adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

apache_mod_cgi_bash_env cleanup

Browse Source
This commit is contained in:
h00die
2020-03-28 16:46:55 -04:00
parent 3588c3915b
commit 97ebe82e6c
1 changed files with 61 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.md
+61 -56
View File
@@ -9,74 +9,78 @@ To setup an Environment that the scanner can be run against, follow the below st
vulnerable OS and Apache version.
To ensure that you have a vulnerable version of bash:
1. Install Ubuntu 12.04.5 LTS from ISO (available at: http://cdimage.ubuntu.com/releases/12.04/release/)
2. log into console
3. run
```
env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
```
4. The shell will return the below text to confirm that the environment is vulnerable
```
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
```
(NOTE: The next series of commands should be run as root or with sudo) <br>
5. Also install Apache2 from the apt repository with the following command
```
apt-get install apache2
```
6. Enable cgi-mod in apache with the following command
```
ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load
```
7. Restart the apache service with the following command
```
service apache2 reload
```
8. In your favorite text editor create a file (as root) in /usr/lib/cgi-bin called test.sh with the following contents
```
#!/bin/bash
printf "Content-type: text/html\n\n"
printf "Test!\n"
```
9. Set the file to be executable with the following command
```
chmod +x /usr/lib/cgi-bin/test.sh
```
1. Install [Ubuntu 12.04.5 LTS](http://cdimage.ubuntu.com/releases/12.04/release/)
2. Log into console
3. Confirm the host is vulnerable (see next section)
4. Also install Apache2 from the apt repository with the following command
```
sudo apt-get install apache2
```
5. Enable cgi-mod in apache with the following command
```
sudo ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load
```
6. Restart the apache service with the following command
```
sudo service apache2 reload
```
7. In your favorite text editor create a file (as root) in `/usr/lib/cgi-bin` called `test.sh` with the following contents:
```
#!/bin/bash
printf "Content-type: text/html\n\n"
printf "Test!\n"
```
8. Set the file to be executable with the following command
```
sudo chmod +x /usr/lib/cgi-bin/test.sh
```
### To check if a host is vulnerable to the attack
1. run (on the host)
```
env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
```
2. The shell will return the below text if the environment is vulnerable
```
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
```
1. Run (on the host)
```
env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
```
2. The shell will return the below text if the environment is vulnerable
```
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test
```
## Verification Steps
1. Do: run `msfconsole`
2. Do: use `auxiliary/scanner/http/apache_mod_cgi_bash_env`
2. Do: set `RHOSTS [IP]`
3. Do: set `TARGETURI [URI]`
4. Do: `run`
3. Do: set `RHOSTS [IP]`
4. Do: set `TARGETURI [URI]`
5. Do: `run`
## Options
**CMD**
This is the command that will be run by the scanner. The default setting is `/usr/bin/id`.
**CVE**
**CVE**
This is the CVE that will be used to exploit the vulnerability.
The default setting is `CVE-2014-6271` but valid options are CVE-2014-6271 or CVE-2014-6278.
This is the CVE that will be used to exploit the vulnerability.
The default setting is `CVE-2014-6271` but valid options are `CVE-2014-6271` or `CVE-2014-6278`.
**HEADER**
@@ -87,7 +91,9 @@ This is the user agent string that is sent when the module is run. The default s
This is HTTP method used by the module. The default setting is `GET`.
## Scenarios
### Ubuntu 12.04.5 LTS on Apache 2.2.22
```
msf5 > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set RHOSTS 172.16.131.134
@@ -100,4 +106,3 @@ msf5 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```