search

Shellshock

hashtag
Shellshock

  • Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash shell (since V1.3) that allow an attacker to execute remote arbitrary commands via Bash, consequently allowing the attacker to obtain remote access to the target system via a reverse shell.

  • The Shellshock vulnerability was discovered by Stéphane Chazelas on the 12th of September 2014 and was made public on the 24th of September 2014.

  • Bash is a *Nix shell that is part of the GNU project and is the default shell for most Linux distributions.

hashtag
Initial Scan

┌──(root㉿INE)-[~]
└─# sudo nmap -A demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-29 20:17 IST
Nmap scan report for demo.ine.local (192.181.152.3)
Host is up (0.000067s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((Unix))
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (Unix)
MAC Address: 02:42:C0:B5:98:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/29%OT=80%CT=1%CU=30970%PV=N%DS=1%DC=D%G=Y%M=0242
OS:C0%TM=692B07AA%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=Z%
OS:TS=A)SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=
OS:M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WI
OS:N(W1=7C70%W2=7C70%W3=7C70%W4=7C70%W5=7C70%W6=7C70)ECN(R=Y%DF=Y%T=40%W=7D
OS:78%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3
OS:(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.07 ms demo.ine.local (192.181.152.3)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds

A CGI script is running on the target server.

hashtag
Shell sock Nmap scan

hashtag
Exploitation with Burp

Start Burp Suite, navigate to proxy, and turn on the intercept.

Reload the page and intercept the request with Burp Suite.

Right-click and select “Send to Repeater” Option and Navigate to the Repeater tab.

Modify the User-Agent and inject the malicious payload.

Payload:

The command executed successfully.

Modify the payload to execute the ‘id’ command.

Payload:

Step 13: Modify the payload to execute ‘ps -ef’ command.

Payload:

hashtag
Metasploit shellshock auxilliary scanner

hashtag
Exploiting shellshock with Metasploit

Upon running the check, we find that the website is indeed vulnerable to the Shellshock exploit. Now, let’s proceed by exploiting this vulnerability using another Metasploit module:

Let’s first review the available options to see what we need to properly exploit this vulnerability:

Press enter or click to view image in full size

Press enter or click to view image in full size

For this exploit, we need to specify three parameters: RHOSTS, TARGETURI, and LHOST. In my case, the default listening IP is set to localhost, but since we don't need a shell on the localhost, we need to update it. To set the LHOST option, open a new terminal and run the ifconfig command to obtain your machine's IP address.

Press enter or click to view image in full size

Press enter or click to view image in full size

After executing the exploit, we successfully obtain our Meterpreter session.

PreviousWebdavNextMISC

Last updated