Exploiting Shellshock in User-Agent headers (CWE-78)

     I've been  surprised by how few, compared, there are articles on Shellshock on the internet. It's one of this vulnerability classified as CWE-78 - Improper Neutralization of Special Elements used in an OS Command, also known as OS Command Injection. This vulnerability allows one to execute OS commands in a remote (or local) host with very little to no limitations, apart from the privileges the running software is running. Usually IDS takes little to no actions against such attacks, and they're easy to bypass anyways, using either base64 encoding or such.

     Shellshock exploitation is as simple as it can get it most cases. You'll most commonly encounter Shellshocks on .cgi pages, which, though, usually require administrator account privileges. Because of this, Shellshock will probably be your second stage of exploitation. The vulnerability itself is usually done trough User-Agent header. The packet with the payload is easy to craft itself, since the only line required for exploitation is the following:
          User-Agent: () { :; }; <cmd>
     You're right. It's that simple. User-Agent header, brackets, then inside curly brackets colon, semicolon, and then outside a semicolon again, and then goes the command to be executed on the target's Operating System. Though, sometimes, Web Servers deny requests with no valid User Agent specified. In such cases, you can add a dummy User Agent:
          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0 { :; }; <cmd>
    Since you have went around the Web Server protection against packets with no valid User Agent, you might encounter an IDS fighting with command injection, but these cases do not happen often. You can try base64 converting your payload and then sending the packet to the target, in example, on your local machine:
          user@host:~$ echo -n '<cmd>' | base64 
     Copy the output of the command, and use it instead of the <base64 cmd> in the packet:
          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0 { :; }; $(echo '<base64 cmd>' | base64 -d)
     This way you should bypass some of the most common IDS software. What is being done here is quite simple, in general. The part inside the brackets decodes the base64 payload, meanwhile the $ before the brackets indicate that the output will be executed. This trick only works, though, if the IDS isn't blocking the character ' | '. If it does, try url encoding it and as well some other characters. ' | ' can be replaced with '%7C', ' ' ' can be replaced with '%27', ' < ' with '%3C' and ' > ' with '%3E'
     Your full packet might look something like this:

     GET /index.php HTTP/1.1
     User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:10.0)

 Gecko/20100101 Firefox/10.0 { :; }; $(echo '<base64 cmd>' | base64 -d) 
     Host: <target host>
     Accept-Language: en-us
     Accept-Encoding: gzip, deflate
     Connection: Keep-Alive

     The easiest ways to exploit this from the Terminal are using either NetCat or cURL. NetCat has no special syntax,

     user@host:~$ nc <host> 

meanwhile, the cURL variant, being a big harder to remember, isn't that hard either:

     user@host:~$ curl -H "User-Agent: <full User-Agent payload>" <target host>

     In conclusion, Shellshock, being a great example of CWE-78 - OS Command Injection gives one a great opportunity to learn fighting IDS and crafting payloads, which can be used in further exploit development in more advanced cases.