Category Archives: Security

ShellShock Shock

Posted on by 0 comment

With all the hype on shellshock I thought I’d write something up, try some hacks, find some examples.

In essence I see ShellShock as a command injection vulnerability, which I cannot see being anywhere near as bad as Heartbleed, and I’ll explain my reasoning throughout this post.

Vulnerable:
So from all the reading I’ve done, most bash versions prior to being patched for ShellShock are vulnerable and will lose out when given the standard test:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
Also, from what I’ve read, most versions of BusyBox are not included.

So now we know what is vulnerable, let’s have a look at what’s exploitable, and what’s exploitable remotely.

According to the Red Hat blog https://access.redhat.com/articles/1200223

The exploitable services are most likely:

  • httpd
  • Secure Shell (SSH)
  • dhclient
  • CUPS
  • sudo
  • Firefox
  • Postfix


So now let’s look at the possibly remotely exploitable set.

  • httpd
  • Secure Shell (SSH)
  • dhclient
  • CUPS
  • Postfix


Now this list is still somewhat deceptive. SSH sounds remotely exploitable, but in reality you need to be authenticated first, so we can take that out of the list. dhclient will provide much fun, especially at SANS conferences and such when everyone is using Kali live CDs, but DHCP isn’t really an internet protocol, so we can rule that one out for this purpose. And we can put CUPS in a similar drawer: we could create a maliciously named printer, but according to the Red Hat blog it would require a small set of conditions, and no-one uses CUPS over the internet. Lastly, Postfix: in my opinion it would just be bad programming to let your email server set system variables, and the Red Hat blog tends to agree. I actually run nginx on this blog and haven’t found any exploits referencing it; I did find this release by the nginx team (http://nginx.com/blog/nginx-cve-2014-6271-bash-advisory/), which ultimately leaves HTTPD/Apache.

Now according to the Red Hat blog, mod_php, mod_perl, and mod_python are unaffected. I have also tested mod_fastcgi and couldn’t get an exploit, so this leaves the standard mod_cgi. So we’ve cut our list down from ~90% of vulnerable targets to just those exploitable targets running antiquated mod_cgi pages. So although the vulnerability was more widespread than Heartbleed, the exploitability is definitely nowhere near it, even though the damage can be much worse.
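To make the mod_cgi point concrete from the defender’s side, here is an added Python example (mine, not from the post or from Red Hat) that models the CGI header-to-environment mapping that turns a request header into an exported bash variable, and scans Apache combined-format log lines for the "() {" function-export prefix that the standard test above relies on. The log lines and the request headers are constructed samples, and the only payload they carry is the same harmless "echo vulnerable" probe the post uses.

```python
import re
from typing import Dict, List

# A bash function export starts with "() {". Pre-patch bash kept interpreting
# whatever followed the closing brace, which is the command injection the post
# describes. Matching the prefix anywhere in a value (not only at offset 0)
# trades a few false positives for catching padded variants such as "() { :; }".
FUNC_EXPORT = re.compile(r"\(\s*\)\s*\{")


def is_suspicious(value: str) -> bool:
    """True when a header or environment value carries the function-export prefix."""
    return FUNC_EXPORT.search(value) is not None


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Model the CGI header-to-environment mapping (RFC 3875, section 4.1.18):
    'User-Agent' becomes HTTP_USER_AGENT, 'Cookie' becomes HTTP_COOKIE, and so on.
    This is the step that hands an attacker-chosen header to bash as an exported
    variable when the CGI script is bash or spawns a shell."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def suspicious_env_vars(env: Dict[str, str]) -> List[str]:
    """Names of environment variables whose value looks like a function export."""
    return sorted(name for name, value in env.items() if is_suspicious(value))


def scan_combined_log(lines: List[str]) -> List[str]:
    """Return the log lines whose quoted request, referer or user-agent field
    carries the function-export prefix (Apache 'combined' log format)."""
    hits: List[str] = []
    for line in lines:
        quoted_fields = re.findall(r'"([^"]*)"', line)
        if any(is_suspicious(field) for field in quoted_fields):
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic). The first carries the probe
# in the User-Agent, the second in the Referer; the third is an ordinary browser
# whose parenthesised platform string must not trigger a false positive.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '203.0.113.5 - - [25/Sep/2014:10:11:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo vulnerable" "curl/7.37.0"',
    '198.51.100.7 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
]

# Constructed request headers for the environment-mapping demonstration.
SAMPLE_HEADERS = {"User-Agent": "() { :;}; echo vulnerable", "Host": "example.com"}

if __name__ == "__main__":
    for hit in scan_combined_log(SAMPLE_LOG):
        print("SHELLSHOCK PROBE:", hit)
    print(suspicious_env_vars(cgi_env_from_headers(SAMPLE_HEADERS)))  # ['HTTP_USER_AGENT']
```

The mapping function is the reason the post ends up with mod_cgi as the remaining remote path: every request header becomes an HTTP_* variable in the CGI child’s environment, so the only question is whether bash is ever the interpreter of that environment. The log scanner is the cheap retrospective check to run over existing access logs for hosts that were exposed before patching.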


And just because we’re still phishing for logos for ShellShock, I’d like to propose a blue koopa shell from Mario:

[image: MKwii_Blueshell]

Unlocked Windows Tools


I was reading about the iKAT tools and came across their set of binaries that don’t obey GP (Group Policy). These are awesome, and if you couple them with the base64 file encoding proxy I wrote a while ago, you should be able to get full cmd access on just about any environment where you have internet access. The tools included in the iKAT package are:

  • cmd.exe
  • command.com
  • control.exe
  • cscript.exe
  • explorer.exe
  • ipconfig.exe
  • osk.exe
  • rasphone.exe
  • regedit.exe
  • runonce.exe
  • sc.exe
  • taskman.exe
  • taskmgr.exe
  • wscript.exe

And the complete zip is mirrored here.

The Adventure Begins


So I have just ordered my PIC microprocessor and a couple of other things, and I plan on making a small USB keylogger. Speaking of which, http://hakshop.myshopify.com/products/usb-rubber-ducky is freaking awesome 🙂 I’ll upload a copy of my PIC order once I fix my permissions on my WordPress install.

Category: C, Hardware, Security, USB