It’s been called the worst vuln since HeartBleed (thank god we have a marketing department to come up with the names now) but just how bad can it be?

Well if you have a website that makes use of CGI then it’s not great news, an attacker can use the bug to force your web server to make a connection back to their server. Now I am not saying that ALL sites that run CGI are going to be vuln but a few will be.

Let’s have a look at just how easy it would be for an attacker or a pen tester to gain access to your server using this bug. For this demo we are going to need a few things:

  1. Kali linux (or what ever security distro you like)
  2. Pentester Lab: CVE-2014-6271: ShellShock virtual machine
  3. Coffee – as in a cup of.

The setup I have running is as follows:

Victim IP:

Hacker IP:

First lets run an NMAP scan over the server and see what we can find:


Ok so we have a couple of ports open, one of them is port 80 so the server is hosting some kind of website. Open up your

favourite browser and check it out.

By looking at the site you can see that it’s a dynamic site showing some stats about the server.

Check the source code to see what generates this site:


The site is generated by a CGI script. This is good news for us as we know that some sites are vuln to the ShellShock bug so could be a way in.

Let try and pop a shell back to our box. Using Curl we can send an HTML head request to the server with some code injected into it that will open a connection back to our server:


So here we are telling the server to redirect /dev/tcp to on port 4444. On our server we launch NC telling it to wait for a connection:


Right execute our curl command and see what happens:


YES! We have a shell on the remote server 🙂 So as you can see it’s easy to pop a shell on a vulnerable site…

Leave a Reply