Or cpanels suid scripts that invoke bash? :) On Tue, Sep 30, 2014 at 11:05 AM, Georgi Guninski <[email protected]> wrote:
> On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote: > > On Sep 30, 2014 3:40 PM, "Georgi Guninski" <[email protected]> > wrote: > > > > > > If I had a budget for buying sploits, I would > > > pay much more for shockshell than for HB, might be wrong. > > > > This is a really good metric. It instantly combines utility with > potential > > etc. > > > > HB obtains you the root password, too. Maybe you have to wait for the > admin > > to log in, but still. It also doesn't leave a trace, which is neat. > > > > Is there a reference that HB _alone_ gets you the root password? > Maybe I am dumb, but don't see way to get the root password in > sound setup even if I can ptrace() httpd. > > > > HB gets you exploits for some very serious competitors. Shellshock only > for > > silly competition and, unless they're really silly, requires another > > exploit for root. > > > > Probably shellshock will give you root via DHCP and > for another root exploit you might try to shock suid stuff :) > > On the web the myriads of buggy cgi's probably can compete > with shellshock, though it is more universal and allegedly > works for significant amount of daemons. > > > > So.. it depends! On too much. For me personally shellshock is an easier > > exploit but heartbleed can be way more fun. Hmm... have to go with > > heartbleed in the end. Real users often use the same password, so that'd > > let me take open wifi users by surprise. If you'd want you can take > > servers, even though it's a tease harder. > -- -------- Phone: 1 (434) 933-2867 Skype: deatos2k My Website: http://www.deatoslabs.com My Security Blog: http://deatos.blogspot.com
