current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 2 down vote favorite
1

I am interested in testing for shellshock vulnerable machines that I don't have shell access to on my LAN's and WAN's such as IPMI cards and Internet of things devices. What is the best way to remotely verify the vulnerability on machines? Does anybody have a simple shell script that can be run?

I want to avoid using any websites that do this test as they may actually take advantage of the information gained by running the tests on vulnerable machines.

share|improve this question

closed as too broad by Gilles, Anthon, slm Sep 26 at 7:27

There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue that can be answered in a few paragraphs.If this question can be reworded to fit the rules in the help center, please edit the question.
    
Hmm... is it possible to test something remotely on the internet, without shell server, http server, telnet server, or any other kind of socket listening? –  Adionditsak Sep 25 at 18:31
    
There are many black box devices out there with web services but no shell. These types of devices are listening for some services. An example are IPMI cards. –  JavaScriptDude Sep 25 at 18:40
    
Maybe worth trying? Uses masscan, but you can select the IP ranges. blog.erratasec.com/2014/09/… Note: I haven't tried that myself. –  Sebastian Sep 25 at 18:43
    
Shellshock isn't directly remotely exploitable or testable. You need to be running a service which exposes something that triggers bash. Testing for it will depend on what kind of services the machine provides. Embedded systems rarely have bash in the first place anyway. –  Gilles Sep 26 at 0:16
    
True. Busybox or other monolithic *nix toolkits are not susceptible to this particular venerability and most embeded systems will use such a system. I'm feeling guilty now for cursing busybox so much previously. –  JavaScriptDude Sep 26 at 3:53