Tue. Oct 20th, 2020

Pentesting Fun Stuff


CVE-2014-6271/Shellshock

Introduction

On 24 September 2014 a vulnerability was published under the name "CVE-2014-6271", aka "Shellshock".
The nature of Shellshock was that, with vulnerable versions of bash (the Unix Bourne-again shell), it was possible to inject code into bash and have it execute arbitrary commands. After the first vulnerability was found, further related vulnerabilities were discovered, and most known versions were patched.
For educational purposes I'm going to examine a virtual lab from pentesterlab.com.
The course description details the exploitation of the vulnerability CVE-2014-6271. This vulnerability impacts the Bourne Again Shell "Bash". Bash is not usually available through a web application, but it can be indirectly exposed through a Common Gateway Interface "CGI".

Location

https://www.pentesterlab.com/exercises/cve-2014-6271

Enumeration

I know that this machine's sole purpose is exploiting Shellshock, but I still run nikto.

As you can see, the outlined strings show that there is a 'shellshock' vulnerability ready to be exploited.
Now for the exploit. Because of the vulnerability I can inject code and let bash execute my commands.
I can do this with something as simple as curl.

As shown, I use the magic string () { :;}; and get remote code execution.
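From the defender's side, the same magic string is what a web server log should be watched for: CGI copies request headers such as User-Agent and Referer into environment variables, which is exactly where bash parses the "() {" function prefix. The following detector is an added example written for this post (not code from the lab or from pentesterlab); it scans constructed combined-format access-log lines for the prefix, including whitespace variants, and flags whether the request targeted a CGI path.

```python
import re
from typing import List, NamedTuple, Optional

# Bash treats an environment variable whose value begins with "() {" as an
# exported function definition; unpatched versions kept parsing past the
# closing brace and executed whatever followed. CGI copies request headers
# into the environment (HTTP_USER_AGENT, HTTP_REFERER, ...), so that prefix
# appearing in a header is the thing to alert on. Whitespace variants count.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" access-log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

class Hit(NamedTuple):
    ip: str
    path: str
    field: str      # which header carried the payload
    cgi: bool       # request targeted a CGI path, where bash can be reached
    payload: str

def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the log line carries a Shellshock-style header, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) >= 2 else m.group("req")
    for field in ("ua", "referer"):
        value = m.group(field)
        if SHELLSHOCK_RE.search(value):
            return Hit(m.group("ip"), path, field, path.startswith("/cgi-bin/"), value)
    return None

def scan_log(lines: List[str]) -> List[Hit]:
    return [h for h in map(scan_line, lines) if h is not None]

# Constructed sample log lines (not captured from the lab): one benign request,
# one payload in User-Agent against a CGI script, one whitespace variant in Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 73 "-" "() { :;}; echo; /usr/bin/id"',
    '198.51.100.7 - - [24/Sep/2014:10:01:15 +0000] "GET /about.html HTTP/1.1" 200 311 "(){ :; }; echo; /usr/bin/id" "curl/7.38.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ip} {hit.path} via {hit.field} cgi={hit.cgi}: {hit.payload!r}")
```

A hit on a non-CGI path is still worth recording (the attacker is probing), but the hit against /cgi-bin/ with a 200 response is the one that warrants checking the host's bash version and patch state.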

Reverse shell

I got RCE, but to really get into the remote machine, I prefer a reverse shell.
There are several scenarios for getting a reverse shell here. As netcat is running on the remote system, I could tunnel out to a listener on my local system. I could also create a payload with msfvenom and wget it onto the remote system, serving it with SimpleHTTPServer, or, as in this case, use metasploit to create a reverse shell.

There you go.

Explanation

Symantec has a really nice overview of how the exploit works.
[Image: Symantec Shellshock command diagram]
