Preface
Here I am going to introduce a toolkit that helps us run Metasploit against CVE-2014-6271 (Shellshock):
Before we step forward, make sure you have Kali Linux (download) ready and prepare one Linux/Unix VM as the exploitable target. Because we will run the toolkit introduced here inside the exploitable target, make sure the target has the environment below:
Toolkit Usage
The toolkit, SimpleHttp.groovy, is written as a Groovy script, so you can open and edit it. Edit its configuration settings before using it:
    ...
    /***************************************************************
     * - Configuration
     ***************************************************************/
    def useIPv6=false
    int listenPort=80
    int backLog=0
    def listenNIF="eth0"
    def listenAddr=""
    ...
Start Http Service At Exploitable Target
According to CVE-2014-6271, this CVE only takes effect on Bash below specific versions. With this toolkit, that limitation is no longer a problem: its customized code makes the target always appear exploitable. So our first step is to start the HTTP service with this toolkit.
This toolkit requires the Flib.jar library, so make sure it exists in the libs folder (under the execution workspace). Then start the service with the command below:
Then open http://172.16.58.50/bash in the browser to make sure it works:
(If you can't access the URL, check the firewall settings.)
So far, our exploitable target is ready to be exploited. The next step is to use Metasploit to do the testing.
Run CVE-2014-6271 Through Metasploit
Now let's move to Kali Linux. Key in "msfconsole" in the terminal to enter the MSF interface:
Let's search CVE-2014-6271:
Here we are going to exploit Apache mod_cgi, so let's use it:
Let's check how to use this exploit:
For all required settings that are empty, we need to fill them with proper values according to our exploitable target:
Now every required option is ready. Next is to check whether the exploitable target is exploitable:
Let's move back to the toolkit console and check what kind of data is sent to us:
(The highlighted part is the exploit code that attacks the target with CVE-2014-6271.)
Finally, we exploit the target and build a reverse shell to control it:
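The data the toolkit console shows above is what a defender would look for in web logs or at a proxy. As an added example (not code from the post or from the SimpleHttp toolkit), here is a small Python detector that parses a raw HTTP request the way mod_cgi sees it and flags any header whose value starts with the bash function-definition prefix that CVE-2014-6271 abuses; the sample requests are constructed, and the 172.16.58.50 address is reused from the post.

```python
import re
from typing import Dict, List, Tuple

# Unpatched bash imported any environment variable whose value starts with
# "() {" as a function definition and kept executing whatever followed the
# closing "};" at start-up. mod_cgi exports every request header to the CGI
# child as HTTP_<NAME>, so a header value with that prefix is the signature.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_shellshock(raw: str) -> List[str]:
    """Return the names of request headers carrying a bash function prefix."""
    _, headers = parse_request(raw)
    return [name for name, value in headers.items() if FUNC_PREFIX.match(value)]


def trailing_commands(value: str) -> str:
    """For a flagged value, return the text after the function body, i.e. what
    unpatched bash would have run (empty if the body is never closed)."""
    m = re.match(r"^\s*\(\)\s*\{.*?\}\s*;\s*(.*)$", value, re.S)
    return m.group(1).strip() if m else ""


# Constructed sample requests (not captured from the post's lab).
BENIGN = ("GET /bash HTTP/1.1\r\nHost: 172.16.58.50\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
PROBE = ("GET /bash HTTP/1.1\r\nHost: 172.16.58.50\r\n"
         "User-Agent: () { :;}; echo vulnerable\r\n"
         "Referer: http://172.16.58.50/\r\n\r\n")

if __name__ == "__main__":
    for raw in (BENIGN, PROBE):
        hits = find_shellshock(raw)
        print(parse_request(raw)[0], "->", hits or "clean")
```

Run the same check over each request in an access or proxy log to see which hosts received probes like the ones the Metasploit scanner sends.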
Supplement
* Rapid7 - Dhclient Bash Environment Variable Injection
* Rapid7 - OS X VMWare Fusion Privilege Escalation v...ash Environment Code Injection
* Rapid7 - DHCP Client Bash Environment Variable Code Injection
* Rapid7 - Pure-FTPd External Authentication Bash En...onment Variable Code Injection
* Rapid7 - Apache mod_cgi Bash Environment Variable RCE Scanner
* Rapid7 - Apache mod_cgi Bash Environment Variable Code Injection
* Wiki - Shellshock