{"id":5,"date":"2014-10-30T21:23:39","date_gmt":"2014-10-30T13:23:39","guid":{"rendered":"http:\/\/blog.haostudio.net\/hwp\/?p=5"},"modified":"2017-07-25T00:26:25","modified_gmt":"2017-07-24T16:26:25","slug":"building-bash-from-source-%e8%a3%9c-shellshock-%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/blog.haostudio.net\/hwp\/building-bash-from-source-%e8%a3%9c-shellshock-%e6%bc%8f%e6%b4%9e\/","title":{"rendered":"Building bash from source"},"content":{"rendered":"\n

Building bash from source (\u88dc Shellshock \u6f0f\u6d1e)<\/h1>\n

\u524d\u8a00<\/h1>\n

\u4e00\u822c\u4f86\u8aaa, \u4f7f\u7528\u8005\u53ea\u8981\u66f4\u65b0bash \u5c31\u53ef\u89e3\u6c7ashellshock\u6f0f\u6d1e, \u4f46\u662f\u6211\u7684ARM Cubieboard \u958b\u767c\u7248\u7528\u7684Debian\u7248\u672c\u4e00\u76f4\u90fd\u6c92\u6709\u51fa\u66f4\u65b0, \u6240\u4ee5\u6211\u53ea\u597d\u81ea\u5df1\u624b\u52d5\u4f86\u88dc\u6f0f\u6d1e.<\/p>\n

\u6aa2\u67e5\u6f0f\u6d1e<\/h1>\n

\u9996\u5148\u6aa2\u67e5\u4f60\u7684bash \u7248\u672c<\/p>\n

root@cb1:~# bash --version\nGNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnueabihf)\nCopyright (C) 2011 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\n\nThis is free software; you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\n<\/code><\/pre>\n
\u9019\u662f4.2.37\u7248<\/p>\n
\u78ba\u8a8d\u662f\u5426\u6709ShellSshock \u6f0f\u6d1e<\/p>\n
root@cb1# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"\nvulnerable\nthis is a test\n<\/code><\/pre>\n
\u82e5\u51fa\u73fe\n“vulnerable”<\/em> \u8868\u793a\u6709\u6f0f\u6d1e<\/p>\n
\u7de8\u8b6fBash<\/h1>\n
\u5b89\u88dd\u5fc5\u8981\u5957\u4ef6<\/p>\n
apt-get install  gcc make autoconf byacc\n<\/code><\/pre>\n
\u4e0b\u8f09bash 4.2 \u7248source code<\/p>\n
cd ~\nmkdir bash\ncd bash\nwget http:\/\/ftp.gnu.org\/gnu\/bash\/bash-4.2.tar.gz\ntar -xvzf bash-4.2.tar.gz\ncd bash-4.2\n<\/code><\/pre>\n
\u6aa2\u67e5\u9019\u500b\u7248\u672c\u662f\u5c1a\u672apatch\u904e\u7684<\/p>\n
cat patchlevel.h\n<\/code><\/pre>\n
\u4f60\u53ef\u4ee5\u770b\u5230\u6a94\u6848\u5167\n#define PATCHLEVEL 0<\/em> \u8868\u793a\u6c92\u6709\u88abpatch\u904e<\/p>\n
\u63a5\u4e0b\u4f86\u6293\u53d6\u5404\u7248\u672c\u7684patch \u6a94\u6848<\/p>\n
cd ..\nwget -r -l 1 http:\/\/ftp.gnu.org\/gnu\/bash\/bash-4.2-patches\/\n<\/code><\/pre>\n
\u79fb\u9664\u4e0d\u5fc5\u8981\u7684patch\u6a94\u6848<\/p>\n
rm ftp.gnu.org\/gnu\/bash\/bash-4.2-patches\/*.sig\nrm ftp.gnu.org\/gnu\/bash\/bash-4.2-patches\/index*\n<\/code><\/pre>\n
Patch Bash source code.<\/p>\n
cd bash-4.2\nfor i in ~\/bash\/ftp.gnu.org\/gnu\/bash\/bash-4.2-patches\/*; do patch -p0 < $i; done\n<\/code><\/pre>\n
\u518d\u6aa2\u67e5patchlevel.h \u6a94\u6848, \u78ba\u8a8d\u5df2\u7d93patch\u904e\u4e86<\/p>\n
cat patchlevel.h\n<\/code><\/pre>\n
\u958b\u59cb\u7de8\u8b6fsource code<\/p>\n
.\/configure\nmake\n<\/code><\/pre>\n
\u5b89\u88ddBash<\/h1>\n
\u9996\u5148\u5099\u4efd\u820a\u7684\u7248\u672c<\/p>\n
cp \/bin\/bash \/bin\/bash.old\n<\/code><\/pre>\n
\u5b89\u88ddbash<\/p>\n
make install\n<\/code><\/pre>\n
\u6216\u8005\u662f\u5c07\u76ee\u9304\u4e0b\u7684bash \u6a94\u8986\u84cb\u820a\u7684bash\u6a94\u6848 \u4e5f\u53ef\u4ee5<\/p>\n
cp bash \/bin\/bash\n<\/code><\/pre>\n
logout \u5f8c\u518dlogin, \u6aa2\u67e5bash \u7248\u672c\u662f\u5426\u5df2\u7d93\u66f4\u65b0.<\/p>\n
root@cb1:~# bash --version\nGNU bash, version 4.2.53(1)-release (armv7l-unknown-linux-gnueabi)\nCopyright (C) 2011 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\n\nThis is free software; you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\nroot@cb1camera:~#\n<\/code><\/pre>\n
\u55ef, \u7248\u672c\u5df2\u7d93\u66f4\u65b0\u52304.2.53<\/p>\n
\u518d\u6aa2\u67e5\u662f\u5426\u9084\u6709shellshock\u6f0f\u6d1e<\/p>\n
root@cb1:~# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"\nthis is a test\n<\/code><\/pre>\n
YA! \u6c92\u770b\u5230\n“vulnerable”<\/em> \u8868\u793a\u6f0f\u6d1e\u5df2\u7d93\u88dc\u597d\u4e86.<\/p>\n
\n
\u53c3\u8003\u8cc7\u6599<\/h3>\n
    \n
  1.  Building Bash From Source <\/a><\/li>\n<\/ol>","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[4,3],"class_list":["post-5","post","type-post","status-publish","format-standard","hentry","category-linux","tag-bash","tag-shell"],"_links":{"self":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts\/5","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/comments?post=5"}],"version-history":[{"count":8,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts\/5\/revisions"}],"predecessor-version":[{"id":425,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts\/5\/revisions\/425"}],"wp:attachment":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/media?parent=5"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/categories?post=5"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/tags?post=5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}