Land #3897 - Fix check for apache_mod_cgi_bash_env & apache_mod_cgi_bash_env_exec

2014-09-26 17:06:23 -05:00 · 2014-09-26 17:06:23 -05:00 · c75a0185ec
parent 80d9af9b49 3259509a9c
commit c75a0185ec
2 changed files with 34 additions and 4 deletions
--- a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
+++ b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
@ -57,10 +57,25 @@ class Metasploit4 < Msf::Auxiliary
        :name => self.name,
        :refs => self.references
      )
-      Exploit::CheckCode::Vulnerable
+      return Exploit::CheckCode::Vulnerable
+    elsif res && res.code == 500
+      injected_res_code = res.code
    else
-      Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Safe
    end
+
+    res = send_request_cgi({
+      'method' => datastore['METHOD'],
+      'uri' => normalize_uri(target_uri.path.to_s)
+    })
+
+    if res && injected_res_code == res.code
+      return Exploit::CheckCode::Unknown
+    elsif res && injected_res_code != res.code
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Unknown
  end

  def run_host(ip)
--- a/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
+++ b/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
@ -69,10 +69,25 @@ class Metasploit4 < Msf::Exploit::Remote
    res = req("echo #{marker}")

    if res && res.body.include?(marker * 3)
-      Exploit::CheckCode::Vulnerable
+      return Exploit::CheckCode::Vulnerable
+    elsif res && res.code == 500
+      injected_res_code = res.code
    else
-      Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Safe
    end
+
+    res = send_request_cgi({
+      'method' => datastore['METHOD'],
+      'uri' => normalize_uri(target_uri.path.to_s)
+    })
+
+    if res && injected_res_code == res.code
+      return Exploit::CheckCode::Unknown
+    elsif res && injected_res_code != res.code
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Unknown
  end

  def exploit