Netcat reverse shell shellshock

In the previous post we looked at what the classic Shellshock behaviour is from the command line. In this post we'll look at how Shellshock may impact web-servers that use the Bash shell for scripting.

Before we get started – remember that testing for Shellshock on systems that you do not have permission to test may mean you fall foul of local laws. If in doubt ask permission from the system administrator.

To show this in action, we'll create a simple Bash CGI script and host it on an Apache web-server. For this demonstration I used a single Linux machine acting as both the target web-server and the attacking machine. This was for convenience but, firewalls aside, this should work against a remote server just the same.

For those of you more used to modern web frameworks, creating a website using Bash-based CGI_bin scripts may seem quaint, but they do still exist. In fact a Google search of inurl:cgi_bin yielded about 520 million hits. However, consider that CGI_bin scripts can be written in many different languages (Perl, Python etc.) so not all may be affected by Shellshock.

When using CGI scripts to generate dynamic web pages, what happens beneath the covers is that header, query and form parameters are made available to the CGI script in the form of environment variables. From our earlier experiments with Bash we have seen that we can inject arbitrary commands if we set a parameter to be a function and add our payload commands after the function definition. So knowing this, we can begin to see how the lessons learnt in the previous post can be applied to a web-server.

  • Started Apache from the command line ( /etc/init.d/apache2 start).
  • Confirmed the location of the CGI-Bin files for the default website ( cat /etc/apache2/sites-enabled/000-default | grep ScriptAlias).
  • Created a simple Bash CGI file ( shellshock.cgi) in the specified location ( /usr/lib/cgi-bin).
  • Ensured the file was executable ( chmod 755 /usr/lib/cgi-bin/shellshock.cgi).

This is a really simple script that displays a basic HTML page but includes an output of the environment variables available to the CGI script ( echo $(env)). When I navigate to the script I see the following page. You can see from this that the list of environment variables available to the CGI script includes items such as HTTP_USER_AGENT and REQUEST_METHOD.

Apache has taken the standard HTTP headers, created environment parameters and passed these to the CGI script. This is where the Shellshock vulnerability lies, since we saw earlier that setting a parameter to a function and then appending our malicious payload after the function definition causes the payload to be executed automatically. It's worth noting that if a page had query or form parameters then these would also be converted into environment parameters that can be accessed. However HTTP headers are common to all pages, so we will focus our attention on these.

In the case of normal browsing we have little control over items such as the HTTP headers, as these are set by the browser; however other tools exist to allow us to alter these values. One option would be to use an HTTP proxy such as OWASP ZAP, Burp Suite, Fiddler or Charles Proxy; these allow you to intercept HTTP traffic and alter the HTTP request that is being sent. Another option (and the one used in this demo) is to use cURL, a command line tool that allows us to interact with web-servers and have a finer level of control over what is being sent. It's not a graphical browser (such as Firefox, IE or Chrome) but instead fetches the content of the pages in a raw format.

We will also use a tool called Netcat; this is a network tool that can be used to read and send data over the network. One of the many uses of Netcat is the ability to set it up in either Listening or Server modes. When we have two Netcat instances connected to each other, we can start to do some interesting things. In the case of our demonstration we are going to set up a reverse shell which will allow the attacking machine to execute commands on the target machine. Since I'm using Kali Linux, both cURL and Netcat are already installed, but you may need to install these on your machine if you are following along.
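From the defender's side, the same header-to-environment-variable mapping tells you where to look in the logs. The Python below is an added example, not code from the original post: it parses Apache combined-format access log lines, flags the function-definition shape in the two request headers that format records (User-Agent and Referer), and reports which CGI environment variable would have carried the value. The log lines, the 192.0.2.x client addresses and the "/cgi-bin/" path heuristic (based on the ScriptAlias used above) are constructed for the demo.

```python
import re

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The vulnerable Bash parser imports a value that starts with "() {" as a function and keeps
# executing whatever follows the closing brace; flag that shape and capture the trailing text.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;\s*(?P<tail>.+)', re.DOTALL)
# Only these two request headers appear in the combined format.
LOGGED_HEADERS = {"agent": "User-Agent", "referer": "Referer"}

# Constructed sample lines (192.0.2.0/24 is a documentation range, not a real client).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '192.0.2.77 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/shellshock.cgi HTTP/1.1" 200 512 '
    '"-" "() { :; }; echo probe"',
    '192.0.2.77 - - [10/Oct/2014:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"() { :;}; /bin/true" "curl/7.38.0"',
    'this line is not in combined format and is skipped',
]

def cgi_header_env_name(header):
    """CGI naming rule: HTTP_ prefix, upper case, hyphens to underscores (User-Agent -> HTTP_USER_AGENT)."""
    return "HTTP_" + header.upper().replace("-", "_")

def parse_combined(line):
    """Return the log fields as a dict, or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return (env_var, trailing_text) for the first logged header with the function-definition shape."""
    for field, header in LOGGED_HEADERS.items():
        m = SHELLSHOCK_RE.search(entry[field])
        if m:
            return cgi_header_env_name(header), m.group("tail").strip()
    return None

def scan(lines):
    """Report suspected probes together with the environment variable that would have carried them."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        found = classify(entry) if entry else None
        if found:
            hits.append({"host": entry["host"], "request": entry["request"], "env_var": found[0],
                         "tail": found[1], "cgi_target": "/cgi-bin/" in entry["request"]})
    return hits
```

Note that the combined format only records two headers, so a probe carried in Cookie, Host or a custom header is invisible here; mod_security or a full request log is needed to see those.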
