Saturday, September 27, 2014

Reverse Shell via Bash Bug - Shellshock - CVE-2014-6271

In this tutorial, I am going to create reverse tcp shell via bash bug/shellshock. If you guys do not know what is that then kindly refer my first and second tutorial on that.

Before diving into direct reverse tcp shell tutorial, I would like to recap you all guys about reverse tcp shell as this blog is not dedicated to only pros :P like you. (SORRY FOR THE BAD JOKE)

I would like to start this session as an interactive question/answer section.

What the heck is shell?
Shell is nothing but command line interface of any computer in which user enters commands to execute. It can be file/folder/script commands or any system level commands.

What the hell is reverse shell?
-> Reverse shell is give full control of the victim's system to an attacker. It allows attacker to collect, send your data out of the network. An attacker can also fetch username passwords with that. It also enables attacker to scan client's network from inside itself.

Reverse Shell Diagram

As you can see from the diagram that it forces internal system to connect actively to external machine. Here external system is the attacker and internal is the client. Now It will bypass firewall since in most of the network outbound rules are not set properly. They just want to block incoming traffic, so firewall will not hesitate if it's host machine will make a bond with outside network.

Techniques by which reverse shell can be installed/run/setup on client's machine
  • Physical access
  • Social engineering technique
  • Any email attachment that can install reverse shell program
  • Any vulnerable program/script which is running on web or any other service online.
  • Legitimate program that can act like a reverse shell.
I particularly highlighted 4th point as in our reverse shell tutorial, we are going to use this. Client's machine has vulnerable version of BASH and we are going to exploit that.

Reverse shell uses following convert channel
  • Netcat (tcp/udp)
  • Cryptcat (if encryption is used) (tcp/udp)
  • Loki & Ping tunnel (Icmp)
  • stunnel(ssl)
  • Secure shell (ssh)
 For our demonstration we are going to use netcat so here is the diagram.

Theoretical Steps
1. Attacker will start listening on 80 port.
2. 3rd party machine will tell internal system(client machine) to connect/setup a connection with attacker's machine va nc(netcat).
3. As soon as command gets executed on client's machine, attacker is listening on port so reverse shell will be setup and attacker will have a root access of client's machine.

Step 1 : Observe in the screenshot that this is my vulnerable machine which has ip address. Web application is accessible by this ip address which has CGI script vulnerable to bash bug.(Means bash is vulnerable on that system)

Step 2: Observe in the screenshot that this is attacker's machine, in which I have started netcat which is listening on 4444 port. I am not going to explain commands in details as they are already mentioned at many places. So kindly go and check what each option of command does.

Step 3: Now i am sitting in my windows 8 box and opening application also my burp suite is running and I am capturing request of cgi file. In user agent I am giving nc command. See that carefully.

Here i am telling client to connect to the attacker's box. Make sure that is my KALI linux's IP which is attacker itself. Also keep in mind that on the same port my kali is listening for connection to be setup.

Step 4: As you can see in below pic that session has been established successfully and it says unknown host is connected which is victim's box.

Step 5: Now to make sure which box is this i am giving whoami command which will tell me the current user loggged in into that box.

Step 6: Now since I am into victim's box I can play around it. Below some screenshot suggests that I am playing with victim's box.

Thus how bash bug can be used to setup a reverse shell in order to gain root access by bypassing the firewall.

1.  (PDF  - Author - Richard Hammer 2006)

1 comment:

Anonymous said...

Thanks mate !