - aftershock"
else
  echo "cve-2014-7169 not detected - aftershock"
fi
which outputs to
output:
*** 192.168.6.199 ***
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
*** 192.168.6.20 ***
*** 192.168.6.21 ***
you get the picture.
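With a few hundred hosts the raw output file stops being readable, so here is a summarizer for it. This is an added example, not part of the original post; it assumes the " *** ip *** " header lines and the two checker lines exactly as shocking.sh and theshocker.sh write them, and the sample report it builds is constructed for the demonstration. A host that answered ping but has nothing under its header (192.168.6.20 above) means scp or ssh never got in, so it is reported as UNKNOWN and needs a follow-up rather than being quietly counted as clean.

```shell
#!/bin/bash
# Added example: summarize the "output" file from shocking.sh into one
# status per host plus totals. Assumed layout: " *** <ip> *** " header lines
# followed by the "cve-... detected" lines that theshocker.sh prints.

# Constructed sample report in the same layout as the post's output file.
make_sample_report() {
    cat > "$1" <<'EOF'
 *** 192.168.6.199 *** 
cve-2014-6271 vulnerability detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
 *** 192.168.6.20 *** 
 *** 192.168.6.21 *** 
cve-2014-6271 not detected - shellshock
cve-2014-7169 not detected - aftershock
 *** 192.168.6.22 *** 
cve-2014-6271 not detected - shellshock
cve-2014-7169 vulnerability detected - aftershock
EOF
}

# Print "<ip> <status>" per host, in file order:
#   VULNERABLE  at least one of the two CVEs was detected
#   PATCHED     both checks ran and neither fired
#   UNKNOWN     header present but no checker output (scp/ssh/key problem)
host_status() {
    awk '
        /^ *\*\*\* .* \*\*\* *$/ { flush(); host = $2; seen = 0; vuln = 0; next }
        /vulnerability detected/ { seen = 1; vuln = 1 }
        /not detected/           { seen = 1 }
        END                      { flush() }
        function flush() {
            if (host == "") return
            if (!seen)     print host, "UNKNOWN"
            else if (vuln) print host, "VULNERABLE"
            else           print host, "PATCHED"
        }
    ' "$1"
}

# usage: count_status FILE STATUS  -> number of hosts with that status
count_status() {
    host_status "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# usage: ./summarize.sh output
if [ "$#" -gt 0 ] ; then
    host_status "$1"
    for s in VULNERABLE PATCHED UNKNOWN ; do
        echo "$s: $(count_status "$1" "$s")"
    done
fi
```

Feed it the same `output` file the mail is built from; the per-host lines sort cleanly into a ticket list, and the UNKNOWN count tells you how many boxes the key sprawl is hiding from the scan.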