bashwrapper.c: Check environment variables for shellshock exploit

/***********************************************************************
 * bashwrapper.c: Check environment variables for shellshock exploit   *
 *                                                                     *
 * Move /bin/bash to /bin/bash.real                                    *
 * Install bashwrapper as /bin/bash                                    *
 * Monitor your syslog log files                                       *
 *                                                                     *
 * v2014.09.26                                                         *
 *                                                                     *
 * https://malwaremusings.com/supporting-files/bashwrapper-c/           *
 ***********************************************************************/

#include <errno.h>
#include <regex.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Non-zero: also log the "starting real bash" / "NOT running real bash" decisions,  */
/* not just the matches themselves.                                                  */
#define VERBOSE 1
/* Pattern an environment string must match to be treated as a possible exploit.     */
/* main() compiles it without REG_EXTENDED, so it is a POSIX basic RE: "(", ")",     */
/* "{" and "}" are literal characters. It therefore flags the exported-function      */
/* form "() { ...; };" -- a function body followed by a closing brace and a ";".     */
/* Strings laid out differently are not flagged by this pattern.                     */
#define REGEX "() {[[:space:]][^}]*;[[:space:]]*}[[:space:]]*;"
/* Where the genuine interpreter lives once it has been moved aside (see header).    */
#define REALBASH "/bin/bash.real"

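/*
 * Run the compiled pattern re over every "NAME=value" string in envp.
 *
 * Each matching string is logged to syslog at LOG_WARNING together with
 * ppid, so that log-monitoring software can see which variable tripped the
 * check and which parent process supplied it.
 *
 * A regexec() result other than 0 / REG_NOMATCH is logged and the string is
 * skipped. It is deliberately not counted as a match, to stay consistent
 * with how main() treats a regcomp() failure: log loudly, but do not stop
 * bash from running only because the checker itself is broken.
 *
 * Returns 1 if at least one environment string matched, 0 otherwise.
 */
static int env_matches_pattern(const regex_t *re, char *const envp[], long ppid) {
        int found = 0;
        char errbuf[128];

        for (int i = 0; envp != NULL && envp[i] != NULL; i++) {
                int rc = regexec(re, envp[i], 0, NULL, 0);

                if (rc == 0) {
                        found = 1;
                        syslog(LOG_WARNING,"bashwrapper (ppid: %ld) detected possible shellshock exploit: %s",ppid,envp[i]);
                } else if (rc != REG_NOMATCH) {
                        regerror(rc, re, errbuf, sizeof errbuf);
                        syslog(LOG_WARNING,"bashwrapper (ppid: %ld) regexec() failed on an environment string: %s",ppid,errbuf);
                }
        }

        return found;
}

/*
 * Wrapper entry point, installed in place of /bin/bash.
 *
 * Checks every environment string against REGEX, then either exec()s
 * REALBASH with the unchanged argv (no match) or refuses and exits 1
 * (match). All decisions and matches go to syslog so that alerting
 * software can act on them.
 *
 * Returns 1 in every case where control comes back here: either a match
 * was found, or execv() itself failed.
 */
int main(int argc,char *argv[],char *envp[]) {
        regex_t patternbuff;            /* compiled form of REGEX                               */
        int exploit_seen = 0;           /* set when any envp string matched REGEX               */

        (void)argc;                     /* argv is handed to the real bash unchanged            */

        /* we log to syslog so alerting software can look for our messages                      */
        openlog("bashwrapper",LOG_PID,LOG_USER);

        /* the parent pid tells us which process handed us the suspicious environment           */
        /* (cast to long so the format specifier is correct whatever pid_t is)                  */
        long ppid = (long)getppid();

        /* REG_NOSUB: we never ask regexec() for sub-match offsets, so let it skip them           */
        int r = regcomp(&patternbuff,REGEX,REG_NOSUB);

        if (r == 0) {
                exploit_seen = env_matches_pattern(&patternbuff, envp, ppid);
                regfree(&patternbuff);
        } else {
                /* log the failure so a broken pattern does not give a false sense of security. */
                /* the real bash is still exec()'d below: a wrapper that refuses to run bash    */
                /* whenever its own regex is broken would take the whole system down with it.   */
                char errbuf[128];
                regerror(r, NULL, errbuf, sizeof errbuf);
                syslog(LOG_WARNING,"bashwrapper (ppid: %ld) regular expression failed to compile: %s",ppid,errbuf);
        }

        if (!exploit_seen) {
#if VERBOSE
                syslog(LOG_INFO,"bashwrapper (ppid: %ld) starting real bash",ppid);
#endif
                closelog();
                execv(REALBASH,argv);

                /* execv() only returns on failure; keep errno before syslog can disturb it     */
                int exec_errno = errno;
                syslog(LOG_WARNING,"bashwrapper (ppid: %ld) failed to exec() real bash: %s",ppid,strerror(exec_errno));
        } else {
                /* the decision to block is the security-relevant event, so it is logged        */
                /* regardless of VERBOSE                                                        */
                syslog(LOG_WARNING,"bashwrapper (ppid: %ld) NOT running real bash",ppid);
        }
        closelog();

        /* reaching this point means we did not exec(), whatever the reason                      */
        return 1;
}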
