bashwrapper.c: Check environment variables for shellshock exploit
/***********************************************************************
* bashwrapper.c: Check environment variables for shellshock exploit *
* *
* Move /bin/bash to /bin/bash.real *
* Install bashwrapper as /bin/bash *
* Monitor your syslog log files *
* *
* v2014.09.26 *
* *
* https://malwaremusings.com/supporting-files/bashwrapper-c/ *
***********************************************************************/
#include <regex.h>
#include <unistd.h>
#include <syslog.h>
#define VERBOSE 1
#define REGEX "() {[[:space:]][^}]*;[[:space:]]*}[[:space:]]*;"
#define REALBASH "/bin/bash.real"
int main(int argc,char *argv[],char *envp[]) {
int i = 0; /* index in to environment variables array */
regex_t patternbuff; /* regular expression pattern buffer */
/* open syslog */
/* we'll log to syslog so alerting software can look for our log messages */
openlog("bashwrapper",LOG_PID,LOG_USER);
/* compile the regular expression */
int r = regcomp(&patternbuff,REGEX,0);
/* if we start by assuming that nothing will match, and then perform a bitwise */
/* and with every regular expression match result, then any match (return 0) */
/* will change this variable in a way that we can detect later */
int matches = REG_NOMATCH;
/* log the parent process id so we know which process was used to exploit bash */
int ppid = getppid();
/* only run the regular expression check if it compiled ok */
if (r == 0) {
/* i is index in to the environment variable array */
i = 0;
while (envp[i]) {
/* see if our regular expression matches */
r = regexec(&patternbuff,envp[i],0,NULL,0);
/* we want matches to still be REG_NOMATCH at the end */
/* by performing a bitwise AND, any change from REG_NOMATCH */
/* will be recorded */
matches &= r;
/* log a match here so that we can log the var that matched */
if (r == 0) {
syslog(LOG_WARNING,"bashwrapper (ppid: %d) detected possible shellshock exploit: %s",ppid,envp[i]);
}
i++;
}
} else {
/* log a failed regular expression compilation so that we are not led in to */
/* a false sense of security */
syslog(LOG_WARNING,"bashwrapper (ppid: %d) regular expression failed to compile",ppid);
}
/* if none of the environment strings matched, exec() the real bash */
if (matches == REG_NOMATCH) {
#if VERBOSE
syslog(LOG_INFO,"bashwrapper (ppid: %d) starting real bash",ppid);
#endif
closelog();
execv(REALBASH,argv);
/* if we get here, then something went wrong */
syslog(LOG_WARNING,"bashwrapper (ppid: %d) failed to exec() real bash",ppid);
#if VERBOSE
} else {
syslog(LOG_WARNING,"bashwrapper (ppid: %d) NOT running real bash",ppid);
#endif
}
closelog();
/* return 1, because if we get here, we didn't exec() for some reason */
return 1;
}
Like this:
Like Loading...
My Github activity
Malware Musings 
Pingback: Mitigating Shellshock: A wrapper to protect bash | Malware Musings