request for help - curl | bash exploit PoC - something is not working

xuanbao · · 567 次点击    
这是一个分享于 的资源,其中的信息可能已经有所发展或是发生改变。
<p>See the ~130 lines of code here: <a href="https://github.com/sethgrid/exploit">https://github.com/sethgrid/exploit</a></p> <p>Based on a recent HN post and a top comment, you should be able to get two different outputs from `curl $URL` vs `curl $URL | bash`. The idea that the bash script should be executed line by line and have one line &#34;phone home&#34; causing the next chunked output to be different than if you did not pipe to bash.</p> <p>My problem: when I pipe to bash with the attached code, bash seems to wait to collect the total output before running. It does not run line-by-line. Did I do something wrong? Does this exploit just not work?</p> <p>EDIT/UPDATE: thanks to <a href="/u/eggsampler">/u/eggsampler</a> - the issue was not filling the write buffer. This also shows the original exploit based on timing to be far more elegant than the phone-home liveness check.</p> <hr/>**评论:**<br/><br/>eggsampler: <pre><p>So you missed part of the exploit which is filling up the sendbuffer which means the output isn&#39;t being written to bash before the curl call finishes.</p> <p>This seems to work: <a href="https://pastebin.com/pZzPnD1b" rel="nofollow">https://pastebin.com/pZzPnD1b</a></p></pre>sethammons: <pre><p>Interesting. Makes sense. I thought filling the buffer was part of the timing method as opposed to the phone home method. Thanks!</p></pre>eggsampler: <pre><p>Yes you&#39;re right in that the filling of the buffer is part of the timing method in the original post, but it is also the phone home method by signalling that it has executed the delay. The idea is that,</p> <ul> <li>you send a chunk with a sleep in it and then send enough to wrap over into a second chunk</li> <li>wait to see how long the client takes to read that next chunk</li> <li>if greater than an approximate latency and close to the innocent code with the sleep in it, it means that the client is executing each line in bash so you send the bad payload</li> <li>otherwise send a good payload</li> </ul> <p>This means you don&#39;t need any callback like you are doing which could potentially give yourself away.</p></pre>

入群交流(和以上内容无关):加入Go大咖交流群,免费领全套学习资料或添加微信:muxilin131420 备注:入群;或加QQ群:729884609

567 次点击  
加入收藏 微博
0 回复
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传