Commix Automated All-in-One OS Command Injection and Exploitation Tool

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in Python programming language.

Disclaimer

The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Upload Shells

Commix enables you to upload web-shells (e.g metasploit PHP meterpreter) easily on target host. For more, check 'upload shells' wiki page.

Modules Development

Do you want to increase the capabilities of the commix tool and/or to adapt it to our needs? You can easily develop and import our own modules. For more, check 'module development' wiki page.

Command Injection Testbeds

A collection of pwnable VMs, that includes web apps vulnerable to command injections.

• Damn Vulnerable Web App (DVWA)
• Xtreme Vulnerable Web Application (XVWA)
• OWASP: Mutillidae
• bWAPP: bee-box (v1.6)
• Persistence
• Pentester Lab: Web For Pentester
• Pentester Lab: CVE-2014-6271/Shellshock
• Pentester Lab: Rack Cookies and Commands injection
• Pentester Academy: Command Injection ISO: 1
• SpiderLabs: MCIR (ShelLOL)
• Kioptrix: Level 1.1 (#2)
• Kioptrix: 2014 (#5)
• Acid Server: 1
• Flick: 2
• w3af-moth
• commix-testbed  

download link : https://github.com/stasinopoulos/commix  

How to install :

Proof of concept : 

HTTP Denial of Service Range Header Integer Overflow.

HTTP.sys Denial of Service (MS15-034 /CVE-2015-1635) Range Header Integer Overflow.

The vulnerability is due to crafted HTTP request by passing large value in Range header, IIS fails to validate the value properly leading to Denial of Service (Unresponsive or Blue Screen of Death) and possible Code Execution.
To trigger the vulnerability request a resource which must be present on the IIS web server, I used sample files (img.jpg, index.html in this demo.)
To understand the risk it is import to know what HTTP.sys does. Here is what Microsoft’s documentation has to say about it.

According to the published Microsoft Security Bulletin, MS15-034 is a remote code execution vulnerability caused by HTTP.sys improperly parsing specially crafted HTTP requests. Specifically this exploit can be triggered using the Range header of an HTTP request, causing an Integer overflow. While the bulletin indicates Remote Code Execution is possible (and as such rates this vulnerability as Critical), so far I have only been able to generate a Denial of Service condition and have not yet seen any RCE code in the wild (though I’m sure someone is working hard at it). Before I get into the details of the vulnerability, let’s take a quick look at HTTP.sys and its purpose.

Range Header:

This vulnerability can be triggered via the Range header. The Range header is used in an HTTP request to return a portion (or range of bytes) of a given resource. Take for example, the following requests that illustrate how to obtain a index.html file using the Range header.
HTTP.sys provides the following benefits:

Kernel-mode caching. Requests for cached responses are served without switching to user mode.

Kernel-mode request queuing. Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.

Request pre-processing and security filtering.

Because the software is running in kernel mode successful exploitation can have serious consequences for the system. Unlike exploits in user mode software, kernel mode exploits may bypass memory protections, possibly allowing an attacker to cause a system crash. Microsoft indicates the vulnerability could allow remote code execution, and published work others have does that is currently circulation appears to offer partial confirmation. If this proves to be true the vulnerability could be used to obtain system level access.

How it works:

The vulnerability is very similar to those that have been seen in the Apache web server in the past. A value is passed to the HTTP Range header that will over flow the 64-bit integer the software allocates to store it, when converted from the text of the HTTP request. Normally the Range header is used by clients to request part of a document. Trigging the overflow may allow an attacker to cause memory or file access outside the expected boundaries.
Original PoC was posted on Vulnerability in “HTTP.sys Could Allow Remote Code Execution”. 


Proof of concept :

step 1 : kali linux run only system

step 2 : wget --header="range: bytes= 18-18446744073709551615" http://website link