Shellshock Attack experiment
I. Experiment description
On September 24, 2014, a serious vulnerability named Shellshock was found in Bash. It can be exploited on many systems and can be triggered either remotely or locally. In this experiment, students reproduce the attack to understand the vulnerability and answer some questions.
II. Background knowledge
1. What is Shellshock?
Shellshock, also known as Bashdoor, is a security vulnerability in the widely used bash shell in Unix, which was first disclosed on September 24, 2014. Many Internet daemons, such as Web servers, use Bash to handle certain commands, allowing an attacker to execute arbitrary code on a vulnerable bash version. This could allow an attacker to access the computer system without authorization. --Excerpt from Wikipedia
2. Preparation required for the experiment
Prompt installation is successful, you can query
III. Experiment contents
In this experiment, we gain root privileges by attacking a Set-UID program. First, make sure that you have installed a vulnerable version of Bash and that /bin/sh points to /bin/bash. Compile the code below and make it a Set-UID program owned by root. The system() function invokes "/bin/sh -c" to run the specified command, which means that /bin/bash is called and the Shellshock vulnerability can be exploited.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setuid(geteuid());     // Make real UID = effective UID.
    system("/bin/ls -l");  // Runs the command through /bin/sh -c.
    return 0;
}
If the setuid(geteuid()) statement is removed and we try the attack again, can we still gain root privileges?
Failed! This means that if the real UID and the effective UID are the same, the content defined in the environment variable takes effect within the program, so the Shellshock vulnerability can be exploited. However, if the two UIDs are different, the environment variable cannot be used to launch the attack. This can be verified from the source code of Bash (variables.c, between lines 308 and 369). Please indicate which line causes the difference, and explain why Bash is designed this way.
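The hardened counterpart of the lab program above, as an added example that is not part of the original lab or report: it runs the same command with fork and execve instead of system(), so no shell is started, and it gives the child a fixed environment instead of the caller's. The names run_clean, looks_like_bash_function and CLEAN_ENV, and the PATH and LANG values, are assumptions made for this illustration.

```c
/* Added example (not from the original lab): run the same command without
 * a shell and without the caller's environment. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed child environment (assumed values); nothing is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* True if an environment entry's value starts with "() {", the prefix that
 * Shellshock-era Bash parsed as an exported function definition. */
int looks_like_bash_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq != NULL && strncmp(eq + 1, "() {", 4) == 0;
}

/* fork + execve with CLEAN_ENV; returns the exit status, or -1 on error. */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);  /* no /bin/sh -c, so Bash never runs */
        _exit(127);                     /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "ls", "-l", NULL };
    /* Log function-style variables; run_clean drops them in any case.
     * No setuid(geteuid()) call: the real UID is left unchanged. */
    for (char **e = environ; *e != NULL; e++)
        if (looks_like_bash_function(*e))
            fprintf(stderr, "dropping function-style variable: %.40s\n", *e);
    return run_clean("/bin/ls", argv);
}
```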
IV. Experiment takeaways
This is the last experiment of this semester. Its purpose is to give us a further understanding of the vulnerabilities in systems. The experimental procedure is not complex; following the steps produces the results. I learned that there is no completely secure system, and that systems can keep improving as they are broken!