I was able to use the Bash Shellshock vulnerability last week to manually find a vulnerability in a web server through the HTTP User-Agent. If you can do something manually, there is a good chance that it can be done programmatically. This Python program is an extension of that belief.
This program has three simple parts: an ICMP network listener, a urllib2 HTTP request generator, and a simple parser that displays the results. Why ICMP? Five ping packets generated from a vulnerable server should not be a huge burden. Isn’t urllib2 pretty dated? It really is, but it ignores SSL certificate issues, so I didn’t have to handle HTTPS requests differently from the HTTP requests.
This isn’t weaponized at all. While it can be weaponized pretty easily, that is up to you, and we don’t recommend testing this on an address that you aren’t authorized to use. Metasploitable2 has a Shellshock User-Agent vulnerability if you want to test this on a controlled network.
Usage: python shellshockUAScanner.py -r <CIDR range> -t <number of threads, default is 16> -i <interface, default is eth0>
shellshockUAScanner – source code
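The defender's view of the same probe, as an added example that is not part of the original program: a Shellshock request carries a header value that begins with a Bash function definition, and that value is written to the web server's access log. The function names and log lines below are constructed, the log is assumed to be in Apache/nginx "combined" format, and the check covers Referer as well as the User-Agent header discussed above.

```python
import re
from collections import Counter

_Q = r'(?:[^"\\]|\\.)*'  # body of a quoted field; Apache writes embedded quotes as \"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"'
)
# Vulnerable Bash parses a value beginning with "() {" as a function definition.
# The match is deliberately looser (any position, optional whitespace).
MARKER = re.compile(r'\(\)\s*\{')

def find_shellshock_probes(lines):
    """Return one record per logged header that carries the function-definition marker."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for header in ("agent", "referer"):
            if MARKER.search(m.group(header)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "request": m.group("request"),
                    "status": int(m.group("status")),
                    "header": header,
                })
    return hits

def probes_by_source(hits):
    """Count flagged headers per client address."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log lines (documentation address ranges, placeholder command).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Oct/2014:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [02/Oct/2014:10:15:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; PLACEHOLDER_COMMAND"',
    '198.51.100.7 - - [02/Oct/2014:10:15:03 +0000] "GET /index.html HTTP/1.1" 404 209 "-" "() { :; }; PLACEHOLDER_COMMAND"',
    '192.0.2.10 - - [02/Oct/2014:10:15:04 +0000] "GET /app.js HTTP/1.1" 200 100 "http://example.test/" "curl/7.38.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

A match only shows that the probe was sent, not that the host is vulnerable; a flagged request that returned 200 on a CGI path is the one to triage first.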