Or cpanels suid scripts that invoke bash? :)

On Tue, Sep 30, 2014 at 11:05 AM, Georgi Guninski <guninski@guninski.com> wrote:
On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote:
> On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
> >
> > If I had a budget for buying sploits, I would
> > pay much more for shockshell than for HB, might be wrong.
>
> This is a really good metric. It instantly combines utility with potential
> etc.
>
> HB obtains you the root password, too. Maybe you have to wait for the admin
> to log in, but still. It also doesn't leave a trace, which is neat.
>

Is there a reference that HB _alone_ gets you the root password?
Maybe I am dumb, but don't see way to get the root password in
 sound setup even if I can ptrace() httpd.


> HB gets you exploits for some very serious competitors. Shellshock only for
> silly competition and, unless they're really silly, requires another
> exploit for root.
>

Probably shellshock will give you root via DHCP and
for another root exploit you might try to shock suid stuff :)

On the web the myriads of buggy cgi's probably can compete
with shellshock, though it is more universal and allegedly
works for significant amount of daemons.


> So.. it depends! On too much. For me personally shellshock is an easier
> exploit but heartbleed can be way more fun. Hmm... have to go with
> heartbleed in the end. Real users often use the same password, so that'd
> let me take open wifi users by surprise. If you'd want you can take
> servers, even though it's a tease harder.



--
--------
Phone: 1 (434) 933-2867
Skype: deatos2k
My Website: http://www.deatoslabs.com
My Security Blog: http://deatos.blogspot.com