Bash is vulnerable to command injection through environment variables. When an application takes user input and uses it in a setenv() call, a malicious actor is able to execute commands on the target in the security context of the running application. This exploit implements a DHCP server that listens for DHCP Request packets. It sends DHCP Response packets with a payload that generates a shell script in /tmp/s.sh and executes it. By default, the shell script executes a netcat callback shell on the specified port. The payload of the exploit can be modified by changing exploits/s.sh.
Successful exploitation over DHCP is a race against the real DHCP server on the network. On some affected systems the payload will execute even when the race is lost; however, the reliability of the exploit will vary. Due to network latency, reliability is reduced when attacking from wireless networks. In some cases, networking may have to be restarted manually on the client.
Install the appropriate bash patch for your system.
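
Until every client is patched, DHCP responses like the ones described above can be flagged on the wire. The following is an added example, not part of the original exploit or its documentation: it parses the options field of a captured DHCP packet and reports any option whose value starts with `() {`, the prefix unpatched bash treats as an exported function definition. The function names, the helper `build_sample` and the use of option 15 in the sample are assumptions made for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
FUNC_MARKER = b"() {"               # prefix unpatched bash imports as a function
BOOTP_FIXED_LEN = 236               # fixed BOOTP header preceding the cookie


def parse_options(options: bytes):
    """Yield (code, value) for each option in a TLV-encoded DHCP options field."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:              # End option: stop parsing
            return
        if code == 0:                # Pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        yield code, value
        i += 2 + length


def suspicious_options(packet: bytes):
    """Return [(code, value)] for options whose value starts with FUNC_MARKER."""
    cookie = packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4]
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options = packet[BOOTP_FIXED_LEN + 4:]
    return [(c, v) for c, v in parse_options(options) if v.startswith(FUNC_MARKER)]


def build_sample(domain_value: bytes) -> bytes:
    """Constructed sample: a BOOTREPLY with message type ACK and option 15 set."""
    header = bytes([2, 1, 6, 0]) + bytes(BOOTP_FIXED_LEN - 4)
    opts = bytes([53, 1, 5, 15, len(domain_value)]) + domain_value + bytes([255])
    return header + MAGIC_COOKIE + opts


if __name__ == "__main__":
    for value in (b"example.test", b"() { :; }; true"):  # constructed values
        hits = suspicious_options(build_sample(value))
        print(value, "->", "ALERT" if hits else "clean", hits)
```

The same prefix check can be applied to any string a DHCP client hands to a shell script through the environment, not only to option 15.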