Top 10 Metasploit Modules for Exploitation of ShellShock Vulnerability

A vulnerability in GNU Bash could allow an unauthenticated, remote attacker to inject arbitrary commands so called as ShellShock Vulnerability. The vulnerability is due to improper processing of environment variables by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by submitting malicious environment variable values to an application using Bash. Processing the values could allow the attacker to inject arbitrary commands on the system that would run in the security context of the targeted application.

Suggested Read: Pentester Lab Activity for Exploitation of ShellShock

Here we’ve listed out top 10 Metasploit Modules which you can further use for the exploitation of ShellShock Vulnerability or Bash Bug Vulnerability.

1. OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the VMWare Fusion application, allowing an unprivileged local user to get root access.

Module Name – exploit/osx/local/vmware_bash_function_root

2. Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the Pure-FTPd FTP server when it has been compiled with the –with-extauth flag and an external Bash script is used for authentication. If the server is not set up this way, the exploit will fail, even if the version of Bash in use is vulnerable.

Module Name – exploit/multi/ftp/pureftpd_bash_env_exec

3. Qmail SMTP Bash Environment Variable Injection (Shellshock)

This module exploits a shellshock vulnerability on Qmail, a public domain MTA written in C that runs on Unix systems. Due to the lack of validation on the MAIL FROM field, it is possible to execute shell code on a system with a vulnerable BASH (Shellshock). This flaw works on the latest Qmail versions (qmail-1.03 and netqmail-1.06). However, in order to execute code, /bin/sh has to be linked to bash (usually default configuration) and a valid recipient must be set on the RCPT TO field (usually admin@exampledomain.com). The exploit does not work on the “qmailrocks” community version as it ensures the MAILFROM field is well-formed.

Module Name – exploit/unix/smtp/qmail_bash_env_exec

4. Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner

This module scans for the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

PROTIP: Use exploit/multi/handler with a PAYLOAD appropriate to your CMD, set ExitOnSession false, run -j, and then run this module to create sessions on vulnerable hosts. Note that this is not the recommended method for obtaining shells. If you require sessions, please use the apache_mod_cgi_bash_env_exec exploit module instead.

Module Name – auxiliary/scanner/http/apache_mod_cgi_bash_env

5. CUPS Filter Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables. A valid username and password is required to exploit this vulnerability through CUPS.

Module Name – exploit/multi/http/cups_bash_env_exec

6. DHCP Client Bash Environment Variable Code Injection (Shellshock)

Module Name – auxiliary/server/dhclient_bash_env

7. Advantech Switch Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets the ‘ping.sh’ CGI script, accessible through the Boa web server on Advantech switches. This module was tested against firmware version 1322_D1.98.

Module Name – exploit/linux/http/advantech_switch_bash_env_exec

8. IPFire Bash Environment Variable Injection (Shellshock)

IPFire, a free Linux based open source firewall distribution, version <= 2.15 Update Core 82 contains an authenticated remote command execution vulnerability via shellshock in the request headers.

Module Name – exploit/linux/http/ipfire_bashbug_exec

9. Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

Module Name – exploit/multi/http/apache_mod_cgi_bash_env_exec

10. Dhclient Bash Environment Variable Injection (Shellshock)

This module exploits the Shellshock vulnerability, a flaw in how the Bash shell handles external environment variables. This module targets dhclient by responding to DHCP requests with a malicious hostname, domain name, and URL which are then passed to the configuration scripts as environment variables, resulting in code execution. Due to length restrictions and the unusual networking scenario at the time of exploitation, this module achieves code execution by writing the payload into /etc/crontab and then cleaning it up after a session is created.

Module Name – exploit/unix/dhcp/bash_environment

Post Views: 1,378

You may also like: