How to do it...

To see how the Shellshock bug can be used to exploit an SSH server, we first need to configure our SSH server as a vulnerable system. To do so, we will follow these steps:

  1. The first step is to add a new user account called user1 on the SSH server system. We also set /home/user1 as its home directory and /bin/bash as its shell:

Once the account is added, we cross-check it by inspecting the /etc/passwd file.

  2. Next, we create a directory for user1 in /home and grant ownership of this directory to the user1 account:

  3. Now, we need to let the attacker authenticate to the SSH server using authorized keys. To do this, we first generate the key pair on the attacker's system, using the following command:

We can see that the public/private key pair has been generated.

  4. After generating the key pair, we send the public key to the remote SSH server over SFTP. First, we copy the public key file id_rsa.pub to the Desktop, and then we run the following command to connect to the SSH server using SFTP:

When connected, we transfer the file using the put command.

  5. Now, on the victim SSH server system, we create a directory called .ssh inside /home/user1/ and write the content of the id_rsa.pub file to authorized_keys inside the /home/user1/.ssh/ directory:

  6. After this, we edit the SSH daemon configuration file, /etc/ssh/sshd_config, and enable the PubkeyAuthentication option. We also check that AuthorizedKeysFile is specified correctly:

  7. Once the preceding steps are successfully completed, we try to log in to the SSH server from the attacker's system to see whether we are prompted for a password:

  8. Now, we create a basic script that displays the message restricted if the user passes the date command as an argument; anything other than date is executed. We name this script sample.sh:

  9. Once the script is created, we run the following command to make it executable:

      chmod +x sample.sh

  10. After this, we use the command option in the authorized_keys file to run our sample.sh script, by adding the path of the script:

Making the preceding change to the authorized_keys file, to restrict a user to a predefined set of commands, is what makes the public key authentication vulnerable.

  11. Now, from the attacker's system, we try connecting to the victim's system over SSH, passing date as an argument:

We can see that the message restricted is displayed, due to the script that we added to the authorized_keys file.

  12. Next, we try to pass our Shellshock exploit as an argument, as follows:

We can see that even though we have restricted the date command in this script, it gets executed this time and we get the output of the date command.
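The reason the forced command in step 10 is not a safety net is worth making explicit from the defender's side: sshd runs a command= entry through the account's login shell (here /bin/bash, as set in step 1) and hands the client's requested command to it in the SSH_ORIGINAL_COMMAND environment variable; an unpatched bash evaluates a "() {" function definition found in any environment variable before the forced command ever runs, so sample.sh never gets to print "restricted". The following Python script is an added example, not code from the recipe: it parses authorized_keys entries (OpenSSH's format, including quoted option values) and reports every forced-command entry together with what to check. The audit logic, the login_shell parameter and the sample file are this example's own; the key material in the sample is a constructed placeholder.

```python
"""Audit an OpenSSH authorized_keys file for forced commands that an
unpatched bash would let a client bypass (added example; the file format is
OpenSSH's, the audit logic is this example's own, sample keys are constructed)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Key-type tokens that mark where the optional options field ends.
KEY_TYPE_RE = re.compile(
    r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@\S+)?$")

# Options that limit what a bypassed forced command can reach; "restrict"
# (OpenSSH 7.2+) switches all of them on at once. They do not stop the
# bypass itself: only a patched bash does that.
HARDENING = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")


def split_options_field(line: str) -> Tuple[str, str]:
    """Return (options, rest): the options field ends at the first unquoted whitespace."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2  # escaped character inside a quoted value
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_options(text: str) -> Dict[str, Optional[str]]:
    """Parse 'a,b="x,y",c' into {'a': None, 'b': 'x,y', 'c': None}."""
    opts: Dict[str, Optional[str]] = {}
    i, n = 0, len(text)
    while i < n:
        m = re.match(r"\s*([A-Za-z0-9_-]+)", text[i:])
        if not m:
            break
        name, i = m.group(1).lower(), i + m.end()
        value = None
        if i < n and text[i] == "=":
            i += 1
            if i < n and text[i] == '"':
                i += 1
                buf = []
                while i < n and text[i] != '"':
                    if text[i] == "\\" and i + 1 < n:
                        i += 1  # keep the escaped character, drop the backslash
                    buf.append(text[i])
                    i += 1
                i += 1  # skip the closing quote
                value = "".join(buf)
            else:
                j = text.find(",", i)
                j = n if j < 0 else j
                value, i = text[i:j], j
        opts[name] = value
        if i < n and text[i] == ",":
            i += 1
    return opts


def parse_line(line: str) -> Optional[dict]:
    """Parse one authorized_keys entry; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if KEY_TYPE_RE.match(first):
        options_text, rest = "", line
    else:
        options_text, rest = split_options_field(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
        return None
    return {"options": parse_options(options_text), "key_type": parts[0],
            "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""}


def audit(lines: List[str], login_shell: str = "/bin/bash") -> List[dict]:
    """Report every command= entry with the issues a defender should act on."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None or "command" not in entry["options"]:
            continue
        opts = entry["options"]
        issues = []
        if os.path.basename(login_shell) == "bash":
            # sshd runs the forced command as `bash -c ...` with the client's request
            # in SSH_ORIGINAL_COMMAND; an unpatched bash evaluates a "() {" function
            # definition found there before the forced command starts.
            issues.append("forced command runs under bash: verify bash is patched for Shellshock")
        if "restrict" not in opts:
            missing = [o for o in HARDENING if o not in opts]
            if missing:
                issues.append("missing " + ", ".join(missing))
        findings.append({"line": lineno, "command": opts["command"],
                         "comment": entry["comment"], "issues": issues})
    return findings


# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
command="/home/user1/sample.sh" ssh-rsa AAAAFAKEKEYMATERIAL user1@attacker
restrict,command="/usr/local/bin/backup.sh",from="10.0.0.5" ssh-ed25519 AAAAFAKEKEYMATERIAL backup@host
ssh-ed25519 AAAAFAKEKEYMATERIAL admin@host
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {f['line']}: command={f['command']!r} ({f['comment']})")
        for issue in f["issues"]:
            print("   -", issue)
```

Run against a real file with `audit(open("/home/user1/.ssh/authorized_keys").read().splitlines(), login_shell)`, taking login_shell from the account's /etc/passwd entry. The first finding is the one that matters for this recipe; the hardening options are listed because they bound the damage of any forced-command escape, not because they prevent it.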

Now, let's see how we can use the Shellshock vulnerability to compromise an Apache server that is running any script that triggers the bash shell with environment variables.

  13. If Apache is not already installed on the victim's system, we install it by running the following command:

      apt-get install apache2

Once installed, we launch the Apache server using the following command:

      service apache2 start

  14. Next, we move to the /usr/lib/cgi-bin/ path and create a script called example.sh with the following code in it, to display some HTML output:

We then make it executable by running the following command:

      chmod +x example.sh

Now, from the attacker's system, we try to access the example.sh file remotely using the command-line tool curl.

We get the output of the script as expected: Example Page.

  15. Now, let's send a malicious request to the server, using curl, to print the content of the /etc/passwd file of the victim's system:

      curl -A '() { :;}; echo "Content-type: text/plain"; echo; /bin/cat /etc/passwd' http://192.168.1.104/cgi-bin/example.sh

Here is the output, truncated:

We can see the output on the attacker's system, showing how the victim's system can be remotely accessed using the Shellshock vulnerability. In the preceding command, () { :;}; signifies a variable that looks like a function. In this code, the function body is a single :, which is defined as doing nothing and is only a simple command.

  16. We try another command to see the content of the current directory of the victim's system, as follows:

We can see the content of the root directory of the victim's system in the preceding output.
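On the defender's side, the curl request in step 15 leaves a clear trace: Apache's CGI module copies the User-Agent header (and the request's query string) into environment variables, and the combined access-log format records both, so the "() {" function-definition prefix that unpatched bash reacts to ends up in the log. The following Python script is an added example, not code from the recipe: it parses combined-format access-log lines, unescapes Apache's `\"` quoting, URL-decodes the request line, and flags any field carrying the prefix. The sample lines are constructed to mirror the recipe's requests (the 192.168.1.10 client address is made up), and the detection rule and field names are this example's own.

```python
"""Scan Apache access-log lines for Shellshock-style payloads in the fields a
CGI script receives as environment variables (added example; the log format is
Apache's "combined" format, the rule is this example's own, sample lines are
constructed)."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache "combined" format. Quoted fields may contain \" escapes, which is
# exactly what a payload with embedded double quotes produces in the log.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The prefix unpatched bash treated as an exported function definition.
# It is matched anywhere in a field because CGI passes the whole header value.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def unescape(field: str) -> str:
    """Undo Apache's backslash escaping of quotes and backslashes in log fields."""
    return re.sub(r"\\(.)", r"\1", field)


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one hit per log line whose request, referer or user-agent carries the prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a production tool would count these
        fields = {
            # decode the request line so %28%29%20%7B in a query string is also caught
            "request": unquote(unescape(m.group("request"))),
            "referer": unescape(m.group("referer")),
            "agent": unescape(m.group("agent")),
        }
        matched = [name for name, value in fields.items() if SHELLSHOCK_RE.search(value)]
        if matched:
            hits.append({"line": lineno, "host": m.group("host"), "time": m.group("time"),
                         "status": int(m.group("status")), "fields": matched,
                         "payload": fields[matched[0]]})
    return hits


# Constructed sample lines modelled on the recipe's curl requests; not a real log.
SAMPLE_LOG = r'''
192.168.1.10 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 45 "-" "curl/7.35.0"
192.168.1.10 - - [25/Sep/2014:10:16:01 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 2207 "-" "() { :;}; echo \"Content-type: text/plain\"; echo; /bin/cat /etc/passwd"
192.168.1.10 - - [25/Sep/2014:10:17:45 +0000] "GET /cgi-bin/example.sh?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.1.11 - - [25/Sep/2014:10:18:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux) {build 42}"
'''.strip().splitlines()

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']} {h['host']} [{h['time']}] status={h['status']} "
              f"in {','.join(h['fields'])}: {h['payload']!r}")
```

The fourth sample line shows why the rule insists on empty parentheses followed by a brace: ordinary user-agent strings contain parentheses and braces, but not that sequence. A 200 status on a hit means the CGI script ran with the payload in its environment, which on an unpatched system is the successful case shown in the recipe; the fix remains updating bash, with the scan serving to find what was attempted before the update landed.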
