How to Exploit the ShellShock/Bash Bug CVE-2014-6271 Vulnerability

-
The "Shellshock" or "Bash Bug" vulnerability was discovered on September 24, 2014. This vulnerability was assigned the CVE classifer CVE-2014-6271. According to NIST, "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution" (https://nvd.nist.gov/vuln/detail/CVE-2014-6271).


To exploit this vulnerability, I used an infected virtual machine installed on a Hyper-V instance. The machine itself was downloaded from a lab in PentesterLab (https://pentesterlab.com). I also used a virtualized image of Kali Linux (see image below for version and OS details). Additional tools used were Burp Suite (which comes pre-installed on Kali, and the FoxyProxy addon module for FireFox (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard).
Once the vulnerable machine was installed on Hyper-V, my first step was to assign it a static IP address using the command sudo ifconfig eth0 192.168.1.5 netmask 255.255.255.0
To ensure the static IP was set, use the command ifconfig  
I followed this by opening Burp Suite in Kali and bound the proxy listener to loopback only (127.0.0.1) and to listen on port 8181. Additionally, I disabled the interceptor as it was not needed to perform this exploit.
The next thing I did was setup FoxyProxy in the web browser with the local host address and port 8181. I named this proxy 'Adam's Proxy'. Once it was configured, I enabled all traffic to be routed through the proxy.
Next, I opened the Firefox web browser in my Kali instance and navigated to the vulnerable machine.
Since  ShellShock/Bash Bug CVE-2014-6271 uses the CGI as the attack vector for this vulnerability, I sent this to the repeater to start manipulating parameters to see how I can begin exploiting the vulnerability.
To test for the ShellShock/Bash Bug CVE-2014-6271, I changed the User-Agent field to run the command ( ) { :;}; echo $(</etc/passwd) which returned the information in the passwd file.
I decided it would be much more interesting to open a shell to execute commands on the vulnerable machine. To do this, I changed the User-Agent to run the following command: ( ) { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh
This command listens on the local machine over port 9999 for any connections.
As you can see, there were no errors returned. Next, I opened a netcat session on my local machine to listen to port 9999 on the vulnerable box. From here, I was able to execute commands and root the machine.
Next, I wanted to see if I could create a reverse shell. Since most machines in the wild will have some sort of firewall that block attackers from access over random ports, I am going to connect over known open posts used for web servers (80, 443).

Comments

Post a Comment

Popular posts from this blog

Master Port List

-
TCP  0  Reserved TCP  1  Port Service Multiplexer TCP  2  Management Utility TCP  3  Compression Process TCP  4  Unassigned TCP  5  Remote Job Entry TCP  6  Unassigned TCP  7  Echo TCP  8  Unassigned TCP  9  Discard TCP  10  Unassigned TCP  11  Active Users TCP  12  Unassigned TCP  13  Daytime (RFC 867) TCP  14  Unassigned TCP  15  Unassigned [was netstat] TCP  16  Unassigned TCP  17  Quote of the Day TCP  18  Message Send Protocol TCP  19  Character Generator TCP  20  File Transfer [Default Data] TCP  21  File Transfer [Control] TCP  22  SSH Remote Login Protocol TCP  23  Telnet TCP  24  any private mail system TCP  25  Simple Mail Transfer TCP  26  Unassigned TCP  27  NSW User System FE TCP  28  Unas...
Read more

Installing and Configuring WebGoat

-
Image
After doing some research, I found WebGoat. WebGoat is a deliberately insecure web application developed by the Open Web Application Security Project (OWASP) and was developed to teach users how to learn web application penetration testing. More information on OWASP can be found at https://www.owasp.org . To install WebGoat, the following is needed: Linux (for my purposes, I am using Kali Linux) https://www.kali.org/downloads/   Apache Tomcat http://tomcat.apache.org/ WebGoat https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar Java https://www.java.com/en/download/help/linux_x64_install.xml It is important to note that many Linux systems come preconfigured with Java out of the box. An easy way to find out is by running the simple command java -version The architecture of WebGoat is very simple. The diagram below shows exactly what is required (other than the Java dependency). Steps to Installing and Configuring WebGoat ...
Read more

Exploiting File Upload Vulnerabilities with DVWA

-
Image
This exercise explores vulnerabilities associated with file uploads. The target machine was the Damn Vulnerable Web Application (DVWA) found at http://www.dvwa.co.uk/ however, this web application came preinstalled with Metasploitable 2 found at https://information.rapid7.com/metasploitable-download.html . DVWA, according to its website, “is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment” ( http://www.dvwa.co.uk/ ). Metasploitable “is virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. Metasploitable is essentially a penetration testing lab in a box, available as a VMware virtual machine (VMX),” ( https://information.rapid7.com/metasploitabl...
Read more