20199322 "Linux Kernel Principles and Analysis" Week 11 Assignment

ShellShock attack lab

Experimental environment
Shiyanlou (实验楼) online lab platform

Download bash 4.1 (the old, unpatched release) and install it



After installation, check whether this bash is vulnerable to Shellshock

The word "vulnerable" appears in the output, so the vulnerability is present
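As an added example (not from the original post, which shows this step only as a screenshot), here is the same probe done from C rather than as a shell one-liner. It runs the bash binary given by path with an environment variable whose value is a function body followed by an extra command, and reports whether that extra command ran during environment import. The function name probe_shellshock and the choice of /bin/bash as the path to probe are this example's own; the path must be absolute because it is passed straight to execve.

```c
/* Added example: probe a bash binary for CVE-2014-6271 (Shellshock).
 * The child runs `bash -c 'echo this is a test'` with the environment
 * entry x='() { :;}; echo vulnerable'. An unpatched bash executes the
 * trailing "echo vulnerable" while importing x as a function, so the
 * string "vulnerable" shows up in the child's stdout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if the bash at bash_path is vulnerable, 0 if it is not,
 * and -1 if the probe could not be run (e.g. bash_path does not exist). */
int probe_shellshock(const char *bash_path)
{
    int fd[2];
    if (pipe(fd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: send stdout into the pipe, run bash with a minimal
         * environment that carries only the payload variable and PATH. */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        char *const argv[] = { (char *)bash_path, "-c", "echo this is a test", NULL };
        char *const envp[] = { "x=() { :;}; echo vulnerable", "PATH=/usr/bin:/bin", NULL };
        execve(bash_path, argv, envp);
        _exit(127);                       /* exec failed */
    }

    /* Parent: collect the child's output, then its exit status. */
    close(fd[1]);
    char buf[256];
    size_t len = 0;
    ssize_t n;
    while ((n = read(fd[0], buf + len, sizeof buf - 1 - len)) > 0) {
        len += (size_t)n;
        if (len >= sizeof buf - 1)
            break;
    }
    buf[len] = '\0';
    close(fd[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;

    return strstr(buf, "vulnerable") != NULL ? 1 : 0;
}

int main(void)
{
    int r = probe_shellshock("/bin/bash");
    if (r < 0)
        printf("probe failed\n");
    else
        printf("/bin/bash is %s\n", r ? "vulnerable" : "not vulnerable");
    return 0;
}
```

On a patched bash the function definition is imported as an ordinary variable and nothing after the closing brace is executed, so the probe returns 0. Point it at the freshly installed bash 4.1 from the step above to see it return 1.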

Start the experiment

Attacking a Set-UID program

Compile the following code and make it a Set-UID root program

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setuid(), geteuid() */

int main(void)
{
    setuid(geteuid());      /* make real uid = effective uid */
    /* system() runs "/bin/sh -c ...", and that shell inherits our whole
     * environment; the attack needs /bin/sh to be the vulnerable bash */
    system("/bin/ls -l");
    return 0;
}

Start the attack

Continue the attack


The attack failed at first. This shows that the function definition carried in the environment variable only takes effect inside the program when the real uid and the effective uid are the same (otherwise bash drops its privileges on startup), and that is the condition under which the Shellshock vulnerability can be exploited through this Set-UID program.
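As an added example (not the lab's own code), here is the hardened counterpart of the Set-UID program above. Instead of system(), which starts /bin/sh with the caller's complete environment, it executes /bin/ls directly with a fixed argv and an environment from which every variable whose value begins with "() {" (the prefix bash's importer checks) has been removed, so no attacker-controlled function definition reaches a shell at all. The helpers is_function_export, filter_env and run_ls_hardened, and the constructed SAMPLE_ENV, are this example's own.

```c
/* Added example: a hardened replacement for the lab's Set-UID program.
 * No shell is spawned, and the child receives only a filtered copy of
 * the environment with bash-function exports ("NAME=() { ...") removed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return 1 if a "NAME=value" entry looks like an exported bash function,
 * i.e. its value begins with "() {" (the same four characters bash's
 * initialize_shell_variables tests with STREQN ("() {", string, 4)). */
int is_function_export(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    return strncmp(eq + 1, "() {", 4) == 0;
}

/* Copy entries from in[] to out[] (at most max-1, then a terminating NULL),
 * dropping function exports. Returns the number of entries kept. */
size_t filter_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < max; i++) {
        if (!is_function_export(in[i]))
            out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}

/* Hardened stand-in for system("/bin/ls -l"): exec /bin/ls directly with a
 * fixed argv and the filtered environment. Returns the child's exit status,
 * or -1 on failure. */
int run_ls_hardened(char *const parent_env[])
{
    char *env[64];
    filter_env(parent_env, env, sizeof env / sizeof env[0]);
    char *const argv[] = { "/bin/ls", "-l", NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/ls", argv, env);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample environment (not a real capture): one Shellshock-style
 * payload among ordinary variables. */
static char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "foo=() { echo hello; }; /bin/sh",
    "HOME=/home/seed",
    NULL
};

/* Number of entries that survive filtering of SAMPLE_ENV (expected: 2). */
size_t demo_filter_count(void)
{
    char *out[8];
    return filter_env(SAMPLE_ENV, out, sizeof out / sizeof out[0]);
}

extern char **environ;

int main(void)
{
    setuid(geteuid());                    /* same privilege step as the lab program */
    return run_ls_hardened(environ) == 0 ? 0 : 1;
}
```

Filtering the environment is defence in depth: the real fix is the patched bash, which no longer executes anything after the function body. Avoiding system() in a Set-UID program is worthwhile regardless, since it removes the shell (and with it PATH, IFS and similar environment tricks) from the privileged code path entirely.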

The simplified code logic behind the attack

void initialize_shell_variables(){
    for (string_index = 0; string = env[string_index++]; ) {
        /* If there are exported functions, they are defined here */
        /* Functions are not imported in privileged mode (running as root with -p) */
        if (privmode == 0 && read_but_dont_execute == 0 &&
            STREQN ("() {", string, 4)) {
            [...]
            // This is where Shellshock happens:
            // the function definition is passed on, and the extra commands after it are executed too
            parse_and_execute (temp_string, name,
                               SEVAL_NONINT|SEVAL_NOHIST);
            [...]
        }
    }
}

Summary

The whole process went fairly smoothly. Previously I only understood some of these attacks at a general level, without much depth; after going through this Shiyanlou lab, my understanding is much better.

Source: www.cnblogs.com/vizen/p/11959616.html