For pentesting purposes I have created a Docker container that uses a vulnerable version of bash.
This docker container is based on Debian Wheezy and has been modified to use a vulernable version of Bash (bash_4.2:2b:dfsg-0.1).
A web application is available via Apache 2 and serves a CGI script which runs shell commands.
Install the container with
docker pull hmlio/vaas-cve-2014-6271
Run the container with a port mapping
docker run -d -p 8080:80 hmlio/vaas-cve-2014-6271
You should be able to access the web application at http://your-ip:8080/.
The web application/vulnerable bash version can be exploited as shown below:
The concept and the web application are heavily inspired by the VulnHub VM "Sokar", created by rasta_mouse. For further details please see https://www.vulnhub.com/entry/sokar-1,113/.