CVE-2014-6271 PoC — GNU Bash Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271)
Description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Description
Collected fixes for bash CVE-2014-6271
Readme
CVE-2014-6271 patches for bash

The original mailing list post only lets you fetch the patches over
unauthenticated HTTP.  *Sigh*

I've downloaded these over HTTP and put them into a git repository that you can
fetch over HTTPS and check independently.

I have not checked whether these files are authentic, but you can check
independently whether you have the same files.

- [Original announcement](announcement.txt)
- [SHA256SUMS](SHA256SUMS)

== Upstream patches ==

Retrieved from `http://ftp.gnu.org/pub/gnu/bash/bash-*-patches/`

- [upstream/bash30-017](upstream/bash30-017)
- [upstream/bash31-018](upstream/bash31-018)
- [upstream/bash32-052](upstream/bash32-052)
- [upstream/bash40-039](upstream/bash40-039)
- [upstream/bash41-012](upstream/bash41-012)
- [upstream/bash42-048](upstream/bash42-048)
- [upstream/bash43-025](upstream/bash43-025)

== Debian ==

Retrieved using apt-get source bash (version 4.2+dfsg-0.1+deb7u1).  I'm not
sure if apt did a gpg signature check on this.

- [debian/CVE-2014-6271.diff](debian/CVE-2014-6271.diff)

== My own patches ==

- [dlitz/CVE-2014-6271\_4.3-9.diff](dlitz/CVE-2014-6271_4.3-9.diff)
    - This is bash43-025 applied to Debian bash 4.3-9 (from sid)

== SHA256SUMS ==

- [SHA256SUMS](SHA256SUMS)

<pre>
427c3ba3e0d6ea29b8ddbfc2fa48f0f90fbd68d38501a409ba0beb73840245d3  upstream/bash30-017
80f15b2719f3acd746edbe828f23b80116ca033b870120301256131eaa5050b3  upstream/bash31-018
a0eccf9ceda50871db10d21efdd74b99e35efbd55c970c400eeade012816bb61  upstream/bash32-052
09de2a4309fdcdff470754357073b6e9b1e4662add5981888acba27a53954a1e  upstream/bash40-039
272e24a9a2802e896b20dae7c88d6a34b8dc89692c9bc90542cd4bda77607b6d  upstream/bash41-012
751a5d2330b21ac9aba7323acbbc91c948285f30a4bb41f56796f9a36b983d24  upstream/bash42-048
1e5186f5c4a619bb134a1177d9e9de879f3bb85d9c5726832b03a762a2499251  upstream/bash43-025
a197e03ea8e39d7f0cda14367bae1e5880384d50235516dfcd20921dc3810e57  debian/CVE-2014-6271.diff
</pre>
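
An added example (not part of the original README or repository): a Python audit of a checkout against a sha256sum-style manifest such as SHA256SUMS, which also reports files on disk that the manifest does not list. The tree built in `demo()` is constructed stand-in data; matching digests show only that two copies are identical, not that either is authentic.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum output lines: '<64 hex> <space or *><relative path>'."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, rest = line.split(" ", 1)
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"bad digest in line: {line!r}")
        if Path(name).is_absolute() or ".." in Path(name).parts:
            raise ValueError(f"path escapes the checkout: {name!r}")
        entries[name] = digest.lower()
    return entries

def audit(root, manifest="SHA256SUMS"):
    """Classify listed files as ok/mismatch/missing; report unlisted files too."""
    root = Path(root)
    expected = parse_manifest((root / manifest).read_text())
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        if not (root / name).is_file():
            report["missing"].append(name)
        elif hashlib.sha256((root / name).read_bytes()).hexdigest() == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    rels = (p.relative_to(root) for p in root.rglob("*") if p.is_file())
    on_disk = {r.as_posix() for r in rels if ".git" not in r.parts}
    report["unlisted"] = sorted(on_disk - set(expected) - {manifest})
    return report

def demo():
    """Audit a constructed tree (stand-in files, not the real bash patches)."""
    files = {"upstream/patch-a": b"constructed patch A\n",
             "upstream/patch-b": b"constructed patch B\n",
             "local/own.diff": b"constructed local patch\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in files.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        listed = ("upstream/patch-a", "upstream/patch-b")
        (root / "SHA256SUMS").write_text(
            "".join(f"{hashlib.sha256(files[n]).hexdigest()}  {n}\n" for n in listed))
        (root / "upstream/patch-b").write_bytes(b"altered after listing\n")
        return audit(root)
```

Run `audit(".")` from the top of a clone; anything under `mismatch`, `missing` or `unlisted` needs a second source before it is trusted.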
File Snapshot

<pre>
[4.0K] /data/pocs/869637617971779d6a284409e48329025dc36ff6
├── [4.2K] announcement.txt
├── [4.0K] debian
│   └── [2.5K] CVE-2014-6271.diff
├── [4.0K] dlitz
│   └── [3.5K] CVE-2014-6271_4.3-9.diff
├── [1.9K] README.md
├── [ 874] SHA256SUMS
└── [4.0K] upstream
    ├── [3.2K] bash30-017
    ├── [3.1K] bash31-018
    ├── [3.2K] bash32-052
    ├── [3.2K] bash40-039
    ├── [3.2K] bash41-012
    ├── [3.2K] bash42-048
    └── [3.8K] bash43-025

3 directories, 12 files
</pre>