Or cpanels suid scripts that invoke bash? :)

On Tue, Sep 30, 2014 at 11:05 AM, Georgi Guninski <guninski@guninski.com> wrote:

> On Tue, Sep 30, 2014 at 03:59:33PM +0200, Lodewijk andré de la porte wrote:
> > On Sep 30, 2014 3:40 PM, "Georgi Guninski" <guninski@guninski.com> wrote:
> > >
> > > If I had a budget for buying sploits, I would
> > > pay much more for shockshell than for HB, might be wrong.
> >
> > This is a really good metric. It instantly combines utility with potential
> > etc.
> >
> > HB obtains you the root password, too. Maybe you have to wait for the admin
> > to log in, but still. It also doesn't leave a trace, which is neat.
> >
>
> Is there a reference that HB _alone_ gets you the
> root password?
>
> Maybe I am dumb, but don't see way to get the root password
> in sound setup even if I can ptrace() httpd.
>
> > HB gets you exploits for some very serious competitors. Shellshock only for
> > silly competition and, unless they're really silly, requires another
> > exploit for root.
> >
>
> Probably shellshock will give you root via DHCP
> and for another root exploit you might try to
> shock suid stuff :)
>
> On the web the myriads of buggy cgi's probably
> can compete with shellshock, though it is more
> universal and allegedly works for significant
> amount of daemons.
>
> > So.. it depends! On too much. For me personally shellshock is an easier
> > exploit but heartbleed can be way more fun. Hmm... have to go with
> > heartbleed in the end. Real users often use the same password, so that'd
> > let me take open wifi users by surprise. If you'd want you can take
> > servers, even though it's a tease harder.

--
--------
Phone: 1 (434) 933-2867
Skype: deatos2k
My Website: http://www.deatoslabs.com
My Security Blog: http://deatos.blogspot.com