ShellShock Reverse Exploit PoC


Hi! Long time since my last post over here, I've been busy, but here it is:

Stéphane Chazelas discovered a vulnerability in how bash handles environment variables: a function definition exported in a variable is parsed when a new bash starts, and any commands trailing the function body get executed. So if you are able to find a vulnerable server, for example by Google dorking with something like filetype:cgi inurl:cgi-bin, you could easily get a shell, escalate privileges, exfiltrate data and so on.

There are already a lot of scripts scanning the whole Internet for this vulnerability, recruiting hosts into DoS/DDoS attacks, dropping Perl botnet scripts, etc.

Its official CVE is CVE-2014-7261, although in the past few days more vulns have been discovered too: CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 and CVE-2014-6277, the last one by Michal Zalewski, who has not yet disclosed any technical info about it, so be careful.

All these vulnerabilities have led distributions to ship specific patches that you can install via apt-get on Debian-based distros, or via yum/yast on others; OpenBSD, NetBSD and FreeBSD have developed their own C patches to remove this bash environment behaviour, but most sysadmins have to wait for the bash developers to release the subsequent patches.

The solution is easy: keep up to date.

To check whether your server is vulnerable, you can carry out the following steps:

– apt-get install git
– git clone https://github.com/hannob/bashcheck/
– cd bashcheck
– ./bashcheck
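
A local self-check in the spirit of the bashcheck run above, added here as an example (it is not the bashcheck tool and not the post's own code). It assumes the bash to audit is the first `bash` on PATH (or the one named in BASH_BIN, a variable of this script only) and probes the original bug, CVE-2014-6271, plus the follow-up CVE-2014-7169 listed above:

```shell
#!/bin/sh
# Shellshock self-check (added example, not the bashcheck tool from the post).
# Assumes the bash to audit is the first `bash` on PATH; point it elsewhere
# with BASH_BIN=/path/to/bash. Run it on the host itself, not over the network.
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: an exported variable whose value starts with "() {" was
# imported as a function, and anything after the closing brace was executed
# as a command while the new bash parsed its environment.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "VULNERABLE" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: the first fix still left the parser in a bad state after a
# malformed function; the dangling redirection in the variable turns the
# later `echo date` into `date > echo`, leaving a file named "echo" behind.
# Probe in a scratch directory so it cannot clobber anything real.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        result="VULNERABLE"
    else
        result="not vulnerable"
    fi
    rm -rf "$dir"
    echo "$result"
}

# Report both probes; exit status 1 if either one found the bug.
shellshock_selfcheck() {
    status=0
    for cve in 6271 7169; do
        r=$("check_cve_2014_$cve")
        echo "CVE-2014-$cve: $r"
        [ "$r" = "VULNERABLE" ] && status=1
    done
    return $status
}

shellshock_selfcheck
```

A patched bash prints "not vulnerable" for both probes; a vulnerable one prints "VULNERABLE" and the script exits non-zero, so it can be dropped into a config-management or monitoring check.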

You can also take a deeper look at this repository:

https://github.com/mubix/shellshocker-pocs

For a PoC, I've tested the PentesterLab vulnerable ISO, which you can download right here, and an NSE script for Nmap :)

http://seclists.org/nmap-dev/2014/q3/493

The vulnerable VM looks like this when running:

[Screenshot shellshock5: the vulnerable VM running]

What the bad guys are doing is injecting bash commands into request headers like User-Agent, Referer, etc., then downloading rootkits or whatever they want... it's a shell :)

So for the PoC, I simply run a reverse shell to demonstrate how dangerous this exploitation can be; this kind of vulnerability is well known, and you can do some research and training at exploit-exercises.com.

[Screenshot shellshock6: the reverse shell PoC]

With a TCP port listening on our side, and in case netcat is not available on the target, we can have bash create a TCP socket and connect it back to our attacking machine this way:

[Screenshot shellshock7: the TCP socket being created]

So our TCP socket is being created, and in a few seconds we see something like this:

[Screenshot shellshock8: the incoming connection on the listener]
