This may help

[SleepProgger]

First of all it is a great idea.
But as far as i see there is a problem with your approach.

The BOOT format ( http://www.tcpipguide.com/free/t_BOOTPMessageFormat.htm ) which dhcp uses requires an xid flag (4 byte) which is used as a kind of session id.
This means the best way to send dhcp-acks (or dhcp-offers) to the client (and get them accepted), is to wait till the client send an discover or request packet, and answer with the given xid,

Here a little dirty poc. You have to adjust the hard coded parameter.
You need to bee lucky, or assure the system running this script answers faster as the dhcpd.
https://gist.github.com/SleepProgger/53af448ffd77015ae5ea

I will definitely stick with this for some time now. Thank you for awaking my interest in scapy :), and sorry for spamming your issues (github need pms again)

[mschwager]

Yeah I've been having trouble with the original script. I'm not sure if you can attack a client that has already been established via DHCP. The attack may have to come during the discovery phase. I've added a new script to the repository (https://github.com/mschwager/shellshock_poc/blob/master/shellshock_server.py) that attempts to MitM DHCP connection attempts.

I just added a few lines from this project: https://github.com/david415/dhcptakeover

[SleepProgger]

That is the same script i used to make the first steps (for this project) with it, too :)

If you ACK a REQUEST faster as the dhcp server and spoof the server address the client will store your data, if it is valid.
Just in case you are interested i implemented this idea: https://github.com/SleepProgger/another_shellshock_test/blob/master/shellshock_dhcp.py

[mschwager]

Ahhh, nice. I think one of my problems may have been this:

114    validated    (required changes to /etc/dhcp/dhclient.conf to work on my system)

What change did you have to make to dhclient.conf? Maybe if I try 242 or 80 I'll have better luck.

[SleepProgger]

You need to "define" that code like:
option url-x code 114 = text ;
And add the given name (url-x) to the request block.
ie:
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers, url-x;

But 80, for example, worked for me, too.
You also might need to rm the lease files.
To see what is going on, just start dhclient yourself (maybe add some enter/exit scripts printing the env).